TabJack
Implementation of an interesting Tab-Jacking / Tab-Nabbing phishing attack
Blog post by @aza (archived version, post was deleted):
https://web.archive.org/web/20191121174508/http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
Live Version:
https://nulldev.github.io/TabJack/
What happens:
- You open up a normal looking website.
- The script detects when the tab has lost focus and hasn't been interacted with for a while.
- It then replaces all page content with a realistic-looking phishing site.
- As the victim scans their many open tabs, the favicon and title will lead them to think they left a Gmail tab open.
- When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in.
- After the victim has entered their details, the script redirects them to the real Gmail. Because they were never logged out, it appears as if the login was successful.
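The steps above have a distinctive signature from the browser's side: the page changes its own title and favicon while the tab is hidden and the user has been idle. The following is an added defender-side example, not code from the TabJack project or the original blog post. The event logic is pure so it can be exercised outside a browser; the DOM wiring at the end only activates when a `document` exists (for instance when loaded as a browser-extension content script). The idle threshold, the timeline values and the `example.invalid` URLs are constructed assumptions.

```javascript
// Added example (not part of TabJack): detect a title/favicon swap that happens while
// the tab is hidden and the user has been idle, i.e. the tab-nabbing pattern above.

// Pure detector: fed interaction, visibility and identity-change events with timestamps.
function createTabNabDetector(options = {}) {
  const idleThresholdMs = options.idleThresholdMs ?? 5000; // assumed "idle" window
  const identity = { title: options.initialTitle ?? '', favicon: options.initialFavicon ?? '' };
  let hidden = false;
  let lastInteraction = 0;
  let hiddenSince = null;
  const findings = [];

  return {
    // The user did something on the page (mouse, keyboard, scroll) at time t.
    interaction(t) { lastInteraction = t; },
    // The tab became hidden (isHidden = true) or visible again at time t.
    visibility(isHidden, t) { hidden = isHidden; hiddenSince = isHidden ? t : null; },
    // The page changed its title or favicon at time t. A change made while the tab is
    // hidden and the user has been idle is the swap described in the README.
    identityChange(field, value, t) {
      const previous = identity[field];
      if (previous === value) return null;
      identity[field] = value;
      if (!hidden || t - lastInteraction < idleThresholdMs) return null;
      const finding = { field, from: previous, to: value, at: t, hiddenSince };
      findings.push(finding);
      return finding;
    },
    findings() { return findings.slice(); },
  };
}

// Constructed timeline mirroring the attack steps (times in ms): benign page, user
// switches tabs, and several seconds later the page rebrands itself as "Gmail".
function simulateTabJackTimeline() {
  const d = createTabNabDetector({
    idleThresholdMs: 5000,
    initialTitle: 'Example Site',
    initialFavicon: 'https://example.invalid/favicon.ico',
  });
  d.interaction(0);                                   // user scrolls the benign page
  d.visibility(true, 1000);                           // user switches to another tab
  d.identityChange('title', 'Gmail', 8000);           // swapped while hidden and idle
  d.identityChange('favicon', 'https://example.invalid/gmail-look-alike.ico', 8000);
  return d.findings();                                // two findings (title, favicon)
}

// Constructed benign timeline: a chat app updating its unread counter. Title changes
// while visible, or while the user was active recently, are not flagged.
function simulateBenignTimeline() {
  const d = createTabNabDetector({ idleThresholdMs: 5000, initialTitle: 'Chat' });
  d.interaction(0);
  d.identityChange('title', '(1) Chat', 200);         // visible: not flagged
  d.visibility(true, 1000);
  d.identityChange('title', '(2) Chat', 3000);        // hidden but active 3 s ago: not flagged
  return d.findings();                                // empty
}

// Browser wiring: hook the detector to a real document (e.g. from a content script).
function attachToDocument(doc, options = {}, now = () => Date.now()) {
  const faviconHref = () => {
    const link = doc.querySelector('link[rel~="icon"]');
    return link ? link.href : '';
  };
  const detector = createTabNabDetector({
    ...options, initialTitle: doc.title, initialFavicon: faviconHref(),
  });
  detector.visibility(doc.hidden, now());
  for (const ev of ['mousemove', 'keydown', 'scroll', 'touchstart']) {
    doc.addEventListener(ev, () => detector.interaction(now()), { passive: true });
  }
  doc.addEventListener('visibilitychange', () => detector.visibility(doc.hidden, now()));
  // <title> text and <link rel="icon"> both live in <head>; watch it for changes.
  new MutationObserver(() => {
    const t = now();
    const hits = [
      detector.identityChange('title', doc.title, t),
      detector.identityChange('favicon', faviconHref(), t),
    ].filter(Boolean);
    for (const hit of hits) if (options.onFinding) options.onFinding(hit);
  }).observe(doc.head, { childList: true, subtree: true, characterData: true, attributes: true });
  return detector;
}

if (typeof document !== 'undefined') {
  attachToDocument(document, {
    onFinding: (f) => console.warn('Possible tab-nabbing: page identity changed while hidden', f),
  });
}

module.exports = { createTabNabDetector, simulateTabJackTimeline, simulateBenignTimeline, attachToDocument };
```

In practice an extension built on this would surface the finding to the user when they return to the tab, since the whole point of the swap is that it happens while they are not looking. Legitimate pages do change their title while hidden (unread counters, timers), so a deployed version would treat a favicon change, or a title and favicon changing together, as the stronger signal and keep an allowlist for known sites.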
Disclaimer: This is for educational purposes only. It is just a PoC (Proof of Concept).