DOI: 10.1145/2484313.2484371
Research article

TabShots: client-side detection of tabnabbing attacks

Published: 08 May 2013

ABSTRACT

As the web grows ever larger and the browser becomes the vehicle of choice for delivering many applications of daily use, the security and privacy of web users are under constant attack. Phishing is as prevalent as ever, with anti-phishing communities reporting thousands of new phishing campaigns each month. In 2010, tabnabbing, a variation of phishing, was introduced. In a tabnabbing attack, an innocuous-looking page opened in a browser tab disguises itself as the login page of a popular web application while the user's focus is on a different tab. The attack exploits users' trust in already-opened pages and the habit of keeping browser tabs open for a long time.

To combat this recent attack, we propose TabShots, a browser extension that helps browsers and users remember what each tab looked like before the user switched tabs. Our system compares the appearance of each tab and highlights the parts that changed, allowing the user to distinguish between legitimate changes and malicious masquerading. In an experimental evaluation on the most popular sites of the Internet, we show that TabShots has no impact on 78% of these sites and very little on another 19%. Thus, TabShots effectively protects users against tabnabbing attacks without affecting their browsing habits and without breaking legitimate popular sites.
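As an added example (not the TabShots extension's own code), the core comparison step described above: two captured tab snapshots are divided into tiles, and the tiles whose pixels changed are reported so a defender-side extension can highlight them. It assumes snapshots arrive as same-sized RGBA pixel buffers (as reading canvas ImageData would give) and that tile size and colour tolerance are tunable parameters; the sample images are constructed.

```javascript
// Added example, not TabShots code. Assumption: `before` and `after` are RGBA
// byte buffers (width*height*4) captured from the same tab at two moments.
// Returns { changed: [{x, y, w, h}, ...], fraction } where `fraction` is the
// share of tiles that changed; the caller would overlay `changed` on the tab.
function compareSnapshots(before, after, width, height, tileSize = 4, tolerance = 0) {
  if (before.length !== after.length || before.length !== width * height * 4) {
    throw new Error("snapshots must be RGBA buffers of the same dimensions");
  }
  const changed = [];
  let tiles = 0;
  for (let ty = 0; ty < height; ty += tileSize) {
    for (let tx = 0; tx < width; tx += tileSize) {
      tiles++;
      const w = Math.min(tileSize, width - tx);   // edge tiles may be smaller
      const h = Math.min(tileSize, height - ty);
      if (tileDiffers(before, after, width, tx, ty, w, h, tolerance)) {
        changed.push({ x: tx, y: ty, w, h });
      }
    }
  }
  return { changed, fraction: tiles ? changed.length / tiles : 0 };
}

// A tile differs if any R, G or B channel of any pixel moved by more than
// `tolerance`; alpha is ignored because captured tabs are opaque.
function tileDiffers(a, b, width, tx, ty, w, h, tolerance) {
  for (let y = ty; y < ty + h; y++) {
    for (let x = tx; x < tx + w; x++) {
      const i = (y * width + x) * 4;
      for (let c = 0; c < 3; c++) {
        if (Math.abs(a[i + c] - b[i + c]) > tolerance) return true;
      }
    }
  }
  return false;
}

// Constructed sample input: an 8x8 white page, and an "after" snapshot in which
// only the top-left 4x4 block was repainted (the spot a masquerading page would
// redraw as a login form). Tile size 4 gives four tiles, one of them changed.
function makeSnapshot(width, height, fillFn) {
  const buf = new Uint8ClampedArray(width * height * 4);
  for (let y = 0; y < height; y++) {
    for (let x = 0; x < width; x++) {
      const [r, g, b] = fillFn(x, y);
      buf.set([r, g, b, 255], (y * width + x) * 4);
    }
  }
  return buf;
}
const SAMPLE_BEFORE = makeSnapshot(8, 8, () => [255, 255, 255]);
const SAMPLE_AFTER = makeSnapshot(8, 8, (x, y) => (x < 4 && y < 4) ? [40, 40, 40] : [255, 255, 255]);
```

In an extension the two buffers would come from snapshots taken at tab-switch time and at tab-return time, and a non-zero `fraction` is what triggers the highlight overlay.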


Published in

ASIA CCS '13: Proceedings of the 8th ACM SIGSAC Symposium on Information, Computer and Communications Security, May 2013, 574 pages. ISBN: 9781450317672. DOI: 10.1145/2484313

Copyright © 2013 ACM


Publisher: Association for Computing Machinery, New York, NY, United States


Acceptance rates: ASIA CCS '13 paper acceptance rate 35 of 216 submissions (16%); overall acceptance rate 418 of 2,322 submissions (18%).
