Thursday, March 3, 2011

New phishing technique exploits browser tab use


According to SC Magazine, a leading Firefox developer has discovered a new phishing attack method called tabnabbing. Tabnabbing exploits the fact that users generally do not keep track of all the tabs they have open in their browser at one time.
Tabnabbing allows an attacker to silently change the contents, name and logo of a page sitting in a separate tab, so that when the user eventually returns to it the tab looks like a site such as Gmail or Facebook. In this attack, a user is tricked into visiting a maliciously crafted page that includes JavaScript. What victims do not expect is that a page they have already looked at will change behind their backs while they are not looking, so the phisher catches them by surprise.
Besides this, an attacker could make the ruse even more clever and convincing by taking advantage of the user's web browsing history file. The attacker is also able to display a message saying that the user's session has timed out, thereby adding legitimacy to the attack.
Furthermore, users should check the URL of a site carefully whenever an unexpected login screen for a webmail, bank or online commerce site appears, because nothing else indicates that the page has changed.
Last but not least, users can consider running the NoScript add-on for Mozilla Firefox, or they can deploy a password management tool, which should not make saved logins available for use at malicious sites.
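As an added illustration (this code is not from the post or the SC Magazine article), the following content-script-style JavaScript puts the advice above into practice from the defender's side: it records the cues a user glances at (title, favicon, whether a password field is shown) when a tab goes out of sight and warns if those cues changed while the tab was hidden. It assumes a browser exposing the Page Visibility API and a `warn` callback of the extension's choosing; all function names are illustrative.

```javascript
// Capture the identity cues a user relies on when glancing at a tab.
function snapshotIdentity(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken when
// it became visible again; returns the list of cues that changed.
function diffIdentity(before, after) {
  const changed = [];
  if (before.title !== after.title) changed.push('title');
  if (before.favicon !== after.favicon) changed.push('favicon');
  if (!before.hasPasswordField && after.hasPasswordField) {
    changed.push('login-form-appeared');
  }
  return changed;
}

// The tabnabbing pattern from the post: the tab's title or favicon was swapped
// while hidden AND a login form is now shown. A title change alone (an unread
// count, for example) is normal and is not flagged.
function isSuspicious(changes) {
  return changes.includes('login-form-appeared') &&
    (changes.includes('title') || changes.includes('favicon'));
}

// Hook the Page Visibility API: snapshot on hide, compare when shown again.
function installTabnabWatch(doc, warn) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotIdentity(doc);
    } else if (hiddenSnapshot !== null) {
      const changes = diffIdentity(hiddenSnapshot, snapshotIdentity(doc));
      if (isSuspicious(changes)) {
        warn('This tab changed its ' + changes.join(', ') +
             ' while you were away; check the URL before logging in.');
      }
      hiddenSnapshot = null;
    }
  });
}

// Only attach to a real browser document; the helpers above are pure, so the
// decision logic can also be exercised outside a browser.
if (typeof document !== 'undefined') installTabnabWatch(document, console.warn);
```

The heuristic is deliberately conservative: it only fires when a login form appears together with a changed title or favicon, which is exactly the combination a user would otherwise mistake for a session that timed out.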

References
Angela Moscaritolo, SC Magazine [Online], retrieved 3 March 2011.

3 comments:

  1. Do you mean they redirect you to the phishing website? [I mean the tab that opened]
    Or do they suddenly pop up a new tab to the phishing site?
    Either way, normally those won't happen unless you've got something installed or downloaded to your computer/browser, right?

  2. The user might look quickly at a document but not very carefully at their many open tabs, and the user will most likely simply think they left a tab open. When they click back to the fake site's tab, they will see the standard login page, assume they have been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.

    It will not suddenly pop up a new tab to the phishing sites.

    After the user has entered their login information, the phisher redirects them to the website. They were never logged out in the first place. Tabnabbing will appear as if the login was successful.
