Legal Disclaimer

Hacking For Beginners – Manthan Desai 2010
10. Tab Napping A New Phishing Attack
Traditional phishing attacks are reasonably easy to avoid, just don’t click links in suspicious e-mails (or, for the really
paranoid, any e-mail). But Firefox Creative Lead Aza Raskin has found a far more devious way to launch an attack by
hijacking your unattended browser tabs.
The attack works by first detecting that the tab the page is in does not have focus. Then the attacking script can change
the tab favicon and title before loading a new site, say a fake version of gmail or orkut, in the background.
Even scarier, the attack can parse through your history to find sites you actually visit and impersonate them.
Because most of us trust our tabs to remain on the page we left them on, this is a particularly difficult attack to detect. As
Raskin writes, "as the user scans their many open tabs, the favicon and title act as a strong visual cue — memory is
mailable and moldable and the user will most likely simply think they left *the+ tab open.”
The only clue that you’re being tricked is that the URL will be wrong.
The Script Used is as Below.-
open this in a tab of your browser and wait for 10 seconds and see after you come back but leave this page and go
to other tab to see this magic.
var xScroll, yScroll, timerPoll, timerRedirect, timerClock;
function initRedirect(){
if (typeof document.body.scrollTop != "undefined"){ //IE,NS7,Moz
xScroll = document.body.scrollLeft;
yScroll = document.body.scrollTop;
clearInterval(timerPoll); //stop polling scroll move
clearInterval(timerRedirect); //stop timed redirect
w w w . h a c k i n g t e c h . c o . t v Page 110