Linda posted on June 04, 2010 11:30

Earlier this week, I came across a new term in a newsletter about computer security. The article is about 'tabnabbing', a new phishing technique that has recently surfaced.
This technique targets tabs in your browser that are not currently active. While you are busy in another tab or another application, the attack runs JavaScript that rewrites the inactive page so that it is no longer what it appears to be. For example, if you have a tab open in Gmail, the page may be changed to one that looks like the Gmail login page, even though you were already logged in. When you return to the page, you will simply assume that you have been logged out due to inactivity and log back in.
Unfortunately, the page is not the real login page, and you have just handed your email username and password to the criminals. With access to your email, the criminal can quite likely work out which protected websites you use, such as your bank, and request that those passwords be reset, leading to things much worse than a hijacked email account.
This is a bit different from previous types of phishing attacks in that it doesn't rely on tricking the user into entering credentials on a bogus site. It simply changes the web page while you are distracted doing other things and you have no reason to suspect that there is anything evil going on when you return. You expect that you are returning to the same page you left - and until tabnabbing was discovered, you were absolutely correct.
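As an added illustration of how a defender might catch this (this is example code written for this post, not from the article or from Aza Raskin's demo), the check below snapshots the things a tabnabbing page rewrites while your tab is hidden (title, favicon, login form, password field) and warns when they have changed by the time you come back. The document-like object shape it reads from is an assumption so the logic can be exercised outside a browser; in practice it would run as a browser extension content script.

```javascript
// Defender-side tabnabbing check (added example, not from the original post).
// Snapshot the properties an impostor login page changes, compare on return.

// Record what the page looks like right now.
function snapshotPage(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const forms = Array.from(doc.querySelectorAll('form'));
  return {
    title: doc.title,
    iconHref: icon ? icon.href : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
    formActions: forms.map((f) => f.action).sort(),
  };
}

// Compare two snapshots; returns the list of suspicious changes (empty = none).
function compareSnapshots(before, after) {
  const reasons = [];
  if (before.title !== after.title) {
    reasons.push(`title changed: "${before.title}" -> "${after.title}"`);
  }
  if (before.iconHref !== after.iconHref) reasons.push('favicon changed');
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('a password field appeared while the tab was hidden');
  }
  if (before.formActions.join('|') !== after.formActions.join('|')) {
    reasons.push('form submission targets changed');
  }
  return reasons;
}

// Hook the Page Visibility API: snapshot when the tab is hidden, compare when
// it becomes visible again, and hand any findings to the caller.
function installWatcher(doc, onSuspicious) {
  let whenHidden = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) {
      whenHidden = snapshotPage(doc);
    } else if (whenHidden !== null) {
      const reasons = compareSnapshots(whenHidden, snapshotPage(doc));
      if (reasons.length > 0) onSuspicious(reasons);
      whenHidden = null;
    }
  });
}

// Only wire up the real document when running inside a browser.
if (typeof document !== 'undefined') {
  installWatcher(document, (reasons) =>
    console.warn('Page changed while you were away: ' + reasons.join('; ')));
}
```

A legitimate site can also change while you are away (a real session-timeout page, for instance), so treat a warning as a prompt to check the address bar rather than a verdict; the address bar is the one thing the page's own script cannot rewrite.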
You can read the article I ran across here for a more in-depth discussion of this technique. You can also go to this blog post from Aza Raskin, who introduced the term, for another explanation and to see just how this attack works. If you open another window over the top of his post, without completely covering it, you should be able to see when it changes.
I don't know about you, but from now on if I appear to have been logged out due to inactivity, I will close the page and then navigate back to it myself!