Tab napping -eek!

[dieseltaylor]

As a man who often has a dozen or so tabs up this is scary.

What is tab napping?

Tab napping is essentially a new kind of phishing scam. Until now phishing has involved sending hoax emails in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the email.

The link actually directs you to a fake website which looks just like your bank's own website. Once you have typed in your login details they can be accessed by the criminals who set the fake site up.

But we’re beginning to wise up to phishing attacks like this, and many of us know we should be very wary of clicking URLs even if they appear to be in a legitimate email.

With awareness of phishing on the up, making it more difficult for scammers to succeed, tab napping could be the scam to watch out for next.

How does tab napping work?

Tab napping is more sophisticated than the phishing scams we’ve seen so far, and it no longer relies on persuading you to click on a dodgy link. Instead it targets internet users who open lots of tabs on their browser at the same time (for example, by pressing CTRL + T).

How does it work? By replacing an inactive browser tab with a fake page set up specifically to obtain your personal data - without you even realising it has happened.

Believe it or not, fraudsters can actually detect when a tab has been left inactive for a while, and spy on your browser history to find out which websites you regularly visit, and therefore which pages to fake.

So, don't assume that after you have opened a new tab and visited a web page, that web page will stay the same even if you don’t return to it for a time while you use other windows and tabs. Malicious code can replace the web page you opened with a fake version which looks virtually identical to the legitimate page you originally visited.

How might tab napping work in practice?

Imagine you open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes, leaving the first tab unattended. When you return to your bank’s site the login page looks exactly how you left it. What you haven’t realised is that a fake page has taken its place, so when you type in your username and password, you have inadvertently given the fraudster easy access to your account.

Donna Werbner gets your two pence on the scams you hate, and finds out how you can protect yourself and stop the scammers from stealing your cash.

Even if you have already logged into your bank account before opening another tab, when you return you might find you’re being asked to login again. This may not necessarily rouse any suspicion since you might simply assume your bank has logged you out because you left your account inactive for too long. You probably won’t even think twice before logging in for a second time. But this time round you have accidently inputted your security details into a fraudster’s fake page which have been sent back to their server.

Once you have done so, you can then be easily redirected to your bank’s genuine website since you never actually logged out in the first place, giving you the impression that all is well.

http://www.lovemoney.com/news/get-the-best-deal/scams/the-new-scam-that-secretly-steals-your-bank-details-4993.aspx

[Elmar Bijlsma]

I'm very sceptical that this is something we need to worry about. This seems very tailored attack, wheras the typical phishing attack is a mass traling through the internets.

[xor_]

I wouldn't dismiss it so easily. Here's a link to the blog post of the Firefox developer who discussed this first. It's a bit more informative than the article posted, and it has proof of concept code. You can try it out yourself. Sure you can detect the napping, but how sure are you will on a busy day?

Even better if you combine it with history stealing.

http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

(BTW, yes, it's me, had to create a new account because of BFC resetting passwords.)

[Elmar Bijlsma]

Point being that ordinary phishing merely requires an idiot with an internet connection.

While this attack is sopisticated enough that it doesn't require foolishness on the part of the user, it does put a few new demands on the attack for it to be successful.

You need to be sought out, have multiple tabs open, the tab that the attack is looking to target needs to be one of them and that shouldn't be tab being looked at at that moment.

Is this a new threat? Yes. Is this a threat you need to lose sleep over? I don't think so.

Howe could you not have gone with "xor-"?

[xor_]

Well, obviously we're talking shades of grey. But from the POV of an attacker, if you can widen your pool of potential victims from "the mouth drooling end of the IQ scale" to "pretty much anyone on a bad day", that's good news. Those aren't far-fetched assumptions about usage patterns, they're pretty standard, I would think.

Howe could you not have gone with "xor-"?

The + actually had a specific meaning a long time ago in the reverse engineering community. The choice of _ over - is merely aesthetic. And we all agree the underscore kicks the dash's ass, right?

[Michael Emrys]

And we all agree the underscore kicks the dash's ass, right?

Actually, it looks kind of weird. It's easy to overlook as just an extension of the underscore that the forum software puts under all names. But it's your nick...

[shrug]

Michael