Aza Raskin, the creative lead for Firefox, has just posted about a new type of potential phishing attack, dubbed "tabnabbing." Raskin has a proof-of-concept and an explanation for how this type of attack could work.

Tabnabbing operates in reverse of most phishing attacks: it doesn't ask users to click on an obfuscated link but instead loads a fake page into one of the tabs already open in your browser.

Check out this tabnabbing scenario:

You have a bunch of open tabs in your web browser, an e-mail page, Facebook, your bank account and maybe a bunch of news sites.

While you're reading your favorite Mashable.com content, the attack homes in on tabs that haven't been used recently or aren't in focus and replaces the favicon (the icon in your tab bar) and the title of the tab.

When you click on that tab, a fake page has been loaded in its place, perhaps one made to look like a standard login page.

Because you had already opened this tab legitimately, you don't bother paying any attention to the URL in the address bar, and you enter your login information.

You've just sent your info to a nefarious third party.
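The scenario above has a recognizable shape from the browser's side: a page whose tab is hidden changes its own title and favicon without navigating anywhere. The following is an added example, not code from the article or from Raskin's proof of concept, of the pure detection logic a browser extension's content script could apply to an event log it records (the hooks it would use, `visibilitychange` and a MutationObserver on `<head>`, are left out so the logic runs stand-alone). The event log and the hostnames in it are constructed for illustration:

```javascript
// Added example: heuristic for flagging a tab that changes its identity while hidden.
// This is not code from the article, from Raskin's demo, or from any real extension.

// Constructed event log, in the shape a content script might record it:
// a page load, the tab going to the background, title and favicon swaps
// while hidden, and the user returning to the tab.
const SAMPLE_EVENTS = [
  { t: 0,     type: "load",       url: "https://news.example.test/article/42",
              title: "An article about browsers", favicon: "https://news.example.test/favicon.ico" },
  { t: 5000,  type: "visibility", state: "hidden" },
  { t: 8000,  type: "title",      value: "Sign in to Example Mail" },
  { t: 8001,  type: "favicon",    value: "https://cdn.example-evil.test/mail.ico" },
  { t: 30000, type: "visibility", state: "visible" },
];

// Constructed benign log: a webmail tab updating its unread count in the background.
const BENIGN_EVENTS = [
  { t: 0,    type: "load",       url: "https://mail.example.test/inbox",
             title: "Inbox (2)", favicon: "https://mail.example.test/favicon.ico" },
  { t: 4000, type: "visibility", state: "hidden" },
  { t: 9000, type: "title",      value: "Inbox (3)" },
];

// Walk the log and collect every title/favicon change that happened while the tab
// was hidden and no navigation reset the baseline. A title-only change is common
// for legitimate pages (unread counters), so the verdict needs at least two
// distinct identity properties to change before the page is marked suspicious.
function assessTabnabbing(events) {
  let hidden = false;
  let baseline = null;          // identity of the page as last loaded/navigated
  const findings = [];

  for (const ev of events) {
    switch (ev.type) {
      case "load":
      case "navigate":           // a real navigation legitimately resets everything
        baseline = { url: ev.url, title: ev.title, favicon: ev.favicon };
        break;
      case "visibility":
        hidden = ev.state === "hidden";
        break;
      case "title":
      case "favicon":
        if (hidden && baseline && ev.value !== baseline[ev.type]) {
          findings.push({ t: ev.t, what: ev.type, from: baseline[ev.type], to: ev.value });
        }
        break;
      default:
        break;                   // unknown event types are ignored
    }
  }

  const changed = new Set(findings.map((f) => f.what));
  return {
    origin: baseline ? new URL(baseline.url).origin : null,
    findings,
    suspicious: changed.size >= 2,
  };
}

module.exports = { SAMPLE_EVENTS, BENIGN_EVENTS, assessTabnabbing };
```

The verdict deliberately keys on the combination of title and favicon changing with no navigation, because a page that merely updates its title in the background is normal; what makes tabnabbing distinctive is that the tab's whole visible identity changes while its origin does not.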

Raskin shows off how this works in this video:

Pretty scary, right? Raskin details some methods that could make this sort of attack even more insidious, including checking to see if a user is currently logged in or out of a certain site in order to better offer up a believable fake page.

How would this attack get on your system to begin with, you might ask? Plugins and add-ons are the most common way that intruders can gain access to your system. Client-side script injections by way of JavaScript, Flash, ActiveX and so on are responsible for many browser attacks. This is just one more reason to always make sure you're using an up-to-date web browser.

The Fix

Raskin's proof of concept is scary, but it isn't foolproof. Here is what you can do to keep yourself safe from this and other types of attacks:

Keep your web browser up-to-date. Also make sure that plugins and extensions are up-to-date and from trusted sources.

If you're a Windows user, make sure you have anti-virus or anti-malware software on your computer.

Pay attention to the address in your browser's toolbar, especially when it comes to login pages. It's easy to get into muscle-memory mode and just assume that a tab is unchanged, but for important user accounts, keep an eye on that location bar.

Consider using some sort of password management tool. Raskin points to the Firefox Account Manager as one way of using the browser as your identity manager, but plugins and tools like 1Password are good choices too. Rather than typing in user names and passwords individually, use an identity manager that compares the site you are on against the stored data in its database (making sure the addresses and DNS addresses match up); it will not enter your information into a false site.
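Here is what that comparison looks like in practice, as an added JavaScript example (not code from the article, from Raskin's demo, or from any real password manager). The check reduces the current page's URL to its security origin (scheme, host and port) and fills credentials only when that origin exactly matches the one the entry was saved on, so a tabnabbed page on a look-alike or different host gets nothing. The vault entries and URLs are constructed for illustration:

```javascript
// Added example: the origin check a password manager performs before autofilling.
// Not code from the article, from Raskin's demo, or from any real password manager.

// Constructed sample vault: each entry is keyed by the exact origin it was saved on.
const VAULT = [
  { origin: "https://www.example-bank.test", username: "alice" },
  { origin: "https://mail.example.test",     username: "alice@example.test" },
];

// Reduce a URL to its security origin using the WHATWG URL parser (the same
// normalisation the browser applies: lower-cased host, IDN hosts to punycode,
// default ports dropped). Returns null for anything that is not an absolute
// http(s) URL, so javascript:, data:, relative strings and garbage never match.
function originOf(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (_) {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.origin;
}

// Decide whether stored credentials may be filled on the page currently shown.
// Matching is exact on origin: a look-alike host, an extra subdomain, a different
// scheme or a non-default port is a different origin and gets no credentials.
function credentialsFor(currentUrl, vault = VAULT) {
  const origin = originOf(currentUrl);
  if (origin === null) {
    return { fill: false, reason: "not an http(s) page" };
  }
  const entry = vault.find((e) => e.origin === origin);
  if (!entry) {
    return { fill: false, reason: `no entry for origin ${origin}` };
  }
  return { fill: true, username: entry.username };
}

// Constructed URLs a user might land on; only the first is the genuine site.
const SAMPLE_PAGES = [
  "https://www.example-bank.test/login?next=/accounts",       // genuine: fill
  "http://www.example-bank.test/login",                        // scheme downgrade: no
  "https://www.example-bank.test.evil-host.test/login",        // host suffix trick: no
  "https://www.example-bank.test:8443/login",                  // unexpected port: no
  "https://www.ex\u0430mple-bank.test/login",                  // Cyrillic 'a' look-alike: no
  "javascript:void(0)",                                        // not a web page: no
];

function demo() {
  return SAMPLE_PAGES.map((u) => ({ url: u, decision: credentialsFor(u) }));
}

module.exports = { VAULT, SAMPLE_PAGES, originOf, credentialsFor, demo };
```

The look-alike host in the sample list is the important failure mode: to a person the address bar reads almost identically, but the parser converts the non-ASCII label to its punycode form, so the origin string is different and the manager stays silent, which is exactly the cue the article's advice relies on.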

As of right now, this is not an attack that is out in the wild — it's a proof of concept. However, tabnabbing does illustrate some of the ways that users can have information compromised by way of indirect attacks.

Update: Jerry Bryant, Group Manager, Response Communications at Microsoft, provided us with the following statement:

Safety online is about defense-in-depth. Internet Explorer 8 includes world-class technologies such as the SmartScreen Filter and Domain Highlighting. These technologies, along with the Lock icon, help block the malicious pages required for this kind of attack, and highlight that such pages are not ones the user should trust.

Before entering personal information on any website, users should always check that the Lock icon is present in the address bar and that the web address of the page is one they’d expect given the service they think they are using. Domain Name helps users do this by highlighting in black the actual domain of the page they’re visiting.

Behind the scenes, the SmartScreen Filter also plays a role in combating this sort of hijacking attempt. SmartScreen successfully blocks millions of views of malicious pages each month and would help protect the user in this situation. Some stories indicated that Internet Explorer on XP was susceptible to the available Proof of Concept code released on a web page by Mozilla. Those stories are not complete. Since the site/code is not malicious, it did not trigger the SmartScreen filter which would protect these users against this PoC.

When understanding the real world risk of situations like this, it is really important to consider the defense-in-depth protections offered by Internet Explorer.

image courtesy of iStockphoto, Spannerdude