Monday, June 21, 2010

Tab-nabbing

This is a new variation of "phishing" as a technique to steal the identity of bank customers, and it needs to be quickly disseminated to the public at large.

"Phishing" is a well known form of identity theft employed by fraudsters to steal the login details of victims for bank accounts and e-mail accounts. Normally phishers send a fake e-mail and entice victims to visit a false website and enter their login particulars.

In what is termed a variant of the fraud, "Tab-Nabbing" has been identified as a new way of stealing credentials. This form of phishing persuades users to submit their login details and passwords to popular websites by impersonating those sites and convincing the user that the site is genuine. The attack was discovered and named by Aza Raskin, a security researcher and design expert.

The attack takes advantage of user trust and inattention to detail in regard to tabs, and of the ability of modern web pages to rewrite tabs and their contents long after the page has loaded. The exploit employs a script that rewrites a page of average interest with an impersonation of a well-known website once the page has been left unattended for some time. A user who returns after a while and sees the rewritten page may be induced to believe the page is legitimate and enter their password and other details, which will then be used for improper purposes. The attack is more likely to succeed if the script checks for well known websites the user has loaded in the past or in other tabs, and loads a simulation of those same websites.

This attack can be carried out even if JavaScript is disabled, using the refresh meta element, an HTML element used for page redirection that causes a specified new page to load after a given time interval.

In simpler words, tab-nabbing is a method of faking browser tabs that the user has already opened and left inactive while browsing in other tabs. For example, let us say a user has visited a bank website and kept a tab open for the purpose. In the meantime he goes to another tab for some other work. The tab-nabbers watch for such a situation and silently replace the earlier tab, in which the user was working on the bank account, with a fake one. When the user returns to this tab, he may be asked to re-enter his credentials, which he may assume is because he has been logged out after a lapse of time. The credentials entered may reach the fraudster, resulting in the compromise of the account.

Read my articles on Secure Online Transactions here or there

Users should therefore watch the browser window each time they enter their credentials to check that it appears genuine. It is better to re-enter the URL in a new window before proceeding with a transaction that was parked in an inactive tab.
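The check described above can also be automated on the user's side. The following is an added example (not code from the original post) of a small tab-watcher, written for a browser extension content script or the developer console: it records the title, favicon and presence of a password field when a page loads, compares them with what is visible when the tab is brought back to the foreground, and reports any `<meta http-equiv="refresh">` that would carry the user to another page without any action. The snapshot shape, the function names and the sample values are assumptions of this example; it is a heuristic, not a guarantee.

```javascript
// Added example: detect a page that changed its appearance while the tab was
// hidden, which is exactly what a tab-nabbing script does. The DOM-dependent
// parts run only inside a browser; the two pure functions can be tested offline.

// Parse the content of <meta http-equiv="refresh"> such as
// "5; url=https://example.test/login" (assumed sample). Returns null if invalid.
function parseMetaRefresh(content) {
  const m = /^\s*(\d+)\s*(?:[;,]\s*url\s*=\s*['"]?([^'"\s]+)['"]?)?\s*$/i.exec(content || "");
  if (!m) return null;
  return { delaySeconds: Number(m[1]), url: m[2] || null };
}

// Compare what the tab looked like at load with what it looks like on return.
// A snapshot is { title, favicon, hasPasswordField } (shape assumed here).
function compareSnapshots(atLoad, onReturn) {
  const reasons = [];
  if (atLoad.title !== onReturn.title) reasons.push(`title changed: "${atLoad.title}" -> "${onReturn.title}"`);
  if (atLoad.favicon !== onReturn.favicon) reasons.push("favicon changed while the tab was hidden");
  if (!atLoad.hasPasswordField && onReturn.hasPasswordField) reasons.push("a password field appeared while the tab was hidden");
  return { suspicious: reasons.length > 0, reasons };
}

// Capture the user-visible identity of the current document.
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.getAttribute("href") : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Install the watcher: warn at load about an unattended redirect, and on every
// return to the tab compare the page against the snapshot taken at load.
function installWatcher(doc, report) {
  const atLoad = takeSnapshot(doc);
  const refresh = Array.from(doc.querySelectorAll("meta[http-equiv]"))
    .find((m) => m.getAttribute("http-equiv").toLowerCase() === "refresh");
  const r = refresh ? parseMetaRefresh(refresh.getAttribute("content")) : null;
  if (r && r.url) report(`page will navigate to ${r.url} after ${r.delaySeconds}s without any user action`);
  doc.addEventListener("visibilitychange", () => {
    if (doc.visibilityState !== "visible") return;
    const result = compareSnapshots(atLoad, takeSnapshot(doc));
    if (result.suspicious) report("tab changed while unattended: " + result.reasons.join("; "));
  });
}

if (typeof document !== "undefined") {
  installWatcher(document, (msg) => console.warn("[tab-watch] " + msg));
}
```

A warning from the watcher is the cue to do what the paragraph above recommends: close the tab and type the bank's address afresh rather than logging in on the page that changed.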

2 comments:

Unknown said...

Hi Gerard, it's been a long time. A nice informative blog.

Unknown said...

Hi Gerard. Tab-nabbing is really an interesting article.