A new, incredibly sneaky identity-theft tactic surfaced earlier this week when Aza Raskin, creative lead for Mozilla’s Firefox, unveiled what has become known as “tabnapping”: a browser phishing scam that can dupe users into giving up passwords by secretly changing the contents of already-open browser tabs.
Stated simply, tabnapping (a combination of “tab” and “kidnapping”) could be put to use by clever phishers, and all of the major browsers on Windows and Mac OS X are vulnerable to the attack.
Because most people keep multiple tabs open, often for long periods, and because they trust that the contents and label of a tab are absolutely what they say they are, tabnapping could become the next big thing in identity theft.
That open tab labeled “Citibank” or “Facebook” may not be the real deal, Raskin argued. But you may not know that, so you enter your username and password to log in again and, boom, you’re phished.
Tabnapping isn’t in active circulation at the moment, but the ease with which another researcher was able to sidestep a noted Firefox add-on designed to prevent such trickery doesn’t bode well for the future.
What can you do if tabnapping shows its face? We have a few answers.
What should I not do? Don’t log in on a tab that you haven’t opened yourself. Since the tabnapping tactic banks on you trusting that you opened the tab and that the site simply timed out, the best defense is to not log in. In other words, if you see a tab that contains a seemingly legitimate log-in form, close it, and then head to the site yourself in a new tab.
Anything else I can do while I use my browser to foil tabnapping? Yes, there is. Look at the URL in your browser’s address bar before filling in any form or giving out any personal information. Unless the attackers are particularly clever and able to exploit a vulnerability or flaw to “spoof,” or fake, the URL, it won’t match the bogus log-in screen. That’s your cue to close the tab immediately.
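The address-bar check above can be written down as code, which also shows the one place it is easy to get wrong by eye: a hostname that merely contains a brand name (say, `citibank.com` buried inside a longer attacker-controlled hostname) is not the brand’s site. The following is an added example, not code from the original article or from Mozilla; the `KNOWN_SITES` table, the function names and every URL in it are constructed sample values, and a real version would draw its list from the user’s bookmarks or a password manager’s saved sites.

```javascript
// Added example (not from the original article): check that the URL in the
// address bar really belongs to the site the tab's label claims to be, the
// same test a user is advised to do by eye before typing a password.

// Constructed table of sites the user actually has accounts with, keyed by the
// brand shown on the tab. Hypothetical; a real list would come from the
// user's own bookmarks or a password manager's saved-site entries.
const KNOWN_SITES = {
  Citibank: ["citibank.com"],
  Facebook: ["facebook.com"],
};

// Return the lowercase hostname of a URL, or null if the URL cannot be parsed
// or is not served over HTTPS (a log-in page over plain HTTP is already suspect).
function loginHostname(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== "https:") return null;
  return parsed.hostname.toLowerCase();
}

// True only when host equals the expected domain or is a subdomain of it.
// "citibank.com.example.net" merely *contains* the brand and is rejected,
// because the part that matters is the end of the hostname, not the start.
function hostMatchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Decide whether a log-in form on a tab labelled `tabLabel` is served from a
// site the user actually knows under that label. Anything unknown is treated
// as not genuine: the safe default is to close the tab and navigate by hand.
function loginTabLooksGenuine(tabLabel, url) {
  const host = loginHostname(url);
  if (host === null) return false;
  const domains = KNOWN_SITES[tabLabel];
  if (!domains) return false; // brand not in the user's list: do not trust it
  return domains.some((d) => hostMatchesDomain(host, d));
}

// Constructed sample tabs, as a user might find them after stepping away.
const SAMPLE_TABS = [
  { label: "Facebook", url: "https://www.facebook.com/login" },
  { label: "Citibank", url: "https://citibank.com.example.net/login" },
  { label: "Citibank", url: "http://citibank.com/login" },
];

for (const tab of SAMPLE_TABS) {
  const verdict = loginTabLooksGenuine(tab.label, tab.url) ? "matches" : "MISMATCH, close the tab";
  console.log(`${tab.label} tab at ${tab.url}: ${verdict}`);
}
```

Of the three constructed tabs, only the first passes: the second carries the brand name at the front of an unrelated hostname, and the third is not HTTPS, so both are flagged.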