Paul Sturgess

Beware the tabnapper

There’s a new kind of phishing attack around that’s ready to dupe unsuspecting web users into handing over their precious login credentials.

Firefox Creative Lead Aza Raskin has identified an attack that works first by detecting the tab that the attack is in does not have focus and has been left unused for some time.

Whilst you’re browsing elsewhere the script then makes an update to the page content to imitate a login page, such as gmail, and updates the tabs’ title and favicon.

It could even look through your browser history to ensure it’s replicating a login screen you regularly visit.

The key thing at this point is the url will not have changed, however, the attack preys on the perceived immutability of tabs. It’s not inconceivable that you would come back to the fake gmail page and just assume your session timed out.

After the user has entered the login details and they’ve been captured, they can redirected to the real Gmail page. As the user wasn’t logged out in the first place they’ll be none the wiser.

Aza Raskin demonstrates how the attack could work in this video…

A New Type of Phishing Attack from Aza Raskin on Vimeo.

Comments: 1

Joel Montrose
commented on

But what's the solution to this new phishing attack, other than looking at each URL each time you go to a tab? Generally, when I'm checking my email, I want to go through 3 different emails as quickly as possible, and then get back to what ever I was already doing.

Any suggestions?

Thanks.

Add a comment

Note: comments are moderated before publication.

Most Popular

"DO NOT EAT" THROW AWAY

Steven Wake

I have the driest draw here at Kyan towers. You see, I am the proud owner of a Silica Gel collection. There is just something about them which compels me to not throw away the little fellas.

Get on the 'social media' bandwagon

Matt Hamm

‘Social media’ is the new buzz term. Everybody’s doing it, and why? Because it can generate masses amount of traffic to your website, which can easily turn into revenue. It’s really what ‘web 2.0’ is all about.

Is imitation really the sincerest form of flattery?

Piers Palmer

A new site has appeared on the wonderful inter-tubes, brought to us by a web design firm in Minnesota – Rocket 55 – that looks remarkably similar to ours. As designers we all stand on the shoulders of giants, borrowing ideas and concepts, using the same typefaces, co…

Web Meet Guildford, join us for a drink

Paul Sturgess

It’s been over a year now since we moved to Guildford and we’re really feeling settled in our new home on the High Street. We’ve got our artwork on the walls, an arcade machine setup and we’ve even hosted a live gig. However, one thing we haven’t done yet is meet our fellow web …