“User Interface specialist and creative lead on Mozilla’s Firefox browser Aza Raskin has outlined a brand new variant on ‘phishing’ attacks which he has christened ‘tabnapping.’ Traditionally, phishing has relied upon convincing users to click on a link in an email to take them to a fake website such as their bank, credit card issuer or email account. Once the user logs into the fake site, their details are transmitted to the fraudster and the account is immediately compromised. Public awareness of phishing emails is now relatively high and most people know not to click on links in emails appearing to come from such organizations. Tabnapping relies on the user believing that it is impossible for the content of a tab to change while you’re not looking. You may click on a link in Twitter, Facebook, or a ‘sponsored link’ in Google which will load a genuine webpage that delivers the content it promises. If you then click away from that site, leaving it open in a tab whilst viewing another website, the content of the original tab will change to a fake log-in page impersonating one of the websites you visit most often…”
Here is some more Tech News from around the web:
- The Seven-Atom-Long Transistor That Will Change the World @ Gizmodo
- MSI will release a Slate in the US and EU @ The Inquirer
- Computex will bring Android + ARM tablets, but are they ready? @ Ars Technica
- Top 10 Predictions for Computex 2010 @ TechwareLabs
Keep your eye on the tab, it may go phishing when your back is turned
With a good set of eyes and familiarity with the websites you visit most, redirects are fairly obvious and enough to rouse your suspicions and make you double check the URL; but what if the switch happens after that tab loses focus? A new phishing technique waits until you switch tabs and then reloads one of your background tabs with a nice login page for one of the sites you often log into, courtesy of the CSS history vulnerability. When you click back to that tab it will have a proper title, favicon and quite possibly a URL that matches as well. Click through the links on Slashdot to learn more about tabnapping and how to defend yourself.
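One way to catch the swap described above is to record a tab's title, favicon, URL and login-form state when it is hidden and compare them when it regains focus. The sketch below is an added example, not code from the original post or from Aza Raskin; it assumes it runs as a browser-extension content script, and the names `snapshotTab` and `diffSnapshots` are hypothetical.

```javascript
// Added example: flag a tab whose identity changed while it was in the background.
// Function names are hypothetical; nothing here comes from the original article.

// Capture the properties a tabnapping page rewrites while you are not looking.
function snapshotTab(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : '',
    url: loc.href,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken on return.
function diffSnapshots(before, after) {
  const reasons = [];
  if (before.title !== after.title) reasons.push('title changed');
  if (before.favicon !== after.favicon) reasons.push('favicon changed');
  if (before.url !== after.url) reasons.push('url changed');
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('login form appeared');
  }
  // Titles change legitimately (unread counters, chat notifications), so only
  // treat it as suspicious when a login form appears alongside another change.
  const suspicious = reasons.includes('login form appeared') && reasons.length > 1;
  return { reasons, suspicious };
}

// Browser wiring: skipped automatically when there is no DOM (e.g. under Node).
if (typeof document !== 'undefined') {
  let hiddenState = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      hiddenState = snapshotTab(document, location);
      return;
    }
    if (!hiddenState) return;
    const result = diffSnapshots(hiddenState, snapshotTab(document, location));
    if (result.suspicious) {
      console.warn('Tab changed while in background: ' + result.reasons.join(', '));
    }
  });
}
```

A warning from this check is a prompt to read the address bar before typing a password, not proof of phishing, since some sites do legitimately time out to a login page.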