

Aza Raskin, the creative lead for Firefox, has just posted about a new type of potential phishing attack, dubbed “tabnabbing.” Raskin has a proof-of-concept and an explanation for how this type of attack could work.
Tabnabbing operates in reverse of most phishing attacks in that it doesn’t ask users to click on an obfuscated link but instead loads a fake page in one of the tabs already open in your browser.
Check out this tabnabbing scenario:
- You have a bunch of open tabs in your web browser, an e-mail page, Facebook, your bank account and maybe a bunch of news sites.
- While you’re reading your favorite Mashable.com content, the attack is able to home in on tabs that haven’t been used or aren’t in focus and replace the favicon (the icon in your tab bar) and the title of the tab.
- When you click on that tab, a fake page has loaded in its place, perhaps designed to look like a standard login page.
- Because you already had this tab open legitimately before, you don’t bother paying any attention to the URL in the address bar, and you enter your login information.
- You’ve just sent your info to a nefarious third party.
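The scenario above hinges on a tab changing its title and favicon while it is out of focus, with the address bar left untouched. The following is an added example, not code from the article or from Raskin’s proof of concept, of a defensive heuristic a browser extension’s content script could run: it records a tab’s visible identity when the tab loses focus and compares it when focus returns, warning the user when the page rebranded itself while hidden. The `doc` shape (`title`, `location.href`, `icons`) and the function names are this example’s own assumptions, and the sample snapshots are constructed.

```javascript
// Added example (not from the article or Raskin's PoC): detect a tab whose
// title or favicon changed while the tab was hidden, the swap tabnabbing needs.

// Build a snapshot from a document-like object. The shape
// { title, location: { href }, icons: [href, ...] } is assumed so the logic
// can run outside a browser (e.g. under Node for the constructed sample below).
function snapshotIdentity(doc) {
  return {
    title: doc.title || "",
    href: doc.location ? doc.location.href : "",
    favicon: doc.icons && doc.icons.length ? doc.icons[0] : "",
  };
}

// Compare two snapshots and list what changed while the tab was out of focus.
// A changed title or favicon with an unchanged location is the tell-tale sign:
// the address bar still shows the site you opened, but the tab now looks like
// something else.
function detectTabSwap(before, after) {
  const changes = [];
  if (before.title !== after.title) changes.push("title");
  if (before.favicon !== after.favicon) changes.push("favicon");
  if (before.href !== after.href) changes.push("location");
  return { swapped: changes.length > 0, changes };
}

// Constructed sample: the tab as it looked when it lost focus, and as the page
// rewrote it while unfocused. Note the location is identical in both.
const SAMPLE_BEFORE = snapshotIdentity({
  title: "Weekly Recipes",
  location: { href: "https://recipes.example/" },
  icons: ["https://recipes.example/favicon.ico"],
});
const SAMPLE_AFTER = snapshotIdentity({
  title: "Sign in - Example Mail",
  location: { href: "https://recipes.example/" },
  icons: ["https://recipes.example/mail-icon.png"],
});

// Browser wiring: only active when a real document exists (content-script use).
if (typeof document !== "undefined") {
  const read = () =>
    snapshotIdentity({
      title: document.title,
      location: document.location,
      icons: Array.from(document.querySelectorAll('link[rel~="icon"]')).map((l) => l.href),
    });
  let hiddenSnapshot = null;
  document.addEventListener("visibilitychange", () => {
    if (document.hidden) {
      hiddenSnapshot = read();
    } else if (hiddenSnapshot) {
      const result = detectTabSwap(hiddenSnapshot, read());
      if (result.swapped) {
        console.warn(
          "Tab identity changed while hidden (" + result.changes.join(", ") +
            "); check the address bar before entering credentials."
        );
      }
      hiddenSnapshot = null;
    }
  });
}
```

Run under Node, `detectTabSwap(SAMPLE_BEFORE, SAMPLE_AFTER)` reports `title` and `favicon` as changed and `location` as unchanged, which is exactly the combination that should make a user look twice at the address bar.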
Raskin shows off how this works in this video:
Pretty scary, right? Raskin details some methods that could make this sort of attack even more insidious, including checking to see if a user is currently logged in or out of a certain site in order to better offer up a believable fake page.
How would this attack get on your system to begin with, you might ask? Plugins and add-ons are the most common way that intruders can gain access to your system. Client-side script injections by way of JavaScript, Flash, ActiveX and so on are responsible for many browser attacks. This is just one more reason to always make sure you’re using an up-to-date web browser.
The Fix
Raskin’s proof of concept is scary, but it isn’t foolproof. This is what you can do to keep yourself safe from these types of attacks:
- Keep your web browser up-to-date. Also make sure that plugins and extensions are up-to-date and from trusted sources.
- If you’re a Windows user, make sure you have anti-virus or anti-malware software on your computer.
- Pay attention to the address in your browser’s toolbar, especially when it comes to login pages. It’s easy to get into muscle-memory mode and just assume that a tab is unchanged, but for important user accounts, keep an eye on that location bar.
- Consider using some sort of password management tool. Raskin points to the Firefox Account Manager as one method of using the browser as your identity manager, but plugins and tools like 1Password are good choices too. Rather than typing in user names and passwords individually, using an identity manager that compares the site you are on against the stored data in its database (making sure the addresses and DNS addresses match up) will prevent you from entering information into a false site.
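The last item is the one defence that does not depend on the user noticing anything, because the check is mechanical: a credential manager only offers a stored login when the page’s origin exactly equals the origin the login was saved for. The following added example, not the article’s code and not how any particular product such as 1Password or the Firefox Account Manager implements it, shows that origin comparison using the standard `URL` class; the vault entries, the lookalike hostnames and the function names are constructed for this example.

```javascript
// Added example (not from the article or any password manager): the origin
// check a credential manager performs before offering a stored login.

// Reduce a URL to its origin (scheme + host + port). Anything that is not an
// absolute http(s) URL yields null and therefore never matches a stored entry.
function originOf(urlString) {
  try {
    const u = new URL(urlString);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin; // default ports are normalised away, e.g. https://host:443 -> https://host
  } catch (e) {
    return null; // relative or malformed input
  }
}

// Return only the vault entries whose origin exactly equals the page's origin.
// Exact comparison is the whole point: a page on "bank.example.login-check.test"
// or an http:// downgrade of the real site gets nothing, however convincing it
// looks or however familiar the tab's title and icon are.
function credentialsFor(currentUrl, vault) {
  const origin = originOf(currentUrl);
  if (origin === null) return [];
  return vault.filter((entry) => originOf(entry.site) === origin);
}

// Constructed vault (sample data, not real accounts).
const SAMPLE_VAULT = [
  { site: "https://bank.example/login", username: "alice" },
  { site: "https://mail.example", username: "alice@mail.example" },
];

// Constructed URLs a user might land on after a tab swap.
const SAMPLE_PAGES = [
  "https://bank.example/account/login?next=/",      // genuine: fill offered
  "https://bank.example:443/login",                 // same origin, explicit port: fill offered
  "https://bank.example.login-check.test/login",    // lookalike host: nothing
  "http://bank.example/login",                      // scheme downgrade: nothing
  "https://recipes.example/",                       // unrelated tab rebranded as a login page: nothing
];

// Walk the sample pages and report what the manager would offer on each.
function report(vault, pages) {
  return pages.map((url) => ({
    url,
    offered: credentialsFor(url, vault).map((e) => e.username),
  }));
}
```

Run as a script, `report(SAMPLE_VAULT, SAMPLE_PAGES)` offers `alice` only for the first two URLs; the lookalike host, the http:// downgrade and the rebranded unrelated tab all get an empty list, which is what stops the scenario above from yielding a password even when the user never looks at the location bar.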
As of right now, this is not an attack that is out in the wild — it’s a proof of concept. However, tabnabbing does illustrate some of the ways that users can have information compromised by way of indirect attacks.
image courtesy of iStockphoto, Spannerdude