Do you keep multiple tabs open for an extended period of time? If so, you may want to familiarize yourself with a new, incredibly sneaky identity-theft tactic that surfaced recently when Mozilla’s Aza Raskin, the creative lead of Firefox, unveiled what’s become known as “tabnapping” or “tabjacking.”
The malicious code waits until you switch to view another tab. Then, when you’re not paying attention, it quietly changes its contents to resemble the Gmail log-in screen (or some other information-collecting site). Between the convincing fake page and the Gmail favicon in the tab bar, it’s likely that many will simply assume they left the tab open and were logged out. After collecting your log-in credentials, it simply forwards you to the correct page (in this case Gmail), because you were never actually logged out. The attack script can be triggered on a delay so that it will only change the page if it has not been touched for several minutes, or hours, preying on the inaccuracy of a user’s memory. It can even mine your browser history to target the sites you’re currently logged into without special coding.
All of the major browsers on Windows and Mac OS X are vulnerable to the attack. The attack works best against Firefox, but other browsers are not completely immune. Chrome, Safari and Internet Explorer can be made to load the fake page in the background, but the favicon and text in the tab don’t always change. You can see the video of Raskin’s proof of concept in action below, or you can visit his blog here. After opening his page, switch to another tab for at least five seconds. When you return you’ll notice the favicon has changed, and a perfect copy of the Gmail log-in screen has replaced the post you were just reading.
Because most people keep multiple tabs open, often for long periods, and because they trust that the contents and label of a tab are immutable, tabnapping could become the next big thing in identity theft. This technique, more sophisticated than traditional phishing scams, leads a user to what appears to be a genuine site that delivers the content promised. The attack allows a browser tab to change from a trusted site to a malicious one while the user isn’t looking.
Here are some tips:
What should I not do? Don’t log in on a tab that you haven’t opened yourself.
Since the tabnapping tactic banks on you trusting that you opened the tab — and that the site simply timed out — the best defense is this offensive move. In other words, if you see a tab that contains a seemingly-legit log-in form, close it, then head to the site yourself in a new tab.
Will browser makers patch this? Unlikely. Microsoft’s Jerry Bryant, a general manager at the company’s security response center, said the issue isn’t a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that’s the way browsers work.
“Working with [Raskin’s] proof-of-concept, as written, is expected,” he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.
Can my browser protect me at all? Yes.
Every major browser has a filter of some kind designed to weed out malicious sites and/or legitimate sites that are suspected of being infected with attack code. Presumably, those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.
To kidnap tabs, a hacker has to get his tab-mutating code onto your machine somehow. Raskin pointed that out by noting the likely attack vector. “Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your site as a staging ground for this kind of attack,” he wrote in his blog.
The best defense browsers can currently manage is to warn you of potential attack sites before you reach them. Filtering can assist in this process. To read more, go to http://www.switched.com/2010/05/27/tabnapping-is-a-terrifying-new-phishing-attack/
Of course, it is also important to pay extra attention to the address bar so that you do not fall for this new kind of phishing attack, which takes advantage of unattended browser tabs.
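The warning a browser could raise, as an added example that is not code from this article or from Raskin’s proof of concept: a watcher, written as a browser extension’s content script would run it (the page’s own scripts are the untrusted party), that records a tab’s title, favicon, origin and login-form presence when the tab is hidden and flags the swap described above when the tab is shown again. The sample snapshots and their values are constructed for illustration.

```javascript
// Added, illustrative watcher (not the article's or Raskin's code): snapshot a
// tab's identity when it is hidden, compare when it is shown again.
// Reduce a document-like object to the attributes a tabnapping script
// rewrites while the tab is in the background.
function snapshotIdentity(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title || '',
    favicon: icon ? icon.getAttribute('href') || '' : '',
    origin: doc.location ? doc.location.origin : '',
    hasPasswordField: Boolean(doc.querySelector('input[type="password"]')),
  };
}

// Report which identity attributes changed between two snapshots.
function compareSnapshots(before, after) {
  const changed = ['title', 'favicon', 'origin']
    .filter((key) => before[key] !== after[key]);
  // A login form appearing on a page that had none is the key signal.
  if (!before.hasPasswordField && after.hasPasswordField) changed.push('loginFormAppeared');
  return changed;
}

// The tabnapping pattern: a login form appeared while hidden, together with a
// rewritten title or favicon. A title change alone (e.g. an unread-mail
// counter ticking over) is not flagged.
function isSuspectedTabnap(changed) {
  return changed.includes('loginFormAppeared') &&
    (changed.includes('title') || changed.includes('favicon'));
}

// Constructed sample (made-up values): a hidden blog tab before and after a
// swap to a Gmail-style login page. The origin stays the same, as in the attack.
const SAMPLE_BEFORE = { title: 'A blog post', favicon: '/blog.ico',
  origin: 'https://blog.example', hasPasswordField: false };
const SAMPLE_AFTER = { title: 'Gmail: Email from Google', favicon: '/mail.ico',
  origin: 'https://blog.example', hasPasswordField: true };

// Browser wiring; a no-op outside a browser (no global `document`).
function installWatcher(doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return;
  let before = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) { before = snapshotIdentity(doc); return; }
    const changed = before ? compareSnapshots(before, snapshotIdentity(doc)) : [];
    if (isSuspectedTabnap(changed)) console.warn('Tab changed while hidden (' +
      changed.join(', ') + '): do not enter credentials here; reopen the site in a new tab.');
  });
}
installWatcher();
```

The same-origin check matters: the swap happens without navigation, so the address bar still shows the original site and only the title, favicon and page body give it away.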