July 12, 2010

Just when it seemed as though the various types of phishing attacks had been identified, up pops another that is even more sophisticated. Most commonly known as "tabnabbing," it is also called "tabnapping" or kidnapping of Internet tabs.

Phishing scams typically involve sending hoax emails to your computer in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the email. The link directs you to a fake website which looks like your bank's website. Once you have typed in your login details, the criminals who set up the fake site have access to your information.

How it works

Tabnabbing does not rely on persuading you to click on a fake link. It targets Internet users who open lots of tabs on their browser at the same time and changes the way a legitimate site looks behind your back.

An inactive browser tab is replaced with a fake page set up specifically to obtain your personal data -- without you even realizing it has happened. Scammers can actually detect when a tab has been left inactive for a while and spy on your browser history to find out which websites you regularly visit so they know which pages to fake.

Here is an example: You open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes. This leaves the original tab unattended during that time. When you return to your bank's website, the login page looks exactly how you left it, but it is again requesting that you log in. This seems reasonable because you assume that your original login has timed out.

What you don't realize is that a fake page was substituted, and when you re-enter your username and password it goes not to the official bank login but to the con artist. Once you re-enter your login information, you will be redirected to your bank's website since you never actually logged out in the first place, giving you the impression that all is well. Meanwhile, the con artist has just obtained your login information and can now log in to your account without your knowledge.

Beating the scammer

Tabnabbing should be fairly easy to avoid as long as you are careful. North Dakota Attorney General Wayne Stenehjem offers five tips for protecting yourself:

1. Always check that the URL in the browser address bar is correct before you enter any login details. A fake tabbed page will have a different URL than the website you think you are using.

2. Always check to make certain the URL has a secure https:// address even if you don't have tabs open on the browser.

3. If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again.

4. Avoid leaving open tabs that require you to type in secure login details. Don't open any tabs while doing online banking. Open new windows instead.

5. Don't log in on a tab that you have not opened yourself.

While this type of attack on your computer could potentially be devastating, it is relatively simple to keep yourself safe online. Follow the steps outlined above and if you question a URL, close out of the site and start over again. Or simply do not leave tabs open on the Internet.
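Tips 1 and 2 written out as a check, as an added JavaScript example that is not part of the original article: it compares the address a tab shows with the host you meant to visit and explains why a familiar-looking URL can still be wrong. The function names and every hostname below are constructed for illustration.

```javascript
// Added example. checkLoginUrl, flaggedTabs and all hostnames are hypothetical.
function checkLoginUrl(shownUrl, expectedHost) {
  const expected = expectedHost.toLowerCase();
  let url;
  try {
    url = new URL(shownUrl);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  // Tip 2: a login page must be served over https.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // In "https://www.bank.example@evil.test/" the familiar name is only the
  // userinfo part; the host actually contacted is what follows the "@".
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo in URL" };
  }
  // Tip 1: the host must match exactly. The URL parser lowercases the host and
  // converts non-ASCII lookalike letters to "xn--" labels, so they never match.
  if (url.hostname !== expected) {
    const embedded = url.hostname.includes(expected);
    return {
      ok: false,
      reason: embedded ? "expected name embedded in a different host" : "different host",
    };
  }
  return { ok: true, reason: "host and scheme match" };
}

// Constructed sample: addresses a returning user might find in a bank tab.
const SAMPLE_TABS = [
  "https://www.bank.example/login",
  "http://www.bank.example/login",
  "https://www.bank.example.evil.test/login",
  "https://www.bank.example@evil.test/login",
  "https://www.b\u0430nk.example/login", // Cyrillic "a" in place of Latin "a"
];

// Returns the sample addresses that fail the check, with the reason for each.
function flaggedTabs(tabs, expectedHost) {
  return tabs
    .map((t) => ({ url: t, ...checkLoginUrl(t, expectedHost) }))
    .filter((r) => !r.ok);
}

console.log(flaggedTabs(SAMPLE_TABS, "www.bank.example"));
```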