And that too was probably bogus. You saw what appeared to be, but did you check the URL line?
EDIT: But what I did get is a warning when, after making this post, you wanted to redirect me back to the original thread!
A New Type of Phishing Attack
Re: A New Type of Phishing Attack
The <META> redirection block only happens at certain points & I kind of jumped in the middle instead of starting at the beginning & so I'm not clear if it helped in all circumstances.
Re: A New Type of Phishing Attack
Giorgio Maone wrote:
> On a side note, as I just said in a comment I dropped on Brian's blog, in the next version I'll probably implement a feature to block meta refreshes which are about to happen in hidden tabs.
> This will prevent Aviv's variant from working, while keeping meta refresh functionality where needed.

I'd love to see a block meta refresh function in NoScript. Firefox's option to warn you when a meta refresh works okay, but I'd like the ability to whitelist pages I want to allow meta refresh on (such as news sites like CNN) and by default not allow non-whitelisted sites to meta refresh.
Re: A New Type of Phishing Attack
> I'd like the ability to whitelist pages

Now that SeaMonkey is able to work with accessibility.blockautorefresh, & once I enabled it, that was my immediate thought.
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
- Contact:
Re: A New Type of Phishing Attack
Please check 1.9.9.81
Re: A New Type of Phishing Attack
Giorgio Maone wrote:
> Please check 1.9.9.81

Thanks, Giorgio, for your great work!
Re: A New Type of Phishing Attack
Too confusing for me. I'm not sure what I'm supposed to see or not see?
Setting noscript.forbidBGRefresh to 3, I don't know that I'm seeing anything different?
But then ... I'm not sure what I'm supposed to see or not see?
Suppose this is nothing?
Code:
Error: Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIPrefBranch.getBoolPref]
Source file: chrome://noscript/content/Main.js
Line: 3947
- Giorgio Maone
Re: A New Type of Phishing Attack
therube wrote:
> But then ... I'm not sure what I'm supposed to see or not see?

Currently nothing on SeaMonkey. I'm checking if I can stuff something for SM in 81 itself before it goes AMO.
- Giorgio Maone
Re: A New Type of Phishing Attack
@therube:
please retry installing in SeaMonkey now. You won't get the allowable notification you get in Firefox, but the attack should fail and the blockage should be logged in the Error Console.
Re: A New Type of Phishing Attack
Thank you Giorgio for the quick update
On the proof of concept page, I still get the gmail image after moving away from tab, and a reload. Interestingly, another reload brings the original page back!
Being that the initial warning/block in the latest version of NoScript appears to work, it's definitely cool, and helpful.
Just wanted to pop in and share my experience w/the latest update regarding this latest threat.
Thanks for making an awesome program, all the updates, and all your efforts!
- Giorgio Maone
Re: A New Type of Phishing Attack
technerd wrote:
> Thank you Giorgio for the quick update
> On the proof of concept page, I still get the gmail image after moving away from tab, and a reload.

You mean a manual reload (under your control), right?
That's normal because of the way the scriptless page works: it uses CSS to detect whether you're looking at the page or not, and when you're not looking anymore it "takes note" that the next refresh must be GMail-like.
NoScript blocks the automatic refresh, but if you do it manually you get the expected GMail page.

technerd wrote:
> Interestingly, another reload brings the original page back!

Yes, because once the GMail trap has been shown, the "note" gets reset, allowing you to try the PoC ad infinitum.
Re: A New Type of Phishing Attack
Let me see if I'm getting this a bit better ...
krebs page: http://krebsonsecurity.com/2010/05/devi ... gets-tabs/
krebs link to aviv's page: http://avivraff.com/research/phish/arti ... ?854817837
blocking JavaScript, or not, is immaterial because JavaScript is not being used
clicking on the link to aviv's page loads the exploit page
at that point, if Forbid META redirections inside <NOSCRIPT> elements is enabled, exploit thwarted
manually reloading the page will expose "Google" (& then rotate to & fro, every so often) [expected]
disable META redirections blocking, but enable noscript.forbidBGRefresh & again, exploit thwarted
still, manually reloading the page will expose "Google" (& then rotate to & fro, every so often) [expected]
Code:
[NoScript] Blocking refresh on unfocused tab, http://avivraff.com/research/phish/article.php?854817837->http://avivraff.com/research/phish/article.php?1681419702
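An added example, not code from NoScript or from the PoC page, showing the two settings summarised above applied offline: a small Node.js checker that extracts META refresh redirections from an HTML document, marks those inside <NOSCRIPT>, and decides whether a given refresh should be blocked. The sample HTML and the example.invalid host are constructed.

```javascript
// Added example, not NoScript's own code: find <meta http-equiv="refresh">
// redirections in an HTML document, flag those inside <noscript>, and apply
// the two policies discussed in the thread (forbid META redirections inside
// <noscript>; forbid refreshes that would fire in an unfocused tab).
const META_RE = /<meta\b[^>]*>/gi;
const NOSCRIPT_RE = /<noscript\b[^>]*>[\s\S]*?<\/noscript>/gi;

// Read one attribute value (double-quoted, single-quoted or bare) from a tag string.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = tag.match(re);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Parse content="5; url=http://..." into { delay, url }; url is null for a plain reload.
function parseRefreshContent(content) {
  const m = content.match(/^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['"]?([^'"]*)['"]?)?\s*$/i);
  return m ? { delay: Number(m[1]), url: m[2] ? m[2].trim() : null } : null;
}

// Return every meta refresh that redirects to a URL, with its <noscript> context.
function findMetaRefreshes(html) {
  const noscriptRanges = [...html.matchAll(NOSCRIPT_RE)].map(m => [m.index, m.index + m[0].length]);
  const found = [];
  for (const m of html.matchAll(META_RE)) {
    if ((attr(m[0], "http-equiv") || "").toLowerCase() !== "refresh") continue;
    const parsed = parseRefreshContent(attr(m[0], "content") || "");
    if (!parsed || !parsed.url) continue; // reload of the same page, not a redirection
    const insideNoscript = noscriptRanges.some(([a, b]) => m.index >= a && m.index < b);
    found.push({ ...parsed, insideNoscript });
  }
  return found;
}

// Policy check: returns the reason for blocking, or null when the refresh may proceed.
function refreshDecision(refresh, { forbidNoscriptMeta, forbidBGRefresh, tabFocused }) {
  if (forbidNoscriptMeta && refresh.insideNoscript) return "META redirection inside <noscript>";
  if (forbidBGRefresh && !tabFocused) return "refresh on unfocused tab";
  return null;
}

// Constructed sample (example.invalid is a placeholder host): a harmless timed
// reload plus an immediate redirection that only exists for script-less viewers.
const SAMPLE_HTML = `<html><head>
<meta http-equiv="refresh" content="300">
<noscript><meta http-equiv="refresh" content="0; url=http://example.invalid/article.php?1681419702"></noscript>
</head><body>...</body></html>`;

for (const r of findMetaRefreshes(SAMPLE_HTML)) {
  console.log(r, refreshDecision(r, { forbidNoscriptMeta: true, forbidBGRefresh: true, tabFocused: false }));
}
```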
- Giorgio Maone
Re: A New Type of Phishing Attack
@therube:
you got it perfectly right.
More, if you're on Firefox with the forbidBGRefresh option set to 1, you also get a notification identical to Firefox's own accessibility refresh blocking one, with a button to work-around it.
- GµårÐïåñ
- Lieutenant Colonel
- Posts: 3365
- Joined: Fri Mar 20, 2009 5:19 am
- Location: PST - USA
- Contact:
Re: A New Type of Phishing Attack
I can verify that the current and all previous attempts at doing this are successfully blocked by NoScript, and short of someone manually refreshing a tab only to continue using what they were doing, it seems unlikely; and if so, then so be it for their lack of attention.
~.:[ Lï£ê ï§ å Lêmðñ åñÐ Ì Wåñ† M¥ Mðñê¥ ßå¢k ]:.~
________________ .: [ Major Mike's ] :. ________________
Re: A New Type of Phishing Attack
I'm lost and don't understand what I am supposed to set/enable to block this problem in 1.9.9.81.
Can anyone lay out required changes in a straightforward manner? Thanks.
Re: A New Type of Phishing Attack
I don't see any difference between 1.9.9.80 and 1.9.9.81
If I open http://www.azarask.in/blog/post/a-new-t ... ng-attack/ in a tab and don't allow scripts to run, when I switch to another tab nothing happens (using both .80 & .81).
If I allow scripts to run on the site and switch to another tab then the tab changes to gmail as described (using both .80 & .81).
Is this the expected behavior?