News - Security Issues

UPDATE: Discovery of a New Type of Phishing Attack

Published May 25, 2010

Mozilla Firefox creative lead Aza Raskin has discovered a potential tab-based phishing scheme. Phishing attacks are so common that most people are familiar with their traits. However, what if a phishing attack happened not by email or disguised link, but in a hijacked tab of your browser?

Raskin offers an example of this concept on his blog, www.azarask.in. The new concept, called tabnabbing or tabjacking, “preys on the perceived immutability of tabs.” People do not expect an attack to come from within an already opened tab in their browser. Simply stated, this attack changes the way a web site looks while you are not looking.

Imagine you are surfing the web with many tabs open in your browser. You search for a random topic and navigate to a site about it. You open another tab to check your email, and then open another tab to read your local newspaper. While you focus your attention on the news site, the tab you opened about the random topic changes to what appears to be the login page for your email service. When you open that tab, thinking it is the email service, you see your email service's login page. Believing that you were mysteriously logged out, you re-enter your email login information. The attacker gets your login credentials and then redirects you back to your already open email tab, lost among your browser's open tabs. You never notice the browser-based shell game.

Typically, people do not scrutinize the content of tab labels. No one suspects a recently visited page to change while it is not in use. According to Raskin, “Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.”

While there are no current reports of this attack being used in the wild, it illustrates the ever-changing landscape of cyber attacks. The example offered on Raskin's blog does not work correctly on all browsers, but it is always possible that a determined attacker will fix the example's current limitations.

In the case of this particular attack, awareness is the best defense. The Secure Florida team's recommendation is that you always confirm the web address of a page before submitting logon information. If the page title on the tab does not fit the web address, do not enter your logon information. Become familiar with the methods used in phishing attacks. Likewise, we recommend that you explore browser add-ons designed to help you avoid malicious websites.
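The scenario above (a tab that changes its title, icon and content while it is not in view) and the recommendation to compare the tab's title with its web address both lend themselves to a simple client-side check. The following is an added example, written for this page and not code from the Secure Florida team or from Raskin's blog. It is the kind of heuristic a browser add-on or content script could run: it snapshots the page's visible identity when the tab is hidden, compares it when the tab is shown again, and separately flags a title that names a service whose name does not appear in the hostname. The snapshot field names, the `knownServices` list and the sample pages are assumptions constructed for the example.

```javascript
// Added example (not from the article or from Raskin's post): a defensive
// heuristic for the tabnabbing pattern. Pure logic lives in functions that
// take plain objects, so it runs under Node as well as in a browser.

// Build a snapshot of what the user would use to recognise a page.
// Field names are an assumption of this example.
function snapshotFrom(page) {
  return {
    hostname: page.hostname,
    title: page.title,
    favicon: page.favicon,
    passwordFields: page.passwordFields,
  };
}

// Read the same snapshot from a live document (browser only).
function readBrowserSnapshot() {
  const icon = document.querySelector('link[rel~="icon"]');
  return snapshotFrom({
    hostname: location.hostname,
    title: document.title,
    favicon: icon ? icon.href : '',
    passwordFields: document.querySelectorAll('input[type="password"]').length,
  });
}

// Compare the snapshot taken when the tab was hidden with the one taken
// when it became visible again. Returns the reasons for suspicion; an
// empty list means nothing that identifies the page changed.
function tabnabIndicators(hidden, visible) {
  const reasons = [];
  if (hidden.title !== visible.title) {
    reasons.push('title changed while tab was hidden');
  }
  if (hidden.favicon !== visible.favicon) {
    reasons.push('favicon changed while tab was hidden');
  }
  if (visible.passwordFields > hidden.passwordFields) {
    reasons.push('password field appeared while tab was hidden');
  }
  return reasons;
}

// The article's own rule: a title that claims a service whose name is not
// part of the hostname is a mismatch. `knownServices` is a list of
// lower-case service names supplied by the caller (constructed here).
function titleHostMismatch(title, hostname, knownServices) {
  const t = title.toLowerCase();
  const h = hostname.toLowerCase();
  return knownServices.filter((s) => t.includes(s) && !h.includes(s));
}

// Constructed sample: a news tab that, while hidden, turned into a page
// that looks like a mail login. Returns both checks' findings.
function demo() {
  const hidden = snapshotFrom({
    hostname: 'local-news.example',
    title: 'Local News - Front Page',
    favicon: 'https://local-news.example/news.ico',
    passwordFields: 0,
  });
  const visible = snapshotFrom({
    hostname: 'local-news.example',
    title: 'Sign in - ExampleMail',
    favicon: 'https://local-news.example/mail.ico',
    passwordFields: 1,
  });
  return {
    indicators: tabnabIndicators(hidden, visible),
    mismatch: titleHostMismatch(visible.title, visible.hostname, ['examplemail']),
  };
}

// Wire the checks to the tab's visibility when running inside a page.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      hiddenSnapshot = readBrowserSnapshot();
      return;
    }
    if (!hiddenSnapshot) return;
    const now = readBrowserSnapshot();
    const reasons = tabnabIndicators(hiddenSnapshot, now);
    if (reasons.length > 0) {
      console.warn('Possible tabnabbing on', now.hostname, reasons);
    }
  });
}
```

The hidden/visible comparison only reacts to changes that happen while the tab is out of view, which is exactly the window the attack relies on; legitimate single-page applications also change titles, so this is a warning to re-check the address bar, not a block. The title-to-hostname rule is the article's advice made mechanical and is only as good as the list of service names it is given.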

To learn more about phishing see the Secure Florida phishing page.

You might also wish to explore Web of Trust (www.mywot.com), a useful browser add-on designed to help you determine if a site is trustworthy.

UPDATE:
Gregg Keizer offers a number of suggestions to lessen your chance of falling victim to "tabnabbing" in his article How to foil Web Browser 'tabnabbing' at Computerworld.com.

Copyright (c) 2010 www.azarask.in