Tabs caught napping
A new attack technique takes advantage of open browser tabs to launch phishing sites without the user's knowledge. The attack can be carried out in Firefox, Internet Explorer and other major browsers.
The attack, dubbed tabnapping, was uncovered by Aza Raskin, creative lead for Mozilla Firefox, and affects all the major browsers on Windows and Mac OS X. Raskin's proof-of-concept attack takes advantage of users who keep multiple tabs open. If the user visits a malicious site or one that has been compromised, the attacker can silently change the contents and label of an open, inactive tab to resemble the log-in screen of another site, such as Gmail. Raskin demonstrated the attack on his blog.
Jerry Bryant, group manager for security response communications at Microsoft, said users should always check that the lock icon is present in the address bar before entering personal information on any website, and check that the URL of the site is correct. Internet Explorer 8's SmartScreen filter, which offers some protection against suspected and known phishing sites, can help mitigate the attack, he added.
Raskin indicated that the Firefox Account Manager, which Mozilla is working on for the next version of the browser, mitigates the attack.
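A defender-side heuristic for the behaviour described above, where a tab's label and contents change while it is inactive, is sketched here as an added example; it is not Raskin's proof of concept or any browser's code. The event names, the `WATCHED` list and the sample log are assumptions constructed for illustration.

```javascript
// Added example; event names, fields and sample data are constructed for illustration.
// Assumed watch list: brand keyword -> host allowed to show it in a tab title.
const WATCHED = { gmail: "mail.google.com" };

function findTabnapping(events) {
  const tabs = new Map(); // tabId -> { active, host, changed }
  const findings = [];
  for (const ev of events) {
    if (!tabs.has(ev.tabId)) tabs.set(ev.tabId, { active: true, host: null, changed: new Set() });
    const tab = tabs.get(ev.tabId);
    if (ev.type === "load") {          // remember the host the user actually opened
      tab.host = ev.host;
      tab.changed.clear();
    } else if (ev.type === "blur") {   // user switched to another tab
      tab.active = false;
      tab.changed.clear();
    } else if (ev.type === "focus") {  // user came back
      tab.active = true;
    } else if (!tab.active) {          // title / favicon / content change while unwatched
      tab.changed.add(ev.type);
      if (ev.type !== "title") continue;
      const title = ev.value.toLowerCase();
      const brand = Object.keys(WATCHED).find((b) => title.includes(b));
      // Report only when the new label claims a brand the tab's host does not own.
      if (brand && tab.host !== WATCHED[brand]) {
        findings.push({ tabId: ev.tabId, host: tab.host, brand, changed: [...tab.changed].sort() });
      }
    }
  }
  return findings;
}

// Constructed log: tab 1 rewrites itself while inactive; tab 2 is genuine webmail updating
// its title in the background; tab 3 changes its title while the user is looking at it.
const sampleEvents = [
  { tabId: 1, type: "load", host: "news.example" },
  { tabId: 2, type: "load", host: "mail.google.com" },
  { tabId: 3, type: "load", host: "blog.example" },
  { tabId: 3, type: "title", value: "Gmail tips" },
  { tabId: 1, type: "blur" },
  { tabId: 2, type: "blur" },
  { tabId: 1, type: "favicon", value: "constructed-icon" },
  { tabId: 1, type: "content", value: "constructed login form" },
  { tabId: 1, type: "title", value: "Gmail: Email from Google" },
  { tabId: 2, type: "title", value: "Inbox (3) - Gmail" },
];
console.log(findTabnapping(sampleEvents));
```

Only tab 1 is reported: the genuine webmail tab and the tab that changed its title while in the foreground are not, which is the distinction the heuristic relies on.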
Source: eWeek.
