Playing With Tabnabbing
Posted by Michael Montecillo on July 30, 2010 at 6:45 AM EDT.
Let's not beat around the bush: phishing is nasty, and it is aimed at exploiting the one weakness that technology will most likely never be able to solve: human gullibility. With recent reports of scammers resorting to ruthless measures such as using fake technical support calls (1) to direct victims to malicious sites, it is undeniably not a good time for a new phishing attack methodology, especially one that is extremely difficult to detect. Unfortunately, security professionals rarely (if ever) catch a break, and a new delivery mechanism for phishing has emerged called Tabnabbing.
Tabnabbing is a method by which an attacker uses JavaScript to hijack a user's tab and stage a phishing attack. In particular, the onBlur() and onFocus() event handlers of the JavaScript window object are used to determine when a user is no longer focused on a particular tab. Once the user has taken their attention off a tab for a specified amount of time, the attacker can then generate a phishing site in place of the previously visited site. In the proof-of-concept code, originally released by Aza Raskin of Mozilla, the malicious code also alters the tab title and the favicon by leveraging Ajaxify's favicon JavaScript API (2).
This, however, is not generally necessary. As Aza aptly points out in his post, this type of attack can be made more lethal by skipping the changing of icons and simply replicating a website in combination with DNS squatting. In order to fully research the legitimacy of this issue, the MSS Threat Analysis team created an internal iteration of a tabnabbing attack for research. The internal iteration focuses on leveraging the onBlur() and onFocus() handlers to redirect users to a totally different URL based on their browsing history. With a reasonably fast Internet connection this is almost as seamless as generating a new page within the Tabnabbing JavaScript code. It is much easier to create a framework for using this type of technique to redirect users to any number of malicious phishing sites. Also, the original proof-of-concept code for Tabnabbing (as created by Aza) is already detected by several security countermeasures, including endpoint antivirus. The proof-of-concept code created by MSS is currently not detected by any of the security mechanisms it was tested against.
Aza’s POC as Detected by an Antivirus solution

The MSS Threat Analysis team proof-of-concept code works by first introducing a malicious JavaScript file on a website. This can be planted in any number of ways, including within an advertisement or even as part of a persistent cross-site scripting attack. Regardless, the victim will be exposed to a simple piece of code calling the malicious JavaScript, such as:
<script src="Tabnabbing_attack.js"></script>
Step 1: The user is exposed to the Tabnabbing JavaScript code
Once accessed, the malicious script would then leverage the onBlur() and onFocus() handlers to determine when a victim is focused on a specific tab. In particular, the onBlur() handler determines when a victim has clicked off of a tab; this starts a timer that determines when the page is redirected to a malicious site. If the user should happen to click back to the tab before the redirect has begun, the onFocus() handler is used to reset the timer. This helps to ensure the user is not paying attention when the redirect occurs.
Step 2: The user clicks off of the tab where the code is running

Before the redirect occurs, however, a simple technique is used to determine whether the user has visited particular sites. To achieve this, the code sets the page's link color settings; next, pre-defined website URLs are assessed to determine what color they would be displayed as. If the link color is the same as the color set for a visited URL, it is assumed that the user has visited that URL from that browser in the past. This code helps to target the attack as well as to include multiple payloads (in the form of redirection to phishing sites) in a single script. Once the script has determined a visited URL, the redirect occurs and the victim is free to enter their data into the phishing site.
Step 3: A redirect occurs (if you don’t see it, check the image in Step 2)

Step 4: The victim is now set to enter their information at the phishing site

This brings three primary issues into focus. First and foremost, there is the issue of leveraging the browser as a platform for tricking a user. Unfortunately, the average user sacrifices a great deal of security in exchange for better functionality. As a result, scripts are constantly running within a web browsing session without the average user's knowledge. The second issue is privacy. While most users would prefer that their browsing history not be easily discernible by a malicious website, simple code can be crafted to leverage the JavaScript Document Object Model's (DOM) use of colors to determine which URLs have and have not been visited. Finally, there is the issue of the human element. Despite the issues of privacy and of the browser as a platform, the attack is useless until the victim enters their sensitive information.
Sadly, none of these issues are simple to solve. However, it is important to offer some level of protection against these attacks. Given the simplicity with which this attack is created, in combination with how difficult it is to detect, and the value of the data that could be stolen, it is highly likely that some future iteration of Tabnabbing will be seen on a large scale in the wild.
Of course, some level of security can be ensured by leveraging script blocking utilities, which will attempt to prevent languages such as JavaScript from running in a browsing session without the explicit consent of the user. Content filtering systems can be leveraged to block malicious websites as they arise, and browser privacy can be protected with the private browsing capabilities of particular browsers. Finally, to help prevent successful attacks against the human element, education can be leveraged to help create more vigilant users. Regardless of all these efforts, there will certainly still be issues that slip through the cracks, and thus phishing attacks leveraging new vectors such as Tabnabbing aren't going anywhere soon.
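The behaviour described in Steps 2 and 3 can also be checked from the defender's side by comparing what a tab shows when it loses focus with what it shows when focus returns. The following is an added example, not code from this post or from either proof of concept; TabIdentityMonitor and the snapshot fields (url, title, favicon) are assumed names for logic a browser extension or monitoring tool could run.

```javascript
// Added example. TabIdentityMonitor and the snapshot fields are hypothetical names.
// Idea: record what a tab shows when it loses focus, compare when focus returns.

function originOf(url) {
  try { return new URL(url).origin; } catch { return "invalid:" + url; }
}

class TabIdentityMonitor {
  constructor() {
    this.hidden = new Map(); // tabId -> snapshot taken at blur
  }

  // Call when a tab loses focus, with what it displays at that moment.
  onBlur(tabId, snap) {
    this.hidden.set(tabId, { ...snap, origin: originOf(snap.url) });
  }

  // Call when the tab regains focus; reports what changed while unattended.
  onFocus(tabId, snap) {
    const before = this.hidden.get(tabId);
    this.hidden.delete(tabId);
    if (!before) return { severity: "none", changes: [] }; // never saw a blur

    const origin = originOf(snap.url);
    const changes = [];
    if (origin !== before.origin) changes.push("origin");
    if (snap.title !== before.title) changes.push("title");
    if (snap.favicon !== before.favicon) changes.push("favicon");

    // A new origin is the redirect variant; title plus favicon on the same
    // origin is the in-place rewrite. A title change alone is common on
    // legitimate pages (unread counters), so it only rates "low".
    let severity = "none";
    if (changes.includes("origin")) severity = "high";
    else if (changes.includes("title") && changes.includes("favicon")) severity = "medium";
    else if (changes.length > 0) severity = "low";
    return { severity, changes, from: before.origin, to: origin };
  }
}

// Constructed sample events (not captured data).
function demo() {
  const m = new TabIdentityMonitor();
  const page = { url: "https://news.example/story", title: "Story", favicon: "/a.ico" };
  m.onBlur(1, page);
  const redirect = m.onFocus(1, { url: "https://login.example.test/", title: "Sign in", favicon: "/b.ico" });
  m.onBlur(2, page);
  const counter = m.onFocus(2, { ...page, title: "(1) Story" });
  return { redirect, counter };
}
```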
Resources:
1. PC Pro “Unstoppable 'tech support' scam” By Barry Collins
2. http://softwareas.com/dynamic-favicon-library-updated
3. XSS Attacks by Jeremiah Grossman, Robert “Rsnake” Hansen, Petko “pdp” D. Petkov, Anton Rager, Seth Fogie
4. Aza Raskin, “A New Type of Phishing Attack” http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

