'Tabnapping' Is a Terrifying New Phishing Attack

The attack, dubbed "tabnapping" by Firefox creative lead Aza Raskin, uses JavaScript to replace the contents of a tab and its label. The malicious code waits until you switch to another tab. Then, while you're not looking, it quietly changes its contents to resemble the Gmail log-in screen (or some other site that collects information). Between the convincing fake page and the Gmail favicon in the tab bar, many people will simply assume they left the tab open and were logged out. After collecting your log-in credentials, it forwards you to the real page (in this case Gmail), which works because you were never actually logged out. The script can be triggered on a delay so that it only changes the page after it has sat untouched for several minutes, or hours, preying on the inaccuracy of a user's memory. It can even mine your browser history to target the sites you're currently logged into, without any special coding.
The attack works best against Firefox, but other browsers are not completely immune. Chrome, Safari and Internet Explorer can be made to load the fake page in the background, but the favicon and text in the tab don't always change. You can see the video of Raskin's proof of concept in action below, or you can visit his blog here. After opening his page, switch to another tab for at least five seconds. When you return you'll notice the favicon has changed, and a perfect copy of the Gmail log-in screen has replaced the post you were just reading. Terrifying.
This is just one more reason to pay extra attention to that address bar. [From: Aza Raskin, via: Krebs on Security]
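The attack described above leaves a recognisable trace: a page rewrites its own title, favicon and body only while its tab is in the background, and the address bar never changes. The following is an added example, not code from the article or from Raskin's proof of concept, of how a browser extension content script could watch for exactly that pattern and warn the user. The detector core is DOM-free so it can be exercised offline; the wiring at the end only runs inside a real page. `TabSwapDetector`, its methods, and every origin and URL used here are constructed for the example.

```javascript
// Added example: a tab-swap detector modelled on a browser-extension content
// script. Tabnabbing only changes title, favicon and content while the tab is
// hidden, so changes arriving while document.hidden is true are the signal.
// All origins and URLs below are constructed sample values.

class TabSwapDetector {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin; // origin shown in the address bar
    this.hidden = false;          // mirrors document.hidden
    this.alerts = [];
  }

  // Mirror visibilitychange; the attack waits for the tab to lose focus.
  setHidden(hidden) {
    this.hidden = Boolean(hidden);
  }

  record(kind, detail, severity) {
    const alert = { kind, detail, severity };
    this.alerts.push(alert);
    return alert;
  }

  // <title> rewritten while the tab is in the background.
  onTitleChange(oldTitle, newTitle) {
    if (!this.hidden || oldTitle === newTitle) return null;
    return this.record('title', `"${oldTitle}" -> "${newTitle}"`, 'medium');
  }

  // <link rel="icon"> repointed while hidden. An icon fetched from another
  // origin (the impersonated site's favicon) is rated higher; legitimate CDN
  // icons trip this too, so treat it as a heuristic, not proof.
  onFaviconChange(href) {
    if (!this.hidden) return null;
    let severity = 'medium';
    try {
      if (new URL(href, this.pageOrigin).origin !== this.pageOrigin) severity = 'high';
    } catch (e) {
      severity = 'high'; // an unparsable icon URL is itself unusual
    }
    return this.record('favicon', href, severity);
  }

  // A password field inserted into the DOM while hidden: the fake log-in form.
  onPasswordFieldAdded() {
    if (!this.hidden) return null;
    return this.record('password-field', 'inserted while tab hidden', 'high');
  }

  // Verdict: any high-severity alert, or title and favicon both swapped.
  isSuspicious() {
    const kinds = new Set(this.alerts.map(a => a.kind));
    return this.alerts.some(a => a.severity === 'high') ||
      (kinds.has('title') && kinds.has('favicon'));
  }
}

// Browser wiring: runs only inside a page (for example as a content script).
if (typeof document !== 'undefined' && typeof MutationObserver !== 'undefined') {
  const detector = new TabSwapDetector(location.origin);
  const iconHref = () => {
    const link = document.querySelector('link[rel~="icon"]');
    return link ? link.href : '';
  };
  let lastTitle = document.title;
  let lastIcon = iconHref();

  document.addEventListener('visibilitychange', () => detector.setHidden(document.hidden));

  new MutationObserver(records => {
    if (document.title !== lastTitle) {
      detector.onTitleChange(lastTitle, document.title);
      lastTitle = document.title;
    }
    const icon = iconHref();
    if (icon !== lastIcon) {
      detector.onFaviconChange(icon);
      lastIcon = icon;
    }
    for (const r of records) {
      for (const n of r.addedNodes) {
        if (n.nodeType === 1 &&
            (n.matches('input[type="password"]') || n.querySelector('input[type="password"]'))) {
          detector.onPasswordFieldAdded();
        }
      }
    }
    if (detector.isSuspicious()) {
      console.warn('Possible tabnabbing on', location.href, detector.alerts);
    }
  }).observe(document.documentElement,
             { subtree: true, childList: true, characterData: true, attributes: true });
}
```

The point of the heuristic is that none of these signals is unusual on its own (single-page apps update titles, sites rotate icons), but a title change plus a favicon swap plus a new password field, all while the tab is hidden and the origin is unchanged, is the exact sequence the article describes. A password manager that only fills credentials for the origin they were saved on defeats the same trick without any detection at all.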
Comments (3)

Ricardo, Apr 24th 2011 8:09PM
I use the add-on called "No script" which by default disables JavaScript on every site... I wonder if this is the solution to that particular phishing attack...
ElectricBuddha, May 27th 2010 5:05PM
Seriously? Terrifying? Terror isn't what it used to be.
Turn down the hyperbole and maybe I'll be able to take you seriously.
SS, May 28th 2010 12:37AM
So what are the next steps after you find out you've been targeted by such an attack? Does that mean you're going to keep getting attacked?
How do you prevent it? I have No Script like someone above me mentioned, is that enough?
I don't quite understand how they're able to do this unless they're on your computer. I'd believe it's terrifying to say that there are a number of ways to have your information stolen and your computer and laptop accessories manipulated.