A leading Firefox developer has discovered a new phishing attack method.
The attack, dubbed “tabnabbing” preys on browser tabs and the fact that users generally don't keep track of all the tabs they have open at one time, said Aza Raskin, creative lead for Mozilla's Firefox web browser, who discovered and publicised the technique.
In this type of phish, a user must be tricked into visiting a maliciously crafted tabbed page containing JavaScript, Raskin said. This allows the attacker to surreptitiously change the contents of a separately tabbed page, in addition to the name and logo on that tab.
When a user eventually returns to the tab, they see the spoofed page for a site, for example, Gmail or Facebook.
The attack is different from most phishing ploys, which rely on deception alone, Raskin said. This tacic relies on the “perceived immutability of tabs."
“What we don't expect is that a page we've been looking at will change behind our backs, when we aren't looking,” Raskin wrote. “That'll catch us by surprise.”
An attacker could make the phishing ruse even more cunning by creating a targeted attack that takes advantage of a user's web browsing history file, Raskin warned. In addition, instead of simply displaying a login screen on the spoofed page, an attacker could display a message that the user's session has timed out, thereby adding legitimacy to the attack.
Raskin provided a proof-of-concept of the attack, in which a bogus Gmail page is displayed.
According to researchers at Mac security vendor Intego, the proof-of-concept works on Firefox and Safari.
“For now, there's no way to indicate that the page has changed, and users should be extremely careful before logging into any webmail, bank or online commerce site page,” Intego researchers wrote in a blog post.
In addition, they said users should check the URL of a site carefully if an unexpected login screen appears.
To further protect themselves, users can consider running the NoScript add-on for Firefox, Mike Rothman of security consultancy Securosis said in a blog post. Or they can deploy a password management tool, which should not make saved logins available for use at malicious sites.
See original article on scmagazineus.com
New phishing technique exploits browser tab use
"Tabnabbing" preys on users that don't keep track of all the tabs they have open.
Got a news tip for our journalists? Share it with us anonymously here.
Partner Content
.png&h=140&w=231&c=1&s=0)
Partner Content
Ransomware targets Australian SME false sense of security
Partner Content
ElasticON Sydney 2025: Deriving value from your data with Search AI
.png&h=140&w=231&c=1&s=0)
Partner Content
Machine identity a key priority for organisations’ security strategies: CyberArk
Microsoft Copilot Partner Hub
Sponsored Whitepapers
.png&w=100&c=1&s=0)
Gaining a Competitive Advantage with Communication APIs
_page-0001.jpg&w=100&c=1&s=0)
Leverage Technologies: Industry-Tailored ERP Implementation for Growth and Compliance
.png&w=100&c=1&s=0)
Service Over Signatures: The Truth About No Lock-In IT
Wasabi Reveals Hidden Costs and Cloud Storage Shifts in ANZ for 2025
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
.png&w=120&c=1&s=0)
Tech in Gov 2025
Forrester's Technology & Innovation Summit APAC 2025
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
