
Mozilla warns of new phishing scam

27 May 2010

Aza Raskin, a well-known US interface design expert and creative lead on Mozilla's Firefox browser software, has revealed a new type of phishing attack known as 'tab napping'.

According to Raskin, traditional phishing relies on getting users to click through on a URL and reveal their user credentials when they think they are encountering a legitimate web page.

But, he says, public awareness of traditional phishing emails is now so high that most people know not to click on links in emails appearing to come from almost any organisation.

The tab napping phishing process centres on the assumption, commonly held by internet users, that a web page left open in a tab stays the same while they are using other tabs or services.

This, says Raskin, means that if an innocuous-looking but fake page changes while the user isn't looking, then on returning to the tab and finding, for example, a fake Gmail login page, they will simply presume they left a Gmail page open and log in as normal.
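As an added illustration, not part of the article or of Raskin's demonstration, the following is the core check a browser extension could apply to defend against this: record a tab's origin, title and favicon when it is hidden, compare them when it is shown again, and flag a swap that happened while the user was elsewhere. The event names, fields and sample stream are assumptions constructed for the example.

```javascript
// Added example (not from the article or Raskin's demo). Snapshots a tab's
// identity when it is hidden and flags what changed by the time it is shown.
// Event names and fields are assumptions made for this illustration.
function createTabnabDetector() {
  const current = { origin: "", title: "", favicon: "" };
  let snapshot = null; // identity captured when the tab went hidden
  const alerts = [];

  function handle(event) {
    switch (event.type) {
      case "navigate": // user-initiated navigation
        Object.assign(current, { origin: event.origin, title: event.title, favicon: event.favicon });
        break;
      case "title":   current.title = event.value; break;
      case "favicon": current.favicon = event.value; break;
      case "hidden":  snapshot = { ...current }; break;
      case "visible":
        if (snapshot) {
          const changed = Object.keys(snapshot).filter((k) => snapshot[k] !== current[k]);
          if (changed.length > 0) {
            // Same origin, new title AND favicon is the tabnabbing signature;
            // a lone title change (e.g. an unread count) is a weaker signal.
            const classic = changed.includes("title") && changed.includes("favicon") && !changed.includes("origin");
            alerts.push({ severity: classic ? "high" : "low", changed, before: snapshot, after: { ...current } });
          }
        }
        snapshot = null;
        break;
    }
  }
  return { handle, alerts };
}

// Replays one tab's event stream and returns the alerts raised.
function runDetector(events) {
  const detector = createTabnabDetector();
  events.forEach(detector.handle);
  return detector.alerts;
}

// Constructed sample: a news page loses focus and, while hidden, rewrites its
// title and favicon to resemble a webmail login page without changing origin.
const SAMPLE_EVENTS = [
  { type: "navigate", origin: "https://news.example", title: "Daily News", favicon: "/favicon.ico" },
  { type: "hidden" },
  { type: "title", value: "Webmail - Sign in" },
  { type: "favicon", value: "/mail-icon.ico" },
  { type: "visible" },
];
```

In a real extension the same logic would be fed from tab visibility and title/favicon change events; `runDetector(SAMPLE_EVENTS)` returns one high-severity alert for the stream above.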

In a posting on the Vimeo video site, Raskin - who Infosecurity notes is human/machine interface guru Jef Raskin's son - explains how 'tab napping' works and, perhaps more importantly, how users can stop themselves falling for the phishing scam.

Reporting on Raskin's assertions, the Scam Detectives online awareness website advises that users should check the URL whenever they log into a website, regardless of whether or not they have other tabs open in the browser, and make sure they are using a secure https:// address.

"If the URL doesn't look right, or there's no padlock, close the tab, open a new one and enter the URL again", said Scam Detectives editor Charles Conway.

"Better still", he adds, "make it a policy not to leave websites that require secure logins open in tabs. That way, he explained, you will know if a site that requires you to log in appears in a tab, you haven't left it there and you've been 'tabnapped.'"

"Traditional 'phishing' mails often stumble at the first hurdle by impersonating organisations or banks that you've never had dealings with, so you instantly know that if you don't bank with HSBC for example, it's a scam", he reports.

"A 'tabnapping' website will allow scammers to specifically target your account by harvesting your browser history to check that you actually visit the site it will impersonate", he noted.
