A New Type of Phishing Attack

Jojo999
Senior Member
Posts: 147
Joined: Mon Jun 01, 2009 3:54 am

A New Type of Phishing Attack

Post by Jojo999 »

Is there anything that NS can do about this new problem?
--------------
A New Type of Phishing Attack
http://www.azarask.in/blog/post/a-new-t ... ng-attack/
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: A New Type of Phishing Attack

Post by Giorgio Maone »

As pointed out by Brian Krebs, NoScript does block this kind of attack.
Jojo999
Senior Member
Posts: 147
Joined: Mon Jun 01, 2009 3:54 am

Re: A New Type of Phishing Attack

Post by Jojo999 »

NOT allowing Javascript to run wasn't what I was thinking.

When I go to a site, I choose what scripts to allow based on the list that NS presents. Often, I might not see anything displayed on the page, until I allow one or more scripts to run. But I am blind doing this as I have no easy way to tell WHICH script I should allow. So I generally try them one at a time until I see stuff displayed on the site.

Something more automatic than a script on/off toggle is needed (if at all possible).
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: A New Type of Phishing Attack

Post by therube »

Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: A New Type of Phishing Attack

Post by Giorgio Maone »

Jojo999 wrote: Something more automatic than a script on/off toggle is needed (if at all possible).

Oh well, you may for instance take advantage of the Script Surrogates feature in order to prevent the document's title from being changed:

noscript.surrogate.stickyTitle.sources=

Code: Select all

@*

noscript.surrogate.stickyTitle.replacement=

Code: Select all

var getTitle = document.__lookupGetter__("title"); var setTitle = document.__lookupSetter__("title"); document.__proto__.__defineSetter__("title", function() {}); document.addEventListener("DOMContentLoaded", function(ev) {var title = getTitle.call(document); setInterval(function() { if (title != getTitle.call(document)) setTitle.call(document, title) }, 250); }, false);

You can do the same with the favicon, or (but it might be slightly more complicated) prevent onblur events from being registered or executed.

Really, with a bit of JavaScript knowledge, you can make surrogates almost for anything.
Jojo999
Senior Member
Posts: 147
Joined: Mon Jun 01, 2009 3:54 am

Re: A New Type of Phishing Attack

Post by Jojo999 »

"Really, with a bit of JavaScript knowledge, you can make surrogates almost for anything."

Ah, but I don't have even a bit of Javascript knowledge. :)

I will try to understand the link you refer to though.
Alan Baxter
Ambassador
Posts: 1586
Joined: Fri Mar 20, 2009 4:47 am
Location: Colorado, USA

Re: A New Type of Phishing Attack

Post by Alan Baxter »

Giorgio Maone wrote:As pointed out by Brian Krebs, NoScript does block this kind of attack.
http://krebsonsecurity.com/2010/05/devi ... gets-tabs/
Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock up of this blog post, to morph into an image of the Gmail login page, and it will reload every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.

“I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”

The proof-of-concept works on my NoScript test profile with default NS settings.
Jojo999
Senior Member
Posts: 147
Joined: Mon Jun 01, 2009 3:54 am

Re: A New Type of Phishing Attack

Post by Jojo999 »

Alan Baxter wrote: The proof-of-concept works on my NoScript test profile with default NS settings.

Yes, mine also, which is why I initiated this thread.
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: A New Type of Phishing Attack

Post by therube »

Code: Select all

<html>
<head>
<title>
  Gmail: Email from Google
</title><link REL="SHORTCUT ICON" HREF="https://mail.google.com/favicon.ico"></head>
<body style="margin:0px"><img src="http://img.skitch.com/20100524-b639xgwegpdej3cepch2387ene.png" />
</body>
</html>

You may need to copy/paste & or reload? http://avivraff.com/research/phish/arti ... ?854817837

I'm kind of confused as to what's going on.

Like after you get the "gmail" web page, if you reload, you're "redirected" back to a (bogus) Krebs on Security page, from where NoScript will then block a <META> redirection (a 404 at avivraff.com).

Code: Select all

onclick="javascript:ckratingKarma('6067', 'add', 'krebsonsecurity.com/wp-content/plugins/comment-rating/', '1_16_');

What does coding like that do? Is that "inline" JavaScript or something or the other? Is that blocked by NoScript (assuming the site is not allowed).

Looking further at the "Krebs on Security" page it makes a bit more sense. The kind of sense that it is all just a redirection from what is - which makes it confusing & so could ? be effective in the wrong hands.

(Think Mozilla <including Giorgio> are looking at this in locked Bugzilla reports?)
Jojo999
Senior Member
Posts: 147
Joined: Mon Jun 01, 2009 3:54 am

Re: A New Type of Phishing Attack

Post by Jojo999 »

I tried to insert your code into USER.JS

// Experimental for NoScript to block changing the page title
user_pref("noscript.surrogate.stickyTitle.sources", "@*");
user pref("noscript.surrogate.stickyTitle.replacement", "var getTitle = document.__lookupGetter__("title"); var setTitle = document.__lookupSetter__("title"); document.__proto__.__defineSetter__("title", function() {}); document.addEventListener("DOMContentLoaded", function(ev) {var title = getTitle.call(document); setInterval(function() { if (title != getTitle.call(document)) setTitle.call(document, title) }, 250); }, false);");

This worked and shows up in about:config
user_pref("noscript.surrogate.stickyTitle.sources", "@*");

But this statement does not show up.
user pref("noscript.surrogate.stickyTitle.replacement", "var getTitle = document.__lookupGetter__("title"); var setTitle = document.__lookupSetter__("title"); document.__proto__.__defineSetter__("title", function() {}); document.addEventListener("DOMContentLoaded", function(ev) {var title = getTitle.call(document); setInterval(function() { if (title != getTitle.call(document)) setTitle.call(document, title) }, 250); }, false);");

Is there an error in it? Can a statement go across multiple lines in USER.JS?
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: A New Type of Phishing Attack

Post by therube »

Try these:

Code: Select all

user_pref("noscript.surrogate.stickyTitle.sources", "@*");

Code: Select all

user pref("noscript.surrogate.stickyTitle.replacement", "var getTitle = document.__lookupGetter__("""title"""); var setTitle = document.__lookupSetter__("""title"""); document.__proto__.__defineSetter__("""title""", function() {}); document.addEventListener("""DOMContentLoaded""", function(ev) {var title = getTitle.call(document); setInterval(function() { if (title != getTitle.call(document)) setTitle.call(document, title) }, 250); }, false);");
Appears you need to double-quote the quotes (except for the first & last each of the name & value).

Wrong! That's not it either? Tried escaping them, tried double-quoting them, but neither is working?

I've got no clue :?:
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: A New Type of Phishing Attack

Post by Giorgio Maone »

Alan Baxter wrote:
Giorgio Maone wrote:As pointed out by Brian Krebs, NoScript does block this kind of attack.
http://krebsonsecurity.com/2010/05/devi ... gets-tabs/
Update, May 25, 7:55 p.m. ET: Researcher Aviv Raff has posted an interesting proof-of-concept of his own that shows how this attack can work against Firefox even when users have the Noscript add-on installed and in full paranoid mode. Raff crafted his page, which is a mock up of this blog post, to morph into an image of the Gmail login page, and it will reload every 20 seconds but will only change to the sample phish page if you move to another tab with your mouse, or after 10 reloads (in case you moved with the keyboard). So it will change only after 3 minutes or so, unless you move to another tab with your mouse.

“I was trying to find a way to work around the javascript need for the [proof-of-concept],” Raff said in an instant message. “First I was able to do this without knowing if the user moved to a new tab. Now I can almost be sure of that.”
The proof-of-concept works on my NoScript test profile with default NS settings.

Firefox Options|Advanced|Accessibility|Warn me when web sites try to redirect or reload the page

@therube:
JavaScript string literals escape double quotes by prepending a backslash. You can either do this or replace them with a single quote:

Code: Select all

user pref("noscript.surrogate.stickyTitle.replacement", "var getTitle = document.__lookupGetter__(\"title\"); var setTitle = document.__lookupSetter__(\"title\"); document.__proto__.__defineSetter__(\"title\", function() {}); document.addEventListener(\"DOMContentLoaded\", function(ev) {var title = getTitle.call(document); setInterval(function() { if (title != getTitle.call(document)) setTitle.call(document, title) }, 250); }, false);");
Giorgio Maone
Site Admin
Posts: 9524
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy
Contact:

Re: A New Type of Phishing Attack

Post by Giorgio Maone »

On a side note, as I just said in a comment I dropped on Brian's blog, in the next version I'll probably implement a feature to block meta refreshes which are about to happen in hidden tabs.
This will prevent Aviv's variant from working, while keeping meta refresh functionality where needed.
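The policy described in the post above, sketched as an added example that is not NoScript's implementation and not code from any poster in this thread: parse a meta refresh directive and block it only while the tab is hidden. The function names and the sample page are assumptions; in a browser the `tabHidden` flag would come from `document.hidden`.

```javascript
// Added example, not NoScript's code: block <meta http-equiv="refresh"> only
// while the tab is hidden. Names and sample markup are constructed.

// Parse a content value such as "20", "20; url=/next" or "0;URL='http://a/'".
function parseMetaRefresh(content) {
  const m = /^\s*(\d+)(?:\.\d*)?\s*(?:[;,]\s*(?:url\s*=\s*)?(.*))?$/i.exec(content);
  if (!m) return null;                       // not a usable refresh directive
  let url = (m[2] || "").trim();
  const q = url[0];
  if (q === '"' || q === "'") {              // strip optional surrounding quotes
    const end = url.indexOf(q, 1);
    url = url.slice(1, end === -1 ? undefined : end);
  }
  return { delay: parseInt(m[1], 10), url: url || null }; // null url: reload self
}

// Collect refresh directives from markup. A regex scan keeps the demo
// self-contained; an extension would read the parsed DOM instead.
function findMetaRefreshes(html) {
  const found = [];
  for (const tag of html.match(/<meta\b[^>]*>/gi) || []) {
    if (!/http-equiv\s*=\s*["']?refresh\b/i.test(tag)) continue;
    const c = /\bcontent\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(tag);
    const parsed = c && parseMetaRefresh(c[1] ?? c[2] ?? c[3]);
    if (parsed) found.push(parsed);
  }
  return found;
}

// tabHidden stands in for the browser's document.hidden flag.
function refreshDecisions(html, tabHidden) {
  return findMetaRefreshes(html).map((r) => ({
    ...r,
    action: tabHidden ? "block" : "allow",
  }));
}

// Constructed page that reloads itself every 20 seconds.
const PAGE = '<html><head><title>Blog</title>' +
  '<meta http-equiv="refresh" content="20"></head><body>post</body></html>';

console.log(refreshDecisions(PAGE, true));   // hidden tab
console.log(refreshDecisions(PAGE, false));  // visible tab
```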
Jojo999
Senior Member
Posts: 147
Joined: Mon Jun 01, 2009 3:54 am

Re: A New Type of Phishing Attack

Post by Jojo999 »

Giorgio Maone wrote: Firefox Options|Advanced|Accessibility|Warn me when web sites try to redirect or reload the page

This doesn't work for me. I changed the setting to WARN on, restarted FF. DID NOT get any warning when the sample page was switched to GMail overlay.

EDIT:
But what I did get is a warning when after making this post, you wanted to redirect me back to the original thread!
therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: A New Type of Phishing Attack

Post by therube »

JavaScript string literals escape double quotes by prepending a backslash.
Yes I tried that first, doing it just as you, preserving the quotes that shouldn't be escaped.

But ... it does not work when entered into user.js.

I tried removing the "__"

AHHH!


I KNEW there had to be a typo. And I looked & I looked & I compared & I ...

Code: Select all

user_pref(

Code: Select all

user pref(
AHHH!

(You wouldn't believe how many times I looked at it, & how many different scenarios I tried, & I KNEW it had to be a typo!)
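The two user.js failures worked through in this thread (inner double quotes that need a backslash, and `user pref` written with a space), caught by a small checker. This is an added example, not code from any poster and not Firefox's real preference parser; it assumes one statement per line, and `makeUserPref`, `lintUserJs` and the shortened surrogate body are constructed for illustration.

```javascript
// Added example (not from the thread): a simplified one-line-per-pref checker,
// not Firefox's real preference parser.

// Build a user_pref() line; JSON.stringify backslash-escapes inner double quotes.
function makeUserPref(name, value) {
  return "user_pref(" + JSON.stringify(name) + ", " + JSON.stringify(value) + ");";
}

// One double-quoted literal: plain characters or backslash escapes only.
const STR = '"(?:[^"\\\\]|\\\\.)*"';
const PREF_LINE = new RegExp(
  "^user_pref\\(\\s*" + STR + "\\s*,\\s*(?:" + STR + "|true|false|-?\\d+)\\s*\\);\\s*(?://.*)?$"
);

// Return [{line, problem}] for every statement that would not set a preference.
function lintUserJs(text) {
  const findings = [];
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("//") || PREF_LINE.test(line)) return;
    let problem = "not a user_pref(\"name\", value); statement";
    if (/^user\s+pref\s*\(/.test(line)) {
      problem = "function name must be user_pref (underscore, not a space)";
    } else if (/^user_pref\s*\(/.test(line)) {
      problem = "arguments are not well-formed literals (unescaped inner quote?)";
    }
    findings.push({ line: i + 1, problem });
  });
  return findings;
}

// Constructed sample: the thread's three attempts, with a shortened surrogate body.
const NAME = "noscript.surrogate.stickyTitle.replacement";
const BODY = 'var getTitle = document.__lookupGetter__("title");';
const SAMPLE = [
  "// Experimental for NoScript to block changing the page title",
  'user_pref("noscript.surrogate.stickyTitle.sources", "@*");',
  'user pref("' + NAME + '", "' + BODY + '");',   // space instead of underscore
  'user_pref("' + NAME + '", "' + BODY + '");',   // inner quotes left unescaped
  makeUserPref(NAME, BODY),                        // escaped correctly
].join("\n");

for (const f of lintUserJs(SAMPLE)) console.log("line " + f.line + ": " + f.problem);
```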