Paul Sturgess

Beware the tabnapper

There’s a new kind of phishing attack around that’s ready to dupe unsuspecting web users into handing over their precious login credentials.

Firefox Creative Lead Aza Raskin has identified an attack that works by first detecting that the tab it is running in no longer has focus and has been left unused for some time.

Whilst you’re browsing elsewhere, the script then rewrites the page content to imitate a login page, such as Gmail, and updates the tab’s title and favicon to match.

It could even look through your browser history to ensure it’s replicating a login screen you regularly visit.

The key thing at this point is that the URL will not have changed; the attack instead preys on the perceived immutability of tabs. It’s not inconceivable that you would come back to the fake Gmail page and just assume your session had timed out.

After the user has entered their login details and they’ve been captured, they can be redirected to the real Gmail page. As the user was never logged out in the first place, they’ll be none the wiser.

Aza Raskin demonstrates how the attack could work in this video…

A New Type of Phishing Attack from Aza Raskin on Vimeo.

Comments: 1

Joel Montrose
commented on

But what's the solution to this new phishing attack, other than looking at each URL each time you go to a tab? Generally, when I'm checking my email, I want to go through 3 different emails as quickly as possible, and then get back to whatever I was already doing.

Any suggestions?

Thanks.
