New Phishing Threat
Wednesday, 26 May 2010 17:38
We've all come to terms with the fact that we could not possibly have won the UK Lottery (which we didn't enter) and that clicking on banking links in emails is Bad, but what about casually surfing the Internet with multiple tabs open? Unlike with other scams, there is no way the user can be blamed when one of these tabs magically transforms into a scam that looks exactly like the page you were just visiting, is there?
This horror is the new phishing reality, and it has a name: tabnabbing.
Users can fall prey to such a scam when they visit a site with a script that waits for a few minutes or hours, and then quietly changes the content of the page, along with the tab's icon and title, to mimic something the user normally logs into, e.g. Google, Facebook or online banking. The scam relies on the fact that the user will forget exactly what was open in which tab and enter their details, making their account immediately vulnerable. The URL in the address bar might not even change, and the user may not even be aware of the scam, as Firefox's Aza Raskin explains:
“When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. After the user has entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.”
He provides an example and some more information here.
Experts recommend that users install some kind of script blocker (add-ons are available for most browsers) and remain aware at all times of what tabs they have open.
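Keeping track of what each tab was can be partly automated. The JavaScript below is an added example, not code from this article or from Aza Raskin: it replays a constructed timeline of tab events and flags any tab whose title and icon both changed while it was in the background. The function name and the event shape are assumptions made for illustration.

```javascript
// Added example: flag tabs whose title AND icon both changed while hidden.
// The event shape ({ tabId, type, value }) is an assumption made for this sketch.
function findChangedBackgroundTabs(events) {
  const tabs = new Map();
  const alerts = [];
  for (const ev of events) {
    if (!tabs.has(ev.tabId)) tabs.set(ev.tabId, { title: "", icon: "", url: "", snapshot: null });
    const tab = tabs.get(ev.tabId);
    if (ev.type === "title" || ev.type === "icon" || ev.type === "url") {
      tab[ev.type] = ev.value;
    } else if (ev.type === "hidden") {
      // Remember what the tab looked like when the user left it.
      tab.snapshot = { title: tab.title, icon: tab.icon, url: tab.url };
    } else if (ev.type === "visible" && tab.snapshot) {
      const before = tab.snapshot;
      tab.snapshot = null;
      // A title change alone is common (unread counters), so require both.
      if (before.title !== tab.title && before.icon !== tab.icon) {
        alerts.push({ tabId: ev.tabId, titleBefore: before.title, titleNow: tab.title,
          urlUnchanged: before.url === tab.url }); // address bar may look the same
      }
    }
  }
  return alerts;
}

// Constructed sample timeline (not captured from a real browser).
const sampleEvents = [
  { tabId: 1, type: "url", value: "https://recipes.example/soup" },
  { tabId: 1, type: "title", value: "Soup recipes" },
  { tabId: 1, type: "icon", value: "https://recipes.example/favicon.ico" },
  { tabId: 2, type: "url", value: "https://mail.example/inbox" },
  { tabId: 2, type: "title", value: "Inbox" },
  { tabId: 2, type: "icon", value: "https://mail.example/favicon.ico" },
  { tabId: 1, type: "hidden" },
  { tabId: 2, type: "hidden" },
  { tabId: 2, type: "title", value: "(1) Inbox" },
  { tabId: 1, type: "title", value: "Sign in" },
  { tabId: 1, type: "icon", value: "https://recipes.example/other.ico" },
  { tabId: 2, type: "visible" },
  { tabId: 1, type: "visible" },
];

console.log(findChangedBackgroundTabs(sampleEvents));
```

In the sample, tab 2 only updates its unread counter and is left alone, while tab 1 is flagged on return even though its URL never changed.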