Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
05-25-2010, 09:15 AM
|
#1
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
|
Devious New Phishing Tactic Targets Tabs
Quote:
Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.
As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javacript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.
|
Complete Article
Thanks to Slashdot for covering this.
|
|
|
05-25-2010, 09:58 AM
|
#2
|
Member
Registered: Feb 2010
Location: /Earth/UK/England/Hampshire
Distribution: Debian, Ubuntu, CentOS, Slackware
Posts: 262
Rep:
|
Very neat - and so simple. Thanks for the heads up.
|
|
|
05-25-2010, 10:19 AM
|
#3
|
Member
Registered: Mar 2010
Location: Nova Scotia, Canada
Distribution: Ubuntu & Fedora
Posts: 189
Rep:
|
Thanks. Another reason for my dislike of tabs.
|
|
|
05-25-2010, 12:29 PM
|
#4
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
Good grief, this is truly evil. I wonder how tied to javascript this actually is. Is there another way to do this, or is NoScript reasonable protection?
|
|
|
05-25-2010, 12:59 PM
|
#5
|
Member
Registered: Feb 2010
Location: /Earth/UK/England/Hampshire
Distribution: Debian, Ubuntu, CentOS, Slackware
Posts: 262
Rep:
|
One of the Usenet regulars has posted a clearer Facebook example. This is really quite nasty, but can be mitigated with 'noscript'.
http://www.elblowfly.org.uk/tagnab/
|
|
|
05-27-2010, 08:27 PM
|
#6
|
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
Original Poster
|
From the changelog for the most recent NoScript release (1.9.9.81):
Code:
+ Experimental blocking of page refreshes happening inside untrusted
unfocused tabs, should provide protection against Aviv Raff's scriptless
"tabnabbing" variant. Enabled by default, can be controlled through the
noscript.forbidBGRefresh about:config integer preference:
0 - no blocking
1 - block refreshes on untrusted unfocused tabs
2 - block refreshes on trusted unfocused tabs
3 - block refreshes on both trusted and untrusted unfocused tab
Address patterns matching pages which shouldn't be affected can be
listed in the noscript.forbidBGRefresh.exceptions preference
Last edited by win32sux; 05-27-2010 at 08:30 PM.
|
|
|
All times are GMT -5. The time now is 09:48 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|