Phishing attack uses tricky 'tabnapping' technique

The attack allows a browser tab to change from a trusted site to a malicious one while the user isn't looking, according to a Mozilla developer
Written by Matthew Broersma, Contributor

A Mozilla user interface specialist has published proof-of-concept code for a new phishing technique, which makes use of morphing browser tabs to trick people into giving away login information.

Traditional phishing techniques generally lead a user directly to a malicious web page that impersonates a trusted page, such as an online banking login site, which can then harvest the user's login information.

The new technique, called 'tabnapping' or 'tabjacking', demonstrated by Mozilla Firefox creative lead Aza Raskin in a blog post on Monday, leads a user to what appears to be a genuine site that delivers the content promised.

Then, if the user leaves the page open in a browser tab and clicks to another tab, the malicious tab changes itself into a replica of the trusted site. It changes the title and the icon displayed on the tab, among other things, Raskin said. In the researcher's demonstration, the page imitated is the Gmail login page.

The user then might click back onto the malicious tab, mistaking it for the trusted site, and enter login information without thinking twice, Raskin said.

To a significant extent, the attack relies on user inattention: for instance, the URL shown in the browser's address bar does not change during the attack. The attack works on major browsers including Firefox, Internet Explorer and Google Chrome, according to the researcher.
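The morphing behaviour described above can be detected from the page side. The following is an added defensive example, not code from the article or from Raskin's proof of concept: it records a tab's title and favicon while the tab is visible and raises an alert when either changes while the tab is hidden (the extension wiring in `attach` is an assumed deployment).

```javascript
// Constructed defensive example, not code from the article or from Raskin's
// proof of concept. While the tab is visible it records the page's identity
// (title and favicon); a change to either while the tab is hidden is the
// morphing pattern described above and is reported as an alert.
class TabIdentityMonitor {
  constructor() {
    this.baseline = null;  // identity last seen while the tab was visible
    this.hidden = false;   // mirrors document.hidden
    this.alerts = [];      // one entry per suspicious change
  }

  // Feed one event: {type: 'visibility', hidden: bool} or
  // {type: 'identity', title: string, favicon: string}.
  // Returns an alert object for a suspicious change, otherwise null.
  observe(ev) {
    if (ev.type === 'visibility') { this.hidden = ev.hidden; return null; }
    const now = { title: ev.title, favicon: ev.favicon };
    if (!this.hidden || this.baseline === null) { this.baseline = now; return null; }
    const changed = [];
    if (now.title !== this.baseline.title) changed.push('title');
    if (now.favicon !== this.baseline.favicon) changed.push('favicon');
    if (changed.length === 0) return null;
    const alert = { changed, before: this.baseline, after: now };
    this.alerts.push(alert);
    return alert;
  }
}

// Current identity of a DOM document: its title and first <link rel="icon">.
function readIdentity(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return { type: 'identity', title: doc.title, favicon: icon ? icon.href : '' };
}

// Wire the monitor to a live page, e.g. from a browser-extension content
// script (assumed deployment); onAlert decides how the warning is surfaced.
function attach(doc, monitor, onAlert) {
  monitor.observe({ type: 'visibility', hidden: doc.hidden });
  monitor.observe(readIdentity(doc));
  doc.addEventListener('visibilitychange', () =>
    monitor.observe({ type: 'visibility', hidden: doc.hidden }));
  new MutationObserver(() => {
    const alert = monitor.observe(readIdentity(doc));
    if (alert) onAlert(alert);
  }).observe(doc.head, { subtree: true, childList: true, characterData: true, attributes: true });
}

if (typeof document !== 'undefined') {
  attach(document, new TabIdentityMonitor(), a => console.warn('possible tabnapping', a));
}
```

This is a heuristic signal rather than a blocker: legitimate sites also update titles in background tabs (unread counts, for example), so an alert is a prompt to check the address bar, which the article notes is the element the attack cannot change.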

A phisher can use previously demonstrated techniques to discover which trusted sites the user visits frequently — such as the site of a particular bank or particular webmail services — and imitate those sites, Raskin said.

"Using my CSS history miner, you can detect which site a visitor uses and then attack that site — although this is no longer possible in Firefox betas," Raskin wrote. "For example, you can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand."

He said the attack can be made more effective by changing the copy to mention that the user's session has timed out and requires reauthentication. "This happens often on bank websites, which makes them even more susceptible to this kind of attack," Raskin wrote.

Raskin's attack relies on JavaScript and can be blocked by browser add-ons such as NoScript. However, researcher Aviv Raff has published another version of the attack that he said works on Firefox even when NoScript is activated.

Phishing remains a growing danger, with malicious links spreading via email as well as social network sites such as Twitter, which in March launched a service designed to stop users from being duped by phishing links.