What is Tabnapping?
New Phishing Attack Could Be Used To Steal Data
Tabnapping is a new kind of phishing attack that switches a tab in your browser (one you are not currently looking at) to a phishing page. The beauty of such an attack is that if it can read your history file, it can see what sites you visit and emulate a particular page. For instance, if you visit a certain bank’s page, it could serve up a fake login for that bank right after you log on to the real site. Most users will think they timed out and log back in again, giving their username and password to the phishing site without knowing it. Commonly used services like Gmail, Hotmail, or Facebook would also be targets for such an attack, since the user is normally on another tab when the switch takes place. Reports indicate that this phishing attack works in Chrome, Firefox, and Internet Explorer, but hopefully these vendors will rush out fixes. In the meantime, the solution is to always verify the URL you are using, since the phishing site’s URL will remain different even though the rest of the page looks legitimate.
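As an added example (not code from the original post or from Aza Raskin’s demonstration), here is a defensive JavaScript check in the spirit of the "verify the URL" advice above: it snapshots the tab’s identity cues when the tab goes into the background and warns when the page’s appearance changed while its origin did not. The DOM wiring, the favicon and password-field selectors, and the function names are assumptions for illustration.

```javascript
// Added example, not from the original post: a defensive check for the tab
// switch described above. Tabnabbing changes a background tab's look while its
// origin stays the same, so "looks changed, origin did not" while hidden is the
// signal. The DOM wiring and selectors below are assumptions for illustration.

// Capture the identity cues a user relies on. `doc` is the real `document`
// in a browser or a constructed document-like object in tests.
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: doc.location.origin,
    title: doc.title,
    favicon: icon ? icon.href : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab went hidden with the one taken when
// it became visible again. Returns a list of findings; empty means unchanged.
function diffSnapshots(before, after) {
  const findings = [];
  if (before.origin !== after.origin) {
    // A real navigation to another origin is not tabnabbing; report only that.
    findings.push('origin-changed');
    return findings;
  }
  if (before.title !== after.title) findings.push('title-changed');
  if (before.favicon !== after.favicon) findings.push('favicon-changed');
  if (!before.hasPasswordField && after.hasPasswordField) findings.push('password-field-appeared');
  return findings;
}

// Turn findings into the advice the post gives: check the address bar first.
function adviceFor(findings) {
  if (findings.length === 0 || findings[0] === 'origin-changed') return null;
  return 'This tab changed while you were away (' + findings.join(', ') +
    '). Check the address bar before entering any credentials.';
}

// Browser wiring (e.g. a userscript); skipped where no DOM exists, as in Node.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { hiddenSnapshot = takeSnapshot(document); return; }
    if (!hiddenSnapshot) return;
    const msg = adviceFor(diffSnapshots(hiddenSnapshot, takeSnapshot(document)));
    if (msg) console.warn(msg);
  });
}
```

The heuristic only flags what changed while you were away; it cannot tell a legitimate site from a fake one, so the address bar remains the final check.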
Aza Raskin discovered (and/or created) this attack and demonstrates how it works on his site: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/ He also has a video demonstrating the phishing attack in action.
Note: If you feel you have been the victim of a phishing attack, time is of the essence. You should change your passwords (if you still can) and notify banks and other institutions if you believe your account could be misused. In many places, you have more rights if you tell the bank that you are the victim of fraud: money can be recovered more quickly, and theft from your account can be prevented or reversed faster. Better yet, it is easier to catch the phishers while the trail is still warm.
Notes and Special Information
Special note: At the time of this writing, the attack is theoretical in nature and may be modified by the vast and creative world of hackers and information thieves. Somewhere in Russia, Malaysia, Korea, or Indonesia, someone is working very hard to turn this phishing method into a complex exploit.