TabNapping: A New Type of Phishing Attack
Thursday, June 17, 2010 9:26

New internet attack methods, or new variations of old ones, seem to be developing on a regular basis. This makes it hard to keep up with all the ways your business' computer system can be attacked, as well as to adequately protect your most vital business asset: information.
Recently, a new form of phishing attack has been developed that is called "TabNapping". While it has a cool sounding name, there is reason to be concerned. Many businesses that use a number of websites throughout the business day keep them open in different tabs. In my experience, very few people use multiple browser windows and instead use multiple tabs. If that describes how you work in your business, you should understand the basics of this new form of phishing attack. If you don't use tabs and instead open websites in new browser windows, then this form of attack should not affect you.
TabNapping basically allows the attacker to change the contents and label of an open but not active tab. For example, an attacker can take an open browser tab that is not currently being used and make it look like the amazon.com log-in screen, your webmail log-in screen, a bank or credit card log-in screen, or any other type of website that requires you to log-in. The purpose of the attacker changing the inactive browser tab to resemble such a site is to collect your log-in information such as user name and password. An attacker can then use this information to log in to your account and use or steal funds or gather other personal or business information.
TabNapping Method
Information from current researchers shows that a user must first visit a malicious or compromised website in order for the attack to be carried out. The attacker's page then waits until its tab has been inactive for a while and uses JavaScript to change the label and contents of that tab. The user or victim later scans their open tabs, sees the label for a familiar site such as Facebook, and clicks on the tab. Because the attacker has changed the label and content to show a message that the account has timed out, the user believes they need to re-authenticate. The user then enters their log-in information, which is sent to the attacker. From there, the attacker redirects the user to the actual page, which the user was never logged out of in the first place.
The particulars of this form of phishing attack will probably evolve and change over time, but these are currently the basic elements of this type of attack. Right now the attack method does not allow the attacker to change the URL in the browser; only the browser tab's label and content. In the future that may change, but, at this point, if you look at the URL for each tab it should show the URL for the site you are actually on. For most users this may not mean a lot, since it may be hard to tell the difference between the URL of an online bank's log-in page and the URL of the page you are on while you are actually logged into the online bank website. Also, in order to be attacked, you must visit a website that has been compromised. In the future this form of attack may only require allowing JavaScript, which is almost essential if you are going to use the web these days.
Reducing the Risks of TabNapping
TabNapping affects all major browsers for Windows and Mac, but I also recently tested the Firefox browser using Linux, and this form of attack was successful; therefore, it is a browser issue and not an operating system issue.
Since the attack starts with your browser loading a malicious or compromised page, use web filtering or other methods that warn users of malicious sites. If your computer does not visit one of these sites and does not become infected, then at this point all is good.
Do not trust an inactive tab that is asking you to log-in if you have not actually opened the site yourself. In this case, retype the URL for the site or click on your bookmark for the site to actually take you to the website. If you were never logged out of the site, the tab will usually open in the site without logging back in.
Another way to reduce the risk of the attack is to look at the URL when you click on the tab. The URL should not match the site that the fake log-in screen or tab label claims to be. Most users do not do this. They trust what the tab label says, which is what this type of attack is banking on. If you look at the URL and it does not match up, or you're not sure, go back and type in the correct URL or use your bookmarks to go back to the site instead of using the current log-in screen in the browser tab. Be aware, though, that determining if the URL is correct for the site is not always an easy task for most users.
Script blocking add-ons for the Firefox browser, such as NoScript, may help prevent this type of attack, although recent research has shown that the NoScript add-on can be circumvented. Also, the use of password managers may help, because if you saved the log-in information while at the real website, the password manager will not enter the user name and password for you when the URL does not match.
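The two checks above (does the URL match the site the tab claims to be, and will a password manager refuse to fill on a mismatched URL) come down to one rule: compare the page's origin exactly against the origin the credentials were saved on. The snippet below is an added illustration, not code from this post or from any real password manager; the vault contents and host names are constructed.

```javascript
// Added example (not from the original post): a password-manager-style
// autofill check. Credentials saved on the real site are only offered when
// the page's origin (scheme + host + port) exactly matches the saved origin.
// Substring or "looks similar" matches are rejected, which is what stops a
// tabnapped page on another origin from receiving the saved password.

// Constructed sample vault: origin -> credential record. Values are made up.
const VAULT = {
  "https://www.example-bank.test": { user: "alice", secret: "<saved-password>" },
  "https://mail.example.test": { user: "alice@example.test", secret: "<saved-password>" },
};

// Return the saved credential for a page URL, or null when no origin matches.
function credentialFor(pageUrl, vault = VAULT) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch (e) {
    return null; // not a parseable URL: never autofill
  }
  // Only secure origins get autofill, and the host must match exactly.
  if (url.protocol !== "https:") return null;
  const record = vault[url.origin];
  return record ? record : null;
}

// Decide what a password manager should do when a login form appears in a tab.
// Returns "autofill" when the saved origin matches, "warn" otherwise.
function autofillDecision(pageUrl, vault = VAULT) {
  return credentialFor(pageUrl, vault) ? "autofill" : "warn";
}

// A tabnapped page sits on the attacker's origin even though its title and
// contents imitate the bank, so the lookup fails and the user is warned.
const SAMPLES = [
  "https://www.example-bank.test/login",       // real site: autofill
  "https://www.example-bank.test.evil.test/",  // lookalike host: warn
  "http://www.example-bank.test/login",        // wrong scheme: warn
  "https://compromised.test/fake-bank-login",  // tabnapped page: warn
];
for (const u of SAMPLES) console.log(autofillDecision(u), u);
```

The same exact-origin comparison is what a user does by hand when they read the address bar before typing a password into a tab they did not open themselves.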
While there are no bulletproof answers at this point, you can reduce the risk of this type of phishing attack. As always, the only way to eliminate risk is to not be in business at all, and what fun is that!