Tabnapping: a new phishing attack




#2

I keep Gmail open as the first tab in my browser, and only that tab. I would be crazy suspicious to see a Gmail login screen appear anywhere else.


#3

Fixed: NoScript. I’m not the savviest user, but even the most L337 HaXor can’t get past the fact that, if I’m not looking at a tab, the site in the tab CAN’T run any scripts because I only turn scripting on when I’m using it, and turn scripting off when I switch to the next tab.

It also helps that with Adblock and noscript, nearly all advertising doesn’t even reach my PC. And the Unicode look-alike domains don’t get past my whitelist at all. It doesn’t matter that I have https://www.google.com whitelisted, because https://www.goοgle.com (omicron looks the same in my browser) is still blocked and not in the whitelist. Why eyeball something that’s measured accurately by the automated tool?
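The exact-match whitelist check that comment #3 describes, as an added example that is not part of the original thread and is not NoScript's own code. It relies on the WHATWG URL parser built into Node.js and browsers, which returns the lowercase ASCII (punycode) form of a hostname; WHITELIST, checkUrl and the sample URLs are constructed for illustration.

```javascript
// Constructed whitelist for illustration only.
const WHITELIST = new Set(["www.google.com", "mail.google.com"]);

// Decide whether a URL's host is whitelisted by comparing the parsed,
// ASCII-normalised hostname exactly, never by how the name looks on screen.
function checkUrl(input) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return { allowed: false, host: null, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { allowed: false, host: url.hostname, reason: "not https" };
  }
  // The parser lowercases the host and converts non-ASCII labels to "xn--..." form.
  const host = url.hostname;
  if (WHITELIST.has(host)) {
    return { allowed: true, host, reason: "exact whitelist match" };
  }
  const punycoded = host.split(".").some((label) => label.startsWith("xn--"));
  return {
    allowed: false,
    host,
    reason: punycoded
      ? "not whitelisted; host contains a non-ASCII (punycode) label"
      : "not whitelisted",
  };
}

// Constructed sample inputs.
const samples = [
  "https://www.google.com/accounts",      // whitelisted
  "https://www.go\u03bfgle.com/accounts", // Greek omicron in place of Latin "o"
  "https://WWW.GOOGLE.COM/",              // case is normalised by the parser
  "https://www.google.com.example.net/",  // whitelisted name used as a subdomain prefix
  "http://www.google.com/",               // right host, wrong scheme
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(checkUrl(s)));
}
```

The look-alike host fails the check because its parsed form contains an `xn--` label, so it can never equal the whitelisted ASCII name.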


#4

To be clear, this is not a new attack. Aza originally disclosed it in 2010: http://en.wikipedia.org/wiki/Tabnabbing#cite_note-2


#5

This is another reason why it is bad to have tabs across the top of the screen rather than down the side. Across the top they quickly run out of room and you lose track of which tab is what. With the vogue for 16x9 screens, this problem is magnified as an annoyance by removing vertical space. Thankfully, with higher and higher res screens it’s possible to have adequate pixels of width minus a hundred fifty or so for the tab bar on the side.


#6

Me too. Pinned tab all the way to the left.


#7

“New” from 2010…


#8

Apparently the Intel folks are hard at work on biometric access points so we can dump the way-past-broken tech of username/password. And while it isn’t 100% foolproof, two-factor authentication and/or a password manager will help to defeat this sort of attack.

