Tabnapping

Tabnapping is a new type of phishing that fraudsters are using to get people’s personal information. All major browsers that use tabbed-browsing on Windows and MAC OS X are vulnerable to the attack.

Tabnapping targets people who keep multiple tabs open in their browser, often for long periods of time. The fraudsters then use JavaScript to change the contents and label of an open, but not active, tab to resemble the log-in screen of a bank, email provider or online shopping store.

When a user clicks back onto the tab to find the fake log-in screen, they assume that they have been logged out and re-enter their user information and password to log back in. When they enter these details, the personal information provided is sent straight to the fraudsters.

The url in the browser’s address bar is not necessarily altered by tabnappers, so checking the url is the legitimate url of the service provider is not a sufficient precautionary measure.

The fraudsters may even put an additional message on the fake log-in screen, saying that the session has timed out and the user needs to re-enter their log-in details. This is a message that appears on legitimate websites, particularly on banks, increasing the likelihood that the user thinks the log-in screen is trustworthy.