This article was published on May 25, 2010

Yet another phishing attack to be aware of. This one’s sly and nasty.


Those hackers. They're just getting smarter all the time. Aza Raskin, the creative lead for Firefox, gives us the latest version of "trickier than you".

Have you ever had a few tabs open in Firefox, gone away for a bit, and then forgotten what you were looking at in the first place? That is exactly the scenario Raskin is showing as the target.

Let's say you're browsing a few channels here on TNW, and you look up to notice that one tab is open to your Gmail. So, of course, you click the tab and log in, and you are taken straight into your Gmail account. No harm done, eh?

Right.  Except that you just gave your login information to a phisher.

The idea lies in a very simple piece of JavaScript that keeps track of whether you are looking at the tab. If you click off to another tab (or into another program) for a mere 5 seconds, the script goes into action and rewrites that hidden tab into a page that looks identical to the Gmail login. So you unwittingly enter your information, and are then forwarded into your real Gmail, which still shows you signed in because you never logged out to begin with.
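The attack described above never changes the address in the URL bar; it rewrites the page's title, favicon and body in place while the tab is hidden. That gives a defender a heuristic to work with. The following is an added example, not code from the article or from Raskin's demo: a content-script-style watcher that snapshots a page's identity when the tab loses focus and, when focus returns, flags the combination a lookalike login would need (changed title and favicon, a password form that was not there before, and a form that posts to an origin other than the page's own). The signal names, weights, threshold and the two constructed page objects are all assumptions made for illustration.

```javascript
// Added example: a visibility-change heuristic for detecting in-place
// "tabnabbing" rewrites. Everything below (signal names, weights, threshold,
// the sample pages) is constructed for illustration, not taken from any
// real site or from the original demo.

// Constructed sample: what a content script would see before the user left
// the tab, and after a script rewrote the hidden tab into a fake login.
const PAGE_BEFORE = {
  href: 'https://news.example/article/123',
  title: 'Yet another phishing attack - News Example',
  faviconHref: '/favicon.ico',
  passwordFormActions: [],
};
const PAGE_AFTER = {
  href: 'https://news.example/article/123', // URL bar unchanged: DOM rewritten, not navigated
  title: 'Gmail: Email from Google',
  faviconHref: 'https://mail.lookalike.example/favicon.ico',
  passwordFormActions: ['https://collector.example/grab'],
};

// In a real content script, build the page object from the live DOM.
// (Not called in this stand-alone example; it needs a browser `document`.)
function readLivePage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const actions = [];
  for (const input of doc.querySelectorAll('input[type="password"]')) {
    actions.push(input.form ? input.form.getAttribute('action') : null);
  }
  return {
    href: doc.location.href,
    title: doc.title,
    faviconHref: icon ? icon.getAttribute('href') : null,
    passwordFormActions: actions,
  };
}

// Reduce a page to the few facts a lookalike login page must change.
function snapshotIdentity(page) {
  const base = page.href;
  return {
    origin: new URL(base).origin,
    title: page.title,
    favicon: page.faviconHref ? new URL(page.faviconHref, base).href : null,
    // A form with no action posts to the page itself, so resolve against base.
    passwordFormOrigins: page.passwordFormActions.map(a => new URL(a || base, base).origin),
  };
}

// Assumed weights: a title or favicon change alone is common on benign pages
// (unread counters, live updates); a password form appearing while hidden,
// and one posting cross-origin, are the strong signals.
const WEIGHTS = {
  'title-changed': 1,
  'favicon-changed': 1,
  'password-form-appeared': 2,
  'password-form-cross-origin': 3,
};
const SUSPICIOUS_THRESHOLD = 3;

function compareSnapshots(before, after) {
  const findings = [];
  if (before.title !== after.title) findings.push('title-changed');
  if (before.favicon !== after.favicon) findings.push('favicon-changed');
  if (before.passwordFormOrigins.length === 0 && after.passwordFormOrigins.length > 0) {
    findings.push('password-form-appeared');
  }
  for (const origin of after.passwordFormOrigins) {
    if (origin !== after.origin) findings.push('password-form-cross-origin');
  }
  const score = findings.reduce((sum, f) => sum + WEIGHTS[f], 0);
  return { findings, score, suspicious: score >= SUSPICIOUS_THRESHOLD };
}

// Tracks one tab across a hidden/visible cycle. In a browser you would call
// onHidden/onVisible from a `visibilitychange` listener with Date.now().
class TabWatcher {
  constructor() { this.snapshot = null; this.hiddenSince = null; }
  onHidden(page, nowMs) {
    this.snapshot = snapshotIdentity(page);
    this.hiddenSince = nowMs;
  }
  onVisible(page, nowMs) {
    if (!this.snapshot) return null;
    const result = compareSnapshots(this.snapshot, snapshotIdentity(page));
    result.hiddenForMs = nowMs - this.hiddenSince;
    this.snapshot = null;
    this.hiddenSince = null;
    return result;
  }
}

// Run the constructed scenario: user leaves the tab, comes back 6 s later.
function demo() {
  const watcher = new TabWatcher();
  watcher.onHidden(PAGE_BEFORE, 0);
  return watcher.onVisible(PAGE_AFTER, 6000);
}

console.log(JSON.stringify(demo(), null, 2));
```

The heuristic deliberately keys on the URL staying the same while a password form appears: a genuine navigation to a login page changes the address, whereas the in-place rewrite does not. A site whose login legitimately posts to a separate SSO origin would trip the cross-origin signal, so a real extension would want an allow-list for that case.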

Raskin goes on to explain how a simple CSS history-sniffing trick can reveal a breadcrumb trail of sites you've visited, such as Twitter, your bank or otherwise. Dangerous ground, to say the least.

Google has chimed in on the situation, too: Aza has been discussing it over Twitter with Matt Cutts, Google's webspam guru.

Clearly Googlers recognize the value in understanding how white-hat hacking works.  According to Cutts:

the next step would be to only bait-and-switch the page/favicon if you could detect that more than >N browser tabs were open..

Though you can rest easy…for now. Raskin replies that he's not certain how he'd go about implementing Cutts' idea, adding that

I can't think of any way to detect the number of tabs currently open — although perhaps heuristically. Good call, though.

Do yourselves a favor, folks. Make certain that you're using a browser that diligently looks for and warns you about phishing attacks. Then take your security one step further by using antivirus and anti-malware software. By now, it should go without saying.
