Tabnabbing – An Even More Evil Phishing Attack

Image by Flickr user 'Toasty' http://www.flickr.com/photos/toasty/1276202472/Wow – I’ve just finished reading a recent blog post by Aza Raskin (creative lead for Firefox) and he presents an interesting new phishing attack vector for us to be(a)ware of, that of ‘Tabnabbing’.

For many of us, phishing attempts, (that is – attempts by ‘evil’ sites or emails to pretend they are from legitimate sources and then dupe the user into revealing login credentials or other useful information) are fairly easy to spot. Some are stupidly obvious such as the now well known tale of the government official who needs to get large sums of money out of the country, others are less blatant and use shortened URL services or minor misspellings to trick people into clicking their links. But now, joining the ever growing list of ways to socially engineer an inattentive user into revealing useful information, is some very clever javascript which seeks to fool us when we’re not looking!

The attack is structured as follows:

  1. The attacker gets a user to browse to a staging site
  2. When the user switches focus to another tab, the staging site then changes the favicon, and the content displayed on the page to something which the user will be familiar with – in his example, Aza uses a Gmail login or ‘credentials expired’ page.
  3. When the user next scans their open tabs, they recognise the familiar tab and switch to it – believing it to be the genuine article.
  4. Because it’s an existing open tab, they implicitly trust that the domain is what it should be – and from there the credentials are captured – and the user is redirected back to the legitimate site, oblivious that they’ve been scammed.

While this in itself is a rather graceful attack, Aza goes on to explain how the effectiveness can be further increased by mining the users browser history and then displaying a page, on demand, relevant to the users past logins to services. If that’s not enough to have you scanning your browser address bar every time you switch tabs, how about adding the ability detect if the user is already logged on to that service, then redirected them, after the credential capture, to the already authenticated service.


A New Type of Phishing Attack from Aza Raskin on Vimeo.


This attack demonstrates, quite clearly, that as the browser becomes more and more the entry point into the way we access the functionality used for both professional and social interactions, it is also becoming an attack vector with a massive potential for damage and loss.

Be careful out there.

One thought on “Tabnabbing – An Even More Evil Phishing Attack”

Comments are closed.