Immunet Blog

This week, we’re taking on phishing attacks. Phishing is basically when hackers “fish” sensitive information from their victims by tricking them into deluging their credit card number, bank account, or even social security number. During a phishing attack, it’s common for hackers to pretend to be the IRS, banks, or other trustworthy entities to convince people to give them their private data. Yes, it’s that simple. Scary right?

It gets worse. A shocking new phishing attack, often called “tabnapping,” manipulates browser tabs, in a tactic that is far more sophisticated and sly than traditional phishing attacks. The way it works, the attack replaces the contents of the tab using Javascript. Then, after you’ve switched over to another tab, the contaminated one morphs its page into the Gmail log-in screen. Switched’s Terrence O’Brien explains:

Between the convincing fake page and the Gmail favicon in the tab bar, it's likely that many will simply assume they left the tab open and were logged out. After collecting your log-in credentials, it simply forwards you to the correct page (in this case Gmail), because you were never actually logged out. The attack script can be triggered on a delay so that it will only change the page if it has not been touched for several minutes, or hours, preying on the inaccuracy of a user's memory. It can even mine your browser history to target the sites you're currently logged-into without special coding.

Firefox is most susceptible to the attack, while Internet Explorer, Chrome, and Safari, don’t always successfully deploy the malicious code. Aza Raskin, of Firefox, actually demonstrates how the sneak attack works on his blog here. Simply switch to another tab after opening the link. The fake Gmail site does seem a bit off, but perhaps we just felt that way because we were expecting it to be bogus. The unsuspecting will not be as vigilant.

So how do you stay safe? The FTC offers basic tips, like don’t respond to emails asking for personal information or pop-up messages prompting you to submit personal data; only call phone numbers on an organization’s official Web site – not numbers that you are sent via email; and of course, use antivirus software. But new techniques, like tabnapping, mean phishing attacks are becoming increasingly advanced and basic common sense will not be enough to stop them.