Beware of Tab-Napping: A Variant of Phishing
"Phishing" is a well-known form of identity theft employed
by fraudsters to steal victims' login details for bank accounts and
e-mail accounts. Normally, phishers send a fake e-mail and entice victims to
visit a false website and enter their login particulars.
"Tab-Napping" has been identified as a new variant of this fraud,
used to steal credentials. Internet users
need to be careful about this new type of fraud.
Tab-napping is a method of faking browser tabs that the user has already
opened and left inactive while he browses through other tabs. For
example, let us say a user has visited a bank website and kept a tab open for
the purpose. In the meantime he goes to another tab for some other work. The
tab-nappers watch for such a situation and silently replace the earlier tab, in
which you were working on the bank account, with a fake tab.
When you return to this tab, you may be asked to re-enter your credentials,
which you may assume is because you have been logged out due to lapse of time.
The credentials entered may reach the fraudster, resulting in the compromise of
your account.
Presently we advise users to watch out for "https" in the
URL window. This would not be sufficient in cases of tab-napping, since the URL
window may be made to display the https tag even for a fake page.
Users should therefore look at the browser window each time
they enter credentials to see if it appears genuine. It is better to
re-enter the URL in a new window before proceeding with a transaction which was
parked in an inactive tab.
If you are using Firefox, the "NoScript" add-on
may prevent this exploit.
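The advice above depends on the user noticing that a parked tab has changed. As an added example (not part of the original article), the JavaScript below shows one way a browser extension content script or userscript could make that check automatically: it records a tab's origin, title and whether it shows a password field when the tab is hidden, and compares them when the user returns. The function names and the sample page objects are hypothetical and constructed for illustration.

```javascript
// Added example: flag a tab whose identity changed while it was in the background.
// snapshotTab, changesWhileHidden and fakeDoc are hypothetical names.

// Record the properties a user relies on to recognise a tab.
function snapshotTab(doc) {
  return {
    origin: new URL(doc.location.href).origin,
    title: doc.title,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab was hidden with the one taken on return.
function changesWhileHidden(before, after) {
  const findings = [];
  if (before.origin !== after.origin) {
    findings.push(`origin changed: ${before.origin} -> ${after.origin}`);
  }
  if (before.title !== after.title) {
    findings.push(`title changed: "${before.title}" -> "${after.title}"`);
  }
  if (!before.hasPasswordField && after.hasPasswordField) {
    findings.push('a password field appeared while the tab was hidden');
  }
  return findings;
}

// Browser wiring: snapshot when the tab is hidden, compare when it is shown again.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      hiddenSnapshot = snapshotTab(document);
    } else if (hiddenSnapshot) {
      const findings = changesWhileHidden(hiddenSnapshot, snapshotTab(document));
      if (findings.length) console.warn('Tab changed in background:', findings);
      hiddenSnapshot = null;
    }
  });
}

// Constructed sample: a parked page that shows a bank login form on return.
function fakeDoc(href, title, hasPassword) {
  return { location: { href }, title, querySelector: () => (hasPassword ? {} : null) };
}
const before = snapshotTab(fakeDoc('https://news.example/story', 'Daily News', false));
const after = snapshotTab(fakeDoc('https://news.example/story', 'Example Bank - Log in', true));
console.log(changesWhileHidden(before, after));
```

The listener keeps its snapshot only when the page is rewritten in place; if the tab navigates to a new address, the script is reloaded, so the comparison would have to be kept in the extension's background page instead.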
Naavi
June 20 2010
Related Articles
http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/
http://www.malwarecity.com/news/tab-napping-a-new-online-scam-830.html
http://www.computerworld.com/s/article/9177398/How_to_foil_Web_browser_tabnapping_
Comments are welcome at
naavi@vsnl.com