Suspected PayPal Hackers Seek Deal To Stay Out Of Prison
Scripps Employees Called 'Hackers' For Exposing Massive Security Flaw
'Tabnapping' Is a Terrifying New Phishing Attack
The attack, dubbed "tabnapping" by Firefox creative lead Aza Raskin, uses Javascript to replace the contents of a tab and its label. The malicious code waits until you switch to view another tab. Then, when you're not paying attention, it quietly changes its contents to resemble the Gmail log-in screen (or some other information-collecting site). Between the convincing fake page and the Gmail favicon in the tab bar, it's likely that many will simply assume they left the tab open and were logged out. After collecting your log-in credentials, it simply forwards you to the correct page (in this case Gmail), because you were never actually logged out. The attack script can be triggered on a delay so that it will only change the page if it has not been touched for several minutes, or hours, preying on the inaccuracy of a user's memory. It can even mine your browser history to target the sites you're currently logged-into without special coding.
The attack works best against Firefox, but other browsers are not completely immune. Chrome, Safari and Internet Explorer can be made to load the fake page in the background, but the favicon and text in the tab don't always change. You can see the video of Raskin's proof of concept in action below, or you can visit his blog here. After opening his page, switch to another tab for at least five seconds. When you return you'll notice the favicon has changed, and a perfect copy of the Gmail log-in screen has replaced the post you were just reading. Terrifying.
This is just one more reason to pay extra attention to that address bar. [From: Aza Raskin, via: Krebs on Security]
That's An Interesting Look, Madge
The List #0147: Escape a Car Underwater
16 Pasta Dishes Worse Than Yours
Visit the Maldive Islands Before It's Too Late
Reptiles Make Home in UK Man's Cable Box
Charlie Sheen Gets Back To His Roots
Springtime Budget-Busters -- Savings Experiment
Distraught Mom Becomes Face of Oklahoma Storm
WHOOPS! Obama Makes Big Gaffe
Is This Woman Too Pretty To Work?
Mariah Carey Suffers Wardrobe Malfunction on Good Morning America
Ryan Gosling Almost Didn't Star In His Signature Movie
The Story Behind Hairspray
Carrie Underwood Donates $1 Million to Oklahoma Tornado Victims
Mariah Carey Curses And Busts Out Of Dress On Live TV
Watch a rocket-powered bicycle set a new land speed record
Candid Portraits Of Strippers After Hours
Teens' Plot To Murder Classmate Shocks Town
Amanda Bynes Speaks Out After Arrest
Abercrombie Announces Plummeting Sales Amid Controversy
Killed Soldier In London Attack Identified
AMAZING PHOTO: UFO Spotted Over San Diego
LOOK: This Is The Perfect Job Application
Joe Arpaio Violated Latinos' Rights, Judge Rules
Fox News Host's Outrageous Comment
Luke Wilson Caught Staring At Fan's Chest
What It's Like To Talk To A 2-Year-Old
Jennifer Aniston And Brad Pitt Are ... Friends?
PHOTO: Amanda Bynes' Mugshot Revealed
Rapper Accused Of Faking His Own Death To Escape Payments
Jodi Arias Jury DEADLOCKED
Teenager's 'Awww'-Inspiring Drawing Wins Big At Google
Comments
3
Subscribe to commentsRicardoApr 24th 2011 8:09PM
I use the add-on called "No script" which by default disables JavaScript on every site... I wonder if this is the solution to that particular phishing attack...
ElectricBuddhaMay 27th 2010 5:05PM
Seriously? Terrifying? Terror isn't what it used to be.
Turn down the Hyperbole and maybe I'll be able to take you seriously.
SSMay 28th 2010 12:37AM
So what are the next steps after you find out you've been targeted by such attack? Does that mean you're going to keep getting attacked?
How do you prevent it? I have No Script like someone above me mentioned, is that enough?
I don't quite understand how they're able to do this unless they're on your computer. I'd believe it's terrifying to say that there are a number of ways to have your information stolen and your computer and laptop accessories manipulated.