'Tabnapping' Is a Terrifying New Phishing Attack

The attack, dubbed "tabnapping" by Firefox creative lead Aza Raskin, uses JavaScript to replace the contents of a tab and its label. The malicious code waits until you switch to another tab. Then, while you're not paying attention, it quietly changes its own contents to resemble the Gmail log-in screen (or some other credential-collecting site). Between the convincing fake page and the Gmail favicon in the tab bar, many people will simply assume they left the tab open and were logged out. After collecting your log-in credentials, it forwards you to the real page (in this case Gmail), which works because you were never actually logged out. The script can be triggered on a delay so that it only changes the page after it has sat untouched for several minutes, or hours, preying on the inaccuracy of a user's memory. It can even mine your browser history to target the sites you're currently logged into, without any special coding.
The attack works best against Firefox, but other browsers are not completely immune. Chrome, Safari and Internet Explorer can be made to load the fake page in the background, but the favicon and text in the tab don't always change. You can see the video of Raskin's proof of concept in action below, or visit his blog here. After opening his page, switch to another tab for at least five seconds. When you return, you'll notice the favicon has changed and a perfect copy of the Gmail log-in screen has replaced the post you were just reading. Terrifying.
This is just one more reason to pay extra attention to that address bar. [From: Aza Raskin, via: Krebs on Security]
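The article's advice is to watch the address bar, because the page can forge its title, favicon and contents but not the URL the browser actually loaded. The snippet below is an added example, not code from the article or from Raskin's proof of concept: a small defensive "tab identity" monitor that records what a tab looks like when it is hidden and compares on return, flagging a tab whose title or favicon changed while you were away (the exact behaviour tabnapping relies on) and printing the real origin. The function names, the snapshot shape and the sample values are my own assumptions.

```javascript
// Added example (not from the original article): a defensive tab-identity
// monitor. The comparison is pure and DOM-free so it can run under Node;
// the browser wiring at the bottom only activates when a document exists.

// Compare two snapshots {title, favicon, href} taken before and after the
// tab was hidden. A page should not re-brand itself while nobody is looking.
function compareTabSnapshots(before, after) {
  const changes = [];
  if (before.title !== after.title) changes.push('title');
  if (before.favicon !== after.favicon) changes.push('favicon');
  // A hidden tab can only change its URL via navigation or pushState;
  // either way it is worth reporting alongside the other changes.
  if (before.href !== after.href) changes.push('url');
  return {
    suspicious: changes.length > 0,
    changes,
    // The origin comes from the real location, which the page cannot forge.
    origin: new URL(after.href).origin,
  };
}

// Human-readable verdict for the result of compareTabSnapshots().
function describe(result) {
  if (!result.suspicious) return 'Tab unchanged while hidden.';
  return `Warning: this tab changed its ${result.changes.join(', ')} while you ` +
         `were away. It is really served from ${result.origin}; ` +
         `check the address bar before typing a password.`;
}

// Build a snapshot from a DOM document and a location object.
function snapshotDocument(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    href: loc.href,
  };
}

// Browser wiring (e.g. a userscript or extension content script): snapshot
// on hide, compare on return, warn if the tab re-branded itself meanwhile.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      hiddenSnapshot = snapshotDocument(document, location);
    } else if (hiddenSnapshot) {
      const result = compareTabSnapshots(hiddenSnapshot,
                                         snapshotDocument(document, location));
      if (result.suspicious) console.warn(describe(result));
      hiddenSnapshot = null;
    }
  });
}

// Constructed sample (hypothetical hostnames): what the monitor would see
// around a swap where a blog tab turns into a "Gmail" log-in page.
const sampleBefore = {
  title: 'Some blog post',
  favicon: 'https://blog.example/favicon.ico',
  href: 'https://blog.example/post',
};
const sampleAfter = {
  title: 'Gmail: Email from Google',
  favicon: 'https://blog.example/fake-gmail.ico',
  href: 'https://blog.example/post',
};
```

Run under Node, `describe(compareTabSnapshots(sampleBefore, sampleAfter))` reports that the title and favicon changed and that the page is really served from `https://blog.example`; in a browser, the same verdict is logged with `console.warn` whenever you return to a tab that changed identity while hidden.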

Comments (3)

Ricardo, Apr 24th 2011 8:09PM
I use the add-on called "NoScript" which by default disables JavaScript on every site... I wonder if this is the solution to that particular phishing attack...
ElectricBuddha, May 27th 2010 5:05PM
Seriously? Terrifying? Terror isn't what it used to be.
Turn down the hyperbole and maybe I'll be able to take you seriously.
SS, May 28th 2010 12:37AM
So what are the next steps after you find out you've been targeted by such an attack? Does that mean you're going to keep getting attacked?
How do you prevent it? I have No Script like someone above me mentioned, is that enough?
I don't quite understand how they're able to do this unless they're on your computer. I'd believe it's terrifying to say that there are a number of ways to have your information stolen and your computer and laptop accessories manipulated.