Tabnabbing: Like phishing within browser

by Larry Magid

Mozilla’s Aza Raskin is warning about a new type of phishing attack called tabnabbing.

Unlike traditional phishing attacks, which trick people into clicking links that take them to bogus sites that look legitimate, tabnabbing doesn’t require the user to click on a link at all. But it too can trick people into disclosing their usernames and passwords.

While you have a Web page carrying malicious tabnabbing code open, the moment you switch to another tab that page, now in the background, morphs into what appears to be a legitimate site like Gmail or a banking site. To the user it looks quite familiar, and since it’s not uncommon for people to have multiple tabs open at the same time, it’s easy to assume that it really is the site you meant to visit. When you click on it, you’re not logged in, but that too can seem quite normal, since many sites log you out automatically after a period of time. However, if you’re a tabnabbing victim and try to log in to the site, you wind up handing your log-in credentials to the tabnabber.

[Photo: Aza Raskin (Credit: Aza Raskin)]
Ironically, the very security techniques that some sites use to protect users can increase the chances of falling for this scam. “For example,” said Raskin, “it can detect that you’re logged into CitiBank right now and CitiBank has been training you to log into your account every 15 minutes because it logs you out for better security. It’s like being hit by the wrong end of the sword.”

Raskin said that, unlike with many types of malicious software, PC security programs won’t protect users here, because the malicious code is running on the Web site, not on the PC. “None of those will help in this case.” He said that Firefox helps because it will “look at every page you visit and determine whether it thinks it’s a phishing scam.” Raskin said that Mozilla is looking at putting an account manager, similar to LastPass, into future versions of Firefox that automatically logs users in to their accounts.

If you go to Raskin’s blog post about tabnabbing, you’ll see an actual demonstration. After you’ve been on the page for a few seconds, click away to another tab and then come back to the tab with his blog post. If it works as planned, you will be looking at what appears to be a Gmail log-in page. Fortunately, this is only a test; it won’t actually let you type anything.
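The mechanism described above leaves a footprint a defender can watch for: the tab keeps its origin but rewrites its own title, favicon and content while it is out of sight, and a credential form appears where none was before. The following is an added example, not code from the article or from Raskin’s demonstration, of a browser-side monitor of the kind a browser extension content script (hypothetical here) could run. It records what a page looked like when its tab was hidden and compares on return; the comparison is a pure function, so it can be tested outside a browser, and the DOM wiring at the bottom only runs when a `document` exists. The sample snapshots are constructed for illustration.

```javascript
// Added example (not from the article or from Raskin's demo): a tabnabbing
// monitor in the style of a browser-extension content script.
// Assumptions: runs once per page; the browser fires `visibilitychange`
// when the tab is hidden and shown again.

// Capture the identity cues a user relies on when glancing at a tab, plus
// whether the page currently asks for a password.
function snapshotOf(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: doc.location.origin,
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the page as it was when the tab went to the background with the
// page as it is now. Tabnabbing keeps the origin and rewrites the page in
// place, so the pattern is: same origin, changed identity cues, and a
// password field now present.
function assessTabSwitch(before, after) {
  if (before.origin !== after.origin) {
    // An ordinary navigation changes the origin and the address bar shows it;
    // that is not the in-place rewrite this monitor looks for.
    return { suspicious: false, reasons: ['origin changed (ordinary navigation)'] };
  }
  const reasons = [];
  const titleChanged = before.title !== after.title;
  const faviconChanged = before.favicon !== after.favicon;
  if (titleChanged) reasons.push(`title changed from "${before.title}" to "${after.title}"`);
  if (faviconChanged) reasons.push(`favicon changed from ${before.favicon} to ${after.favicon}`);
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('a password field appeared while the tab was hidden');
  }
  // A webmail tab updating its title with an unread count changes its
  // identity cues too, so only flag when a credential form is also present.
  const suspicious = (titleChanged || faviconChanged) && after.hasPasswordField;
  return { suspicious, reasons };
}

// Constructed sample: a blog post that turns into a look-alike login page
// while the tab is in the background (same origin, new title/icon/form).
const SAMPLE_BEFORE = {
  origin: 'https://example-blog.test',
  title: 'Tabnabbing: a new type of phishing attack',
  favicon: '/favicon.ico',
  hasPasswordField: false,
};
const SAMPLE_AFTER = {
  origin: 'https://example-blog.test',
  title: 'Webmail: Sign in',
  favicon: '/mail-icon.ico',
  hasPasswordField: true,
};

// Run the comparison on the constructed sample and return the verdict.
function demo() {
  return assessTabSwitch(SAMPLE_BEFORE, SAMPLE_AFTER);
}

// Browser wiring: only active when a real document is present.
if (typeof document !== 'undefined') {
  let whenHidden = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      whenHidden = snapshotOf(document);
    } else if (whenHidden) {
      const verdict = assessTabSwitch(whenHidden, snapshotOf(document));
      if (verdict.suspicious) {
        console.warn('Possible tabnabbing on this tab:', verdict.reasons.join('; '));
      }
      whenHidden = null;
    }
  });
} else {
  console.log(demo());
}
```

The check is deliberately conservative: a title or favicon change alone is common (unread counts, live pages), so a warning needs a password field to have appeared in the rewritten page. This is the same reason an origin-bound password manager, like the account manager Raskin mentions, is a strong defence: it would not offer credentials to a page whose origin does not match the account it stores.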

Listen to the interview with Aza Raskin (podcast, mp3 file)
