I am sure, most of the people on the internet would have come across the term Phishing by now and a considerable percentage of them understand that the phishing usually takes place via eMail and Instant messaging services. The modus-operandi of these phishing attacks have been to entice the users to click on a link sent via eMails or IMs or social networking sites.

Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site.

Aza Raskin’s latest PoC (proof of concept) brings into light a brand new form of phishing – called Tabjacking.

What is Tabjacking?

Tabjacking (or Tabnabbing) is a new ingenious phishing attack. It basically refers to a website that is changing its look and feels to a fake website after some time of inactivity. It is about a page we’ve been looking at, but will change behind our backs, when we aren’t looking.

Aza demonstrates this right on his website. Just visit his blog post on Firefox (or Chrome). Now, change tabs, wait five seconds, and then watch in horror as his site seemingly becomes GMail.


How Tabjacking works?

A user navigates to a normal looking website. A custom code detects when the page has lost its focus and hasn’t been interacted with for a while. The favicon gets replaced with that of GMail (or any other website), while the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. This can all be done with just a little bit of Javascript that takes place instantly.

As the user scans their many open tabs, the favicon and title can easily fool the user to simply think he left a Gmail tab open. When he clicks back to the fake Gmail tab, he’ll see the standard Gmail login page, assume he has been logged out, and provide his credentials to log in. The attack preys on the perceived immutability of tabs.

After the user has entered their login information and you’ve sent it back to your server, you redirect him to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful.

Tabnabbing can get really bad when it is combined with things like CSS history miner using which one can detect which site a visitor uses and then attack that site. For example, one can detect if a visitor is a Facebook user, Citibank user, Twitter user, etc., and then switch the page to the appropriate login screen and favicon on demand.

Ofcourse, you can be safe from Tabnabbing if you always look at the address bar before keying in your password. As Aza says, it’s high time we move to browser-based authentication solutions like the Firefox Account Manager.


Was this article helpful?