Another method that you can use when you conduct a social engineering attack is the Tabnabbing attack. The only thing it requires from the user is to switch tabs in his browser in order to load the fake website, and then, if he inserts his credentials, it harvests them.
There are not many things to explain here, so we will have a look at the attack itself.
The first thing we have to do, of course, is to open the Social Engineering Toolkit and choose the Website Attack Vectors option.
Next we will see the available attacks that we can use. Of course our choice here is option number 4, the Tabnabbing Attack Method.
In the next menu we will choose option number 2 in order to clone the website of our preference. Remember that the Tabnabbing attack only works with websites that have fields for username and password, so choose this kind of website for cloning.
Now it is time to choose the website that SET will clone. In this scenario our choice will be Gmail.
If we send a link with our IP address to our victim and he opens it, he will notice that a new tab opens and a message appears saying the following:
This message will stay there until the user switches tabs in his browser. Then the fake website will load, and we just have to wait for him to enter his credentials in order to capture them.
The next image shows what we will see in SET when the victim inserts his credentials into the username and password fields.
As with most social engineering attacks, this type of attack requires covering our IP address with a domain that will look legitimate. This technique is similar to the Credential Harvester method, with the only difference that the user needs to switch tabs, thinking that the page is taking too long to load.
This attack is very easy for anybody to implement, and many inexperienced users will probably become victims, so these types of users need extra awareness.
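The swap described above (a blank "loading" page that turns into a login form only after the tab is hidden) leaves a trace the browser can see: the tab's title and favicon change while nobody is looking at it, and in this walkthrough the page is served from a raw IP address rather than the brand's domain. The following is an added example, not code from the original post or from SET, of a defender-side heuristic that a user script or content script could apply. The brand list and the sample IP address are constructed for the example; title changes alone are not flagged, because legitimate pages update their titles with unread counts, so only a change combined with an IP host or an apparent brand mismatch is reported.

```javascript
// Added example (not from the original post or SET): a heuristic that reports a
// tabnabbing-style swap. The page is snapshotted when the tab goes hidden and
// compared with the page the user comes back to; the comparison logic is kept in
// plain functions so it can be exercised outside a browser.

const IPV4_HOST = /^\d{1,3}(\.\d{1,3}){3}$/;

// Brand names a cloned login page is likely to imitate. Constructed list for
// this example; a real deployment would maintain a broader one.
const WATCHED_BRANDS = ["gmail", "google", "microsoft", "paypal", "facebook"];

// Observable identity of a page as a plain object.
function snapshot(title, hostname, faviconHref) {
  return { title: title || "", hostname: hostname || "", favicon: faviconHref || "" };
}

// Compare the page as it was when the tab was hidden with the page the user
// returns to. Returns { suspicious, reasons }.
function assessSwap(beforeHide, onReturn) {
  const reasons = [];
  const titleChanged = beforeHide.title !== onReturn.title;
  const faviconChanged = beforeHide.favicon !== onReturn.favicon;
  if (!titleChanged && !faviconChanged) {
    return { suspicious: false, reasons };
  }
  if (titleChanged) {
    reasons.push(`title changed from "${beforeHide.title}" to "${onReturn.title}" while hidden`);
  }
  if (faviconChanged) reasons.push("favicon changed while hidden");

  const host = onReturn.hostname.toLowerCase();
  const lowerTitle = onReturn.title.toLowerCase();
  const ipHost = IPV4_HOST.test(host);
  // A title naming a brand whose name does not appear in the host is a mismatch.
  const impersonated = WATCHED_BRANDS.find((b) => lowerTitle.includes(b) && !host.includes(b));
  if (ipHost) reasons.push(`page is served from a raw IP address (${host})`);
  if (impersonated) reasons.push(`new title looks like ${impersonated} but host is ${host}`);

  // A change while hidden is only treated as suspicious when it is combined with
  // an IP-address host or an apparent brand mismatch.
  return { suspicious: ipHost || Boolean(impersonated), reasons };
}

// Browser wiring: runs only when loaded as a content/user script inside a page.
if (typeof document !== "undefined") {
  const currentSnapshot = () => {
    const icon = document.querySelector('link[rel~="icon"]');
    return snapshot(document.title, location.hostname, icon ? icon.href : "");
  };
  let beforeHide = currentSnapshot();
  document.addEventListener("visibilitychange", () => {
    if (document.visibilityState === "hidden") {
      beforeHide = currentSnapshot();
    } else {
      const result = assessSwap(beforeHide, currentSnapshot());
      if (result.suspicious) {
        console.warn("Possible tabnabbing:", result.reasons.join("; "));
      }
    }
  });
}
```

Run in the browser, the script warns on the console when the user returns to a tab that now claims to be a brand login page but is hosted on a bare IP address; the same `assessSwap` function can be fed recorded snapshots from a proxy or browser telemetry for offline review.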
How to send the link to a victim.
You can spoof your email address to something that looks real, like email@example.com, in order to convince the target to open the link.
Thank you, netbiosX, for this very informative demonstration.
Here is the problem: this works on the same network, I mean the local network. How can we use it on a victim on another network?
Fane, the Social Engineering Toolkit can be used on different networks as well. The only thing that you have to do is to set the AUTO_DETECT option to Off in the configuration file of SET.
The AUTO-DETECT is off, but it seems the link doesn't work from another network. I used goo.gl to generate the link. Help, please.
When I open SET on my system, it doesn't show the above menu. It only shows 6 options, which are for update and help.