Imagine the following scenario. You are browsing the web and have multiple open browser tabs. You need to check your emails and remember that you had the Gmail page open earlier. You quickly scan the list of tabs, looking for the familiar Gmail favicon and page title, click on it, and see the Gmail login page. Your session probably timed out, so you provide the credentials and log in. Pwned! The attacker just stole your password.
What happened? This is a new type of phishing attack that Aza Raskin describes today on his blog. One of the tabs was the attacker's website, which you had been enticed to visit. It looked like a typical, harmless web site (not the Gmail page). JavaScript code on that page detected that it did not have focus and had not been interacted with for a while, at which point it surreptitiously replaced its favicon, page title, and page content with a Gmail look-alike. Even many of the most savvy users could fall for this trick. All it takes is a moment of forgetfulness: a moment where you forget to double-check the URL before submitting private information.
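The pattern above (a backgrounded tab silently swapping its title and favicon) can be recognised from the tab's own event stream. The following detector is an added example, not code from Raskin's post or from this blog; it works on a recorded list of visibility and identity-change events so it runs offline, and the wiring that would feed it real events from `visibilitychange` and a `MutationObserver` is assumed rather than shown.

```javascript
// Added example (not the original post's code): flags a tab that changed its
// title or favicon while backgrounded. Works on a recorded event stream; in a
// browser extension the stream would come from visibilitychange events and a
// MutationObserver on <title>/<link rel="icon"> (assumed wiring, not shown).
// Event: { t: ms, type: 'hidden'|'visible'|'title'|'favicon', value?: string }
function detectTabnabbing(events, { minHiddenMs = 5000 } = {}) {
  const alerts = [];
  let hiddenSince = null;   // when the tab lost visibility, or null while visible
  let changes = [];         // identity changes recorded since it was hidden
  const current = { title: null, favicon: null };
  for (const ev of events) {
    if (ev.type === 'hidden') {
      hiddenSince = ev.t;
      changes = [];
    } else if (ev.type === 'title' || ev.type === 'favicon') {
      const prev = current[ev.type];
      current[ev.type] = ev.value;
      // Only a change of an already-set value counts; initial values at load don't.
      if (hiddenSince !== null && prev !== null && prev !== ev.value) {
        changes.push({ type: ev.type, from: prev, to: ev.value, t: ev.t });
      }
    } else if (ev.type === 'visible') {
      // Report only if the tab stayed hidden long enough to be "forgotten".
      if (hiddenSince !== null && changes.length > 0 && ev.t - hiddenSince >= minHiddenMs) {
        alerts.push({ hiddenForMs: ev.t - hiddenSince, changes });
      }
      hiddenSince = null;
      changes = [];
    }
  }
  return alerts;
}

// Constructed sample: a harmless-looking page is backgrounded, then swaps its
// title and favicon for a webmail look-alike before the user returns.
const sampleEvents = [
  { t: 0, type: 'title', value: 'Cute Cat Pictures' },
  { t: 0, type: 'favicon', value: 'https://cats.example/favicon.ico' },
  { t: 1000, type: 'hidden' },
  { t: 70000, type: 'title', value: 'Gmail: Email from Google' },
  { t: 70000, type: 'favicon', value: 'https://cats.example/mail-lookalike.ico' },
  { t: 120000, type: 'visible' },
];

const sampleAlerts = detectTabnabbing(sampleEvents);
console.log(JSON.stringify(sampleAlerts, null, 2));
```

A site that legitimately rewrites its title in the background (an unread-message count, for instance) would also trigger this check, so a real deployment would allowlist such origins or weight favicon changes more heavily than title changes.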
As an information security professional, I am paranoid by nature, and I am glad to realize that the way I have been browsing the web for the past few years already protects me against this type of phishing attack. My paranoia finally pays off :-) I use two browsers: browser A for my general needs, and browser B only for my important authenticated sessions (my webmail, bank, broker, etc.). I also keep only one tab open at a time in browser B, and I always log off before opening another site in that tab. If I were to see a Gmail page in browser A, among my myriad other tabs, it would immediately raise a red flag.
But the reason I have been browsing this way was not originally to protect myself against this specific type of phishing attack; after all, I only learned about it today! I follow this strict habit in order to defend myself against CSRF vulnerabilities, in my opinion one of the biggest and most overlooked classes of web security vulnerabilities. As a matter of fact, Gmail itself was vulnerable to CSRF at least two times in recent history (January 2007, March 2009). This is why I only have one tab open at a time in my second browser: with no other site open, no other site can perform a CSRF attack against my authenticated session. The two browsers make this strict procedure much less painful, since I can visit as many unauthenticated sites as I want in the other one. Of course, I may sometimes visit authenticated sites in browser A as well, but only if I consider them unimportant, i.e. if I consider it a non-issue to have my credentials stolen via CSRF.
Comments are welcome. I would love to hear ideas to make browsing more secure.