Tuesday, July 6, 2010

What the hell is Tabnapping?

It's one of the newer techniques employed by phishers. According to this article, a phisher can modify an open tab in your browser that is currently inactive. It works like this:

1. You log on to Hotmail, Gmail, or Facebook, and receive what you believe to be a legitimate message with a link in it.

2. You rejoice at the fact that you can now open this link in a new tab, without having to spawn a new browser window, so you right-click (or something else for you Mac users), and select "Open in new tab."

3. The web page reads a setting that tells it which site you came from; e.g. Hotmail, Gmail, etc...

4. While you are browsing this web page, unaware that it carries some malicious JavaScript, that script reads the setting of which site you came from and changes the contents of your original tab back to what looks like the login page for that site (but is actually something like http://amazon.evil.com).

5. You finish browsing, close your new tab, and return to what looks like your login page, and think "Oh, my session must have just timed out."

6. You log in, and kiss your account username and password goodbye.

Man those bad guys are sneaky...
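The whole trick in the steps above rests on the victim trusting what the page looks like instead of what the address bar says, and on a lookalike host such as amazon.evil.com passing a careless "does it contain amazon?" glance. The following is an added example written for this post, not code from the original article: it shows the defender-side checks a browser extension, password manager, or site owner would apply. The hostnames, URLs, and the `TRUSTED_LOGIN_HOSTS` list are constructed for the example and are assumptions, not values from the post.

```javascript
// Added example (not from the original post): defender-side checks against the
// tabnabbing scenario described above.
//
//  hostMatches()    - does a hostname really belong to a trusted site? The naive
//                     "contains 'amazon'" check is what makes amazon.evil.com
//                     convincing; the correct check is an exact match or a
//                     dot-delimited suffix match.
//  checkLoginForm() - given the URL the tab is actually showing and the URL a
//                     login form would post to, decide whether it is safe to
//                     type credentials, and say why not.
//  hardenLinks()    - add rel="noopener noreferrer" to links that open in a new
//                     tab, so the opened page gets no window.opener handle back
//                     to the original tab (the "reverse tabnabbing" hardening
//                     browsers later adopted by default).
//
// All hostnames and URLs below are constructed for the example.

// Assumed allow-list of hosts where typing a webmail/social login is expected.
const TRUSTED_LOGIN_HOSTS = ['login.live.com', 'accounts.google.com', 'www.facebook.com'];

// True only for the trusted host itself or one of its real subdomains.
function hostMatches(hostname, trustedHost) {
  const h = hostname.toLowerCase();
  const t = trustedHost.toLowerCase();
  return h === t || h.endsWith('.' + t);
}

function isTrustedHost(hostname, trustedHosts = TRUSTED_LOGIN_HOSTS) {
  return trustedHosts.some((t) => hostMatches(hostname, t));
}

// Returns { safe, problems } for a credential form on the page at pageUrl
// whose action attribute is formAction (relative actions are resolved).
function checkLoginForm(pageUrl, formAction, trustedHosts = TRUSTED_LOGIN_HOSTS) {
  const page = new URL(pageUrl);
  const action = new URL(formAction, pageUrl);
  const problems = [];
  if (action.protocol !== 'https:') {
    problems.push('credentials would be sent without TLS');
  }
  if (action.origin !== page.origin) {
    problems.push(`form posts to ${action.origin}, not to the page origin ${page.origin}`);
  }
  if (!isTrustedHost(page.hostname, trustedHosts)) {
    problems.push(`${page.hostname} is not a known login host`);
  }
  return { safe: problems.length === 0, problems };
}

// links: array of { href, target, rel } objects (the attributes an <a> carries).
// Every target="_blank" link gets noopener and noreferrer added to its rel.
function hardenLinks(links) {
  return links.map((link) => {
    if (link.target !== '_blank') return { ...link };
    const rel = new Set((link.rel || '').split(/\s+/).filter(Boolean));
    rel.add('noopener');
    rel.add('noreferrer');
    return { ...link, rel: [...rel].join(' ') };
  });
}

// Demo on the post's own lookalike host: the form looks like a login page but
// the address bar says amazon.evil.com, so the check refuses it.
console.log(checkLoginForm('http://amazon.evil.com/login', '/auth'));
console.log(hardenLinks([{ href: 'https://example.com/article', target: '_blank', rel: 'nofollow' }]));
```

The suffix match in `hostMatches` is the part worth copying: `amazon.evil.com` and `amazon.com.evil.com` both fail it, while `www.amazon.com` passes, which is exactly the distinction the victim in step 5 never makes. The `hardenLinks` step addresses the variant where the newly opened page rewrites the tab that opened it; it does nothing against a page that simply rewrites itself after losing focus, which is why the origin check on the form is still needed.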