Tabnapping: New Security Threat

Network World reported that all the major web browsers on Windows and Mac OS X are vulnerable to a new type of phishing scam: “tabnapping.” A combination of the words kidnapping and tab, as in browser tabs, tabnapping happens when an already open tab is secretly switched for something else without the user noticing. As an example, when I work I typically have several Internet Explorer (IE) tabs open. Say one of them is my bank’s site; I leave that tab and go to my email account, and when I return to the bank tab it says the session timed out, so I have to log in again. But what could have happened is that the page was switched while I was away, and I am actually logging in to a page that diverts my credentials to a scammer.

Here are some things you can do to avoid being tabnapped:

  • Don’t log in on a tab that you haven’t opened yourself. If you see a tab that contains a seemingly legitimate log-in form, close it, then head to the site yourself in a new tab.
  • Get on the latest release of your web browser. Every major browser has a filter of some kind designed to weed out malicious sites and/or legitimate sites that are suspected of being infected with attack code. Presumably, those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.
  • Look at the URL in your browser’s address bar before filling in any form or giving out any personal information. Unless the attackers are particularly clever and able to exploit a vulnerability or flaw to “spoof,” or fake, the URL, it won’t match the bogus log-in screen. That’s your cue to close the tab immediately.
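The third tip, checking what a tab looks like before typing into it, can be partly automated. As an added example that is not from the Network World report or this post, the content script below (for a browser extension or user script) snapshots a page’s origin, title, favicon and password-field count when its tab goes hidden and compares them when the tab is shown again; the event handling is the standard Page Visibility API, while the heuristics and the function names are my own.

```javascript
// Added example, not the article's code; names and heuristics are my own.

// What a user relies on to recognise a tab: origin, title, favicon, and
// whether a password field is present.
function takeSnapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: doc.location.origin,
    title: doc.title,
    favicon: icon ? icon.getAttribute('href') : null,
    passwordFields: doc.querySelectorAll('input[type="password"]').length,
  };
}

// Compare the snapshot taken when the tab went hidden with the one taken on
// return. Returns reasons for suspicion; an empty list means nothing odd.
// Legitimate pages also change titles (unread-mail counts), so treat a hit
// as a prompt to check the address bar, not as proof of an attack.
function detectTabnab(hidden, visible) {
  const reasons = [];
  if (hidden.origin !== visible.origin) reasons.push('origin changed');
  if (hidden.title !== visible.title) reasons.push('title changed');
  if (hidden.favicon !== visible.favicon) reasons.push('favicon changed');
  if (visible.passwordFields > hidden.passwordFields) {
    reasons.push('password field appeared while tab was hidden');
  }
  return reasons;
}

// Hook the Page Visibility API. onAlert(reasons, before, after) lets the
// caller warn the user before they type anything into the changed page.
function install(doc, onAlert) {
  let hiddenSnapshot = null;
  doc.addEventListener('visibilitychange', () => {
    if (doc.visibilityState === 'hidden') {
      hiddenSnapshot = takeSnapshot(doc);
    } else if (hiddenSnapshot) {
      const now = takeSnapshot(doc);
      const reasons = detectTabnab(hiddenSnapshot, now);
      if (reasons.length) onAlert(reasons, hiddenSnapshot, now);
      hiddenSnapshot = null;
    }
  });
}

// In a browser, arm the detector; under Node (no document) do nothing.
if (typeof document !== 'undefined') {
  install(document, (reasons) =>
    alert('This tab changed while you were away: ' + reasons.join(', ')));
}
```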