Tab Napping (A new phishing technique)




Concept of phishing and tab napping :
In the past, hackers used to create fake login pages of many popular sites and host those pages on free hosting sites such as t35, 110mb and 000webhost. The next step was to spread the link and send it to the victim via email spoofing or something else. (I used to do that by shortening a URL.) But with updated browsers and better security, that approach is largely obsolete now. In May 2010, a Mozilla employee outlined a sly new attack tactic dubbed "tabnapping" that can dupe users into giving up passwords by secretly changing already-open browser tabs.

Yes, it is possible to change an already-open tab in any browser by using a small script. The idea is that people nowadays browse with tabbed browsers and sometimes open (me too) a lot of tabs, then forget to go back to the other tabs or don't find time to do so. We may call such a tab an idle tab. Fortunately or unfortunately, the page in that idle tab can redirect itself to a phishing page. That is the basic concept of tab napping.


Here, I am showing a tutorial on how hackers make it possible :
Almost all tabbed browsers are vulnerable to this attack.
Note: Everything described here is for educational purposes.
First of all, you may need free hosting for this purpose. I suggest t35 or 110mb.
You should have a basic knowledge of creating HTML pages (to learn HTML, go to www.w3schools.com), but if you don't, don't worry. You may select a hot news page, a headline or any other popular page. Just copy its source code and make a duplicate of it, using Dreamweaver or Notepad++. Then change the headings and a bit of the content on that page. We will call this page A.

Now we have to make the tab napping exploit and insert it in page A. I have created one. You may download it below :

Download Exploit (after clicking this link, skip the ad from the upper-right corner)

Now you will have to create a page B (that is the phishing page {learn how to make a phishing page}), and you should insert the above script in page A. Then you send the page A link to the victim. When he opens it, he may open other tabs, and when the page A tab becomes idle, the victim will be redirected to your phishing page (you specify the time in the script).

How to insert the exploit in page A, the original page (may contain hot news or something fascinating), and set the URL in the script :
 
You have to replace the highlighted portions above with your own phishing page URL or a cookie-stealing URL in order to hack his/her account. And that's it. Page A, upon becoming idle, will redirect to page B (the phishing page).
In my script I specified 10 seconds before redirecting once the tab becomes idle.


So, that's the trick that hackers use.


How to prevent tab napping :
While using tabbed browsing, look at the URL shown in the address bar whenever you return to a tab. Otherwise you may find a Facebook, Orkut or similar phishing page in that tab and log in, thinking that you had opened it yourself.
Use the latest Nod 32 personal security version. You may search this blog to get it for free.
JavaScript is used by many websites for different purposes. If you disable it, you can avoid being caught by tab napping, but this is not a legitimate solution.
The best technique to protect yourself from tab napping is to use NoScript, a free add-on for the Firefox browser.
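
The advice above to re-check the URL when returning to a tab can also be automated. The following is an added example, not code from the original post: it walks a log of tab events and reports any tab whose origin changed while it was in the background. The event shape and the example.* URLs are assumptions constructed for illustration, not a real browser API.

```javascript
// Assumed event shape (hypothetical, for this sketch only):
//   { type: "activated", tabId }        the user switched to this tab
//   { type: "navigated", tabId, url }   the tab committed a navigation to url
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null; // unparsable URL: treat as an unknown origin
  }
}

function findBackgroundOriginChanges(events) {
  let activeTab = null;
  const current = new Map();  // tabId -> origin currently loaded
  const lastSeen = new Map(); // tabId -> origin when the user last looked
  const alerts = [];

  for (const ev of events) {
    if (ev.type === "navigated") {
      const origin = originOf(ev.url);
      current.set(ev.tabId, origin);
      // Navigation in the foreground tab happens in front of the user.
      if (ev.tabId === activeTab) lastSeen.set(ev.tabId, origin);
    } else if (ev.type === "activated") {
      activeTab = ev.tabId;
      const now = current.get(ev.tabId);
      const before = lastSeen.get(ev.tabId);
      // Flag only tabs the user has seen before and that moved origin since.
      if (before !== undefined && now !== before) {
        alerts.push({ tabId: ev.tabId, leftOn: before, returnedTo: now });
      }
      lastSeen.set(ev.tabId, now);
    }
  }
  return alerts;
}

// Constructed sample sequence; all hosts are placeholders.
const sampleEvents = [
  { type: "activated", tabId: 1 },
  { type: "navigated", tabId: 1, url: "https://news.example.com/story" },
  { type: "activated", tabId: 2 },
  { type: "navigated", tabId: 2, url: "https://mail.example.org/inbox" },
  { type: "navigated", tabId: 1, url: "https://login.example.net/" }, // tab 1 is hidden
  { type: "navigated", tabId: 2, url: "https://mail.example.org/compose" },
  { type: "activated", tabId: 1 },
];

console.log(findBackgroundOriginChanges(sampleEvents));
```

Legitimate pages sometimes change origin in the background too (a session timeout that sends you to a sign-in page, for example), so an alert here means "look at the address bar before typing a password", not proof of phishing.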