The latest scam YOU need to be aware of: 'tabnabbing'

drupal_admin — Fri, 11 Jun 2010 01:55:00 +0000

Think ‘tabnabbing’ sounds like the latest prank involving filing supplies and the office clown? Think again. Tabnabbing (also referred to as tabnapping) is a new type of phishing attack that is sweeping the internet. Most phishing scams rely on you clicking on an imbedded link or downloading a file you find in a suspect email, sketchy website or a pop up window. Tabnabbing occurs in the background after your focus shifts away from a malicious or compromised site.

“What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise,” Said Aza Raskin, Firefox's creative lead who identified the attack. “Most people keep multiple tabs open, often for long periods.”

This attack uses JavaScript to discretely change the contents of an open but not active tab in your browser to look like the log-in screen of a bank, credit card company, popular retail site, social networking site or email provider. This page transformation only occurs after the page becomes “inactive” while a victim moves to another tab or open program. The scammers are relying on users thinking they left a login page tab open.

"When they click back to the fake tab, they'll see the standard Gmail log-in page, assume they've been logged out, and provide their credentials to log in," says Raskin.

Raskin was able to recreate “tabnabbing” on his own blog to show users what to look for. You can try it here. After clicking the link, open a new tab, or simply click away from the page for a few seconds and then go back to the original tab. While the URL hasn’t changed, the original blog content you saw only moments ago has been replaced with what appears to be a Gmail login page. In this case the Gmail login page is just an image; however, in the case of an actual tabnabbing attack the page will be a functional login form.

In an actual attack after the user enters their login information, it’s sent it back to the attacker, and then the victim redirected back to the site they think they are logging into. This often goes completely
undetected because often the victim was never logged out in the first place, and it will simply appear as if the login was successful, never realizing that they just handed over the all credentials the attacker needed to access their account.

It is even possible for attackers to detect which sites are in your history as well as what sites you are currently logged into and then customize the fake page to resemble a site you often use or are currently logged into, making this form of attack extremely effective and difficult to detect. All major browsers are susceptible to this attack.

Here’s what to watch for and how to avoid a potential tabnabbing attack and keep your identity, information, and login credentials safe:

Don't log-in on a tab that you haven't opened yourself. Since the tabnabbing tactic banks on you trusting that you opened the tab -- and that the site simply timed out -- the best defense is this offensive move. In other words, if you see a tab that contains a seemingly-legit log-in form, close it, then head to the site yourself in a new tab.

Enable browser settings and filters that will alert you to potential attacks. For Internet Explorer (IE) use SmartScreen. In Firefox and Chrome it's called "Phishing and Malware Protection;" Safari doesn't give it a name, but offers a setting that reads, "Warn when visiting a fraudulent website" in the Security section of its Preferences settings.

Look at the URL in your browser's address bar before filing in any form or giving out any personal information and verify the URL matches the login page. If there’s a discrepancy, close the tab
immediately.

Use a password manager. Third-party browser password managers like RoboForm for Windows or 1Password for Mac link saved log-in usernames and passwords to a specific URL. When you save the username and password on the log-in page of the legitimate site, the password manager won't auto enter the username and password into a non-matching URL which should alert you to a possible tabnabbing attempt.

For more info on avoiding Tabnapping read ComputerWorld’s How to Foil Web Browser Tabnapping.

2 comments – Read/add comments

Bookmark/Search this post with:

Intelius - Raskin

The latest scam YOU need to be aware of: 'tabnabbing'