TabShots, the first effective client-side countermeasure against tabnabbing attacks. Tabnabbing, a surprisingly sly variant of phishing, allows a Web attacker to obtain the user’s credentials, thereby enabling the attacker to impersonate the user by establishing a session. Since the user’s credentials allow the attacker not only to establish a session but also to bypass any additional in-session authentication checks, a phishing or tabnabbing attack can lead to worse consequences than any of the previously discussed attacks.
In a tabnabbing attack, an innocuous page visually disguises itself as a login page for a legitimate application while the user is not paying attention. Since the tabnabbing page is fully controlled by the Web attacker, detection mechanisms that depend on the underlying structure of the page, such as its HTML elements and attributes, are likely susceptible to evasion. Therefore, TabShots is based on screenshots of a browser tab, essentially analyzing the same view that the user sees. To prevent the user from entering credentials in a fraudulent phishing form, TabShots highlights the parts of the page that have changed since the last visit, visually alerting the user to a “phishy” situation.
TABSHOTS: CLIENT-SIDE DETECTION OF TABNABBING ATTACKS
As the Web grows larger and larger and as the browser becomes the vehicle of choice for delivering many applications of daily use, the security and privacy of Web users are under constant attack. Phishing is as prevalent as ever, with antiphishing communities reporting thousands of new phishing campaigns each month. In 2010, tabnabbing, a variation of phishing, was introduced. In a tabnabbing attack, an innocuous-looking page, opened in a browser tab, disguises itself as the login page of a popular Web application while the user’s focus is on a different tab. The attack exploits the trust users place in already opened pages and the user habit of keeping long-lived browser tabs.
To combat this recent attack, we propose TabShots. TabShots is a browser add-on that helps browsers and users remember what each tab looked like before the user changed tabs. Our system compares the appearance of each tab and highlights the parts that were changed, allowing the user to distinguish between legitimate changes and malicious masquerading. Using an experimental evaluation on the most popular sites of the Internet, we show that TabShots has no impact on 78% of these sites and very little on another 19%. Thereby, TabShots effectively protects users against tabnabbing attacks without affecting their browsing habits and without breaking legitimate popular sites.
Phishing, the process by which an attacker tricks users into willingly surrendering their credentials, is as prevalent as ever. PhishTank, a volunteer-driven site for tracking phishing pages, reported in its latest publicly available report a total of 22,851 valid phishing attempts for July of 2012 alone. In these attacks, an attacker targets the user and capitalizes on the user’s inability to distinguish a legitimate page from one that looks legitimate but is actually fraudulent. Phishing attacks can be conducted on both a large and a small scale, depending on the attacker’s objectives. The latest publicized attack involved the use of “spear phishing”, a type of phishing that targets highly specific individuals and companies.
TabShots, a countermeasure for detecting changes to a site while its tab is out of focus. TabShots allows a browser to “remember” what the tab looked like before it lost focus and to compare it with the appearance after regaining focus. More precisely, whenever a tab is fully loaded, TabShots records the favicon and captures a screenshot of the visible tab. Whenever a user revisits a tab, a new capture is taken and compared to the previously stored one. If any changes are detected, the user is warned by a visual overlay on the current tab showing exactly the content that was changed, assisting the user in distinguishing between legitimate changes and tabnabbing attacks. Our system is based on the user’s visual perception of a site and not on its HTML representation, allowing TabShots to withstand attacks that straightforwardly circumvent previously proposed tabnabbing-detection systems. We implement TabShots as a Chrome add-on and evaluate it against the top 1,000 Alexa sites, showing that 78% of sites fall within a safe threshold of less than 5% changes, and an additional 19% fall within the threshold of less than 40% changes. This means that TabShots effectively protects against tabnabbing attacks without hindering a user’s day-to-day browsing habits.
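The comparison step described above, written out as an added example that is not TabShots' own code: two captures of the same tab are compared tile by tile, the changed tiles are returned for an overlay, and the changed fraction is classified against the 5% and 40% thresholds quoted in the text. The tile-based comparison, the 8-pixel tile size and the RGBA buffer layout are assumptions of this example, not details taken from the page.

```javascript
// Added example, not TabShots' own code. Captures are RGBA byte arrays
// (width*height*4) as canvas getImageData() returns; the tile size and the
// tile-level change rule are assumptions made for this example.
function compareCaptures(before, after, width, height, tileSize = 8) {
  if (before.length !== after.length || before.length !== width * height * 4) {
    throw new Error("captures must be equal-size RGBA buffers");
  }
  const cols = Math.ceil(width / tileSize), rows = Math.ceil(height / tileSize);
  const changedTiles = [];
  for (let ty = 0; ty < rows; ty++) {
    for (let tx = 0; tx < cols; tx++) {
      if (tileDiffers(before, after, width, height, tx, ty, tileSize)) {
        changedTiles.push({ x: tx * tileSize, y: ty * tileSize, size: tileSize });
      }
    }
  }
  const ratio = changedTiles.length / (cols * rows);
  return { ratio, changedTiles, verdict: classify(ratio) };
}

// A tile counts as changed if any pixel's RGB differs (alpha is ignored).
function tileDiffers(a, b, width, height, tx, ty, size) {
  for (let y = ty * size; y < Math.min((ty + 1) * size, height); y++) {
    for (let x = tx * size; x < Math.min((tx + 1) * size, width); x++) {
      const i = (y * width + x) * 4;
      if (a[i] !== b[i] || a[i + 1] !== b[i + 1] || a[i + 2] !== b[i + 2]) return true;
    }
  }
  return false;
}
// Below 5% changed: safe; below 40%: warn; otherwise alert (thresholds from the text).
function classify(ratio) {
  return ratio < 0.05 ? "safe" : ratio < 0.40 ? "warn" : "alert";
}

// Constructed sample: a 64x64 white tab in which a 24x16 region turns blue in
// the second capture, standing in for a form that appeared while unfocused.
function sampleCaptures() {
  const w = 64, h = 64;
  const before = new Uint8ClampedArray(w * h * 4).fill(255);
  const after = Uint8ClampedArray.from(before);
  for (let y = 8; y < 24; y++) {
    for (let x = 16; x < 40; x++) {
      const i = (y * w + x) * 4;
      after[i] = 30; after[i + 1] = 60; after[i + 2] = 200;
    }
  }
  return { before, after, w, h };
}
```

With the sample, the blue region covers 6 of the 64 tiles (about 9%), so the verdict is "warn" and the six tile rectangles are what an overlay would highlight.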