User Beware: A New Type of Phishing Attack – “Tabnabbing”


As educators, we’re online a lot. We enter our grades and attendance online, we e-mail parents, we store our lesson plans electronically and we sometimes check our personal e-mail accounts or online bank statements. In other words, teachers aren’t so different from most people: we’ve become used to using the computer for all kinds of work and personal tasks and we wonder how we ever lived before Google, Excel, and Farmville.

Criminals are glad we feel that way. They enjoy sending us e-mail spam and running phishing scams. Phishing (pronounced “fishing”) is a dishonest technique criminals use to trick computer users into giving out their passwords, bank account numbers, and other personal information. Phishers pose as institutions most users trust: banks, service providers like AOL, and even the IRS. Most users recognize a phishing attack and ignore it. I’m sure you know not to give your bank account numbers to a Nigerian prince who promises to split his fortune with you. If an e-mail claiming to be from PayPal or the IRS doesn’t address you by name or account number and is riddled with misspellings, you know it’s a criminal phishing for your credit card number or password.

The phishers, like our digital technology, are evolving. Our school network security can alert us to suspicious sites or block them altogether. Our e-mail spam filters can catch suspicious e-mails and shady offers. However, a new kind of phishing has arrived: tabnabbing.

Tabnabbing. Aza Raskin wrote in his blog this week about tabnabbing, a phishing technique that disguises a browser tab you already have open so that it looks like a trustworthy site. Here’s how it works: you have several browser tabs open, and you’ve switched away from an innocent-looking site to a different tab, leaving the innocent-looking tab open. That site is really a phishing site, and its creators have programmed the page to notice when you’ve switched to another tab. With me so far?

While your attention is focused on CNN’s headlines or on Twitter, the phishing page uses a CSS history trick to learn which sites you visit and quietly rewrites its own browser tab to look like a page you’d trust. The new phishing page might wear the disguise of your bank’s login screen and pretend that you’ve been logged out. It could look like Gmail and invite you to log in to check your messages. However, look closely. The favicon (the icon next to the web address) might be your bank’s, but the URL is not. The browser tab might read Gmail, but the URL isn’t Google’s. You’ve been tabnabbed.

For a safe illustration of tabnabbing, visit Raskin’s blog post and scroll down to the video. Watch the video and then click another browser tab. Watch Raskin’s browser tab for a few seconds and see it change into a Gmail look-alike. Notice how the site’s heading and browser tab match Gmail’s. You might even see Gmail’s favicon. Now look at the web address: it is still Raskin’s. If you click anywhere on the page, you’ll return to Raskin’s blog. He’s not phishing; he’s giving you a heads-up.

What can you do? Eventually browsers and Internet security software will adapt to this new phishing technique. In the meantime, I plan to open a fresh browser tab every time I log in to anything: the school’s online grading software, my web-based e-mail, and my bank account. If a login screen is sitting innocently in a browser tab, I’m going to close it, even if I suspect I opened it myself earlier. Every time I log off a site like my electronic medical records or even my Facebook account, I plan to close the browser tab. It’s a pretty low-tech solution to a high-tech problem, but it’s better than handing my school e-mail account to strangers or allowing phishers access to my bank account.
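A defensive check in the spirit of this advice, added here as an example (not code from Raskin’s post or from this blog): a small script that records what a tab looked like when it loaded and flags a title or favicon swap that happened while the tab was hidden, which is exactly what the post tells you to look for. It assumes document-like and location-like objects and only installs its watcher inside a real browser; a finding is a prompt to read the address bar, since legitimate pages also retitle themselves while hidden.

```javascript
// Added example, not from the original post: record a tab's identity
// (real origin, title, favicon) at load and re-check when the tab regains
// focus. `doc`/`loc` are document-like and location-like objects (assumed shape).
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: new URL(loc.href).origin,
    title: doc.title,
    favicon: icon ? new URL(icon.getAttribute('href'), loc.href).href : null,
  };
}
// Compare the load-time snapshot with the one taken when the tab is visible again.
// Returns a list of findings; an empty list means the tab's identity is unchanged.
function compareSnapshots(before, after) {
  const findings = [];
  if (before.title !== after.title) {
    findings.push(`title changed while hidden: "${before.title}" -> "${after.title}"`);
  }
  if (before.favicon !== after.favicon) {
    findings.push(`favicon changed while hidden: ${before.favicon} -> ${after.favicon}`);
  }
  // The tell from the post: the icon is served from somewhere other than the
  // origin actually serving the page (a CDN-hosted favicon trips this too).
  if (after.favicon && new URL(after.favicon).origin !== after.origin) {
    findings.push(`favicon from ${new URL(after.favicon).origin}, page is ${after.origin}`);
  }
  return findings;
}
// Wire the check to the Page Visibility API; `warn` receives the findings.
function installTabnabWatch(doc, loc, warn) {
  let baseline = snapshot(doc, loc);
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState !== 'visible') return;
    const now = snapshot(doc, loc);
    const findings = compareSnapshots(baseline, now);
    if (findings.length > 0) warn(findings);
    baseline = now; // legitimate retitles (unread counts) become the new normal
  });
}
// Constructed sample: a blog tab that, while hidden, dressed itself up as webmail.
const SAMPLE_BEFORE = { origin: 'https://example-blog.test', title: 'Teacher blog post', favicon: 'https://example-blog.test/favicon.ico' };
const SAMPLE_AFTER = { origin: 'https://example-blog.test', title: 'Webmail: Sign in', favicon: 'https://webmail.example-provider.test/favicon.ico' };
if (typeof document !== 'undefined') {
  installTabnabWatch(document, location, (f) => console.warn('Possible tabnabbing:', f));
} else {
  console.log(compareSnapshots(SAMPLE_BEFORE, SAMPLE_AFTER)); // three findings for the sample
}
```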

What do you think? What will you tell your students about this new online phishing tactic? How can you make sure that your information and that of your family, including your teen daughter, is protected? IT professionals: I invite you to weigh in on this topic, too!

