Mozilla warns of new phishing scam

According to Raskin, traditional phishing relies on getting users to click through on a URL and reveal their user credentials when they think they are encountering a legitimate web page.

But, he says, public awareness of traditional phishing emails is now so high that most people know not to click on links in emails appearing to come from almost any organisation.

The tab napping phishing process centres on the commonly held assumption by internet users that a tabbed web page stays the same when other internet services are being accessed.

This, says Raskin, means that if an innocuous - but fake - page changes when the user isn't looking, then when s/he returns to the tab, if they encounter, for example, a fake Gmail login page, they will simply presume they left a Gmail web page open, and log in as normal.

In a posting on the Vimeo video site, Raskin - who Infosecurity notes is human/machine interface guru Jef Raskin's son - explains how `tab napping' works and, perhaps more importantly, how users can stop themselves falling for the phishing scam.

Reporting on Raskin's assertions,  the Scam Detectives online awareness website advises that, whenever you log into a website, regardless of whether or not you have tabs open on the browser, users should check the URL - and that they are using a secure https:// address.

"If the URL doesn't look right, or there's no padlock, close the tab, open a new one and enter the URL again", said Scam Detectives editor Charles Conway.

"Better still", he adds, "make it a policy not to leave websites that require secure logins open in tabs. That way, he explained, you will know if a site that requires you to log in appears in a tab, you haven't left it there and you've been 'tabnapped.'"

"Traditional 'phishing' mails often stumble at the first hurdle by impersonating organisations or banks that you've never had dealings with, so you instantly know that if you don't bank with HSBC for example, it's a scam", he reports.

"A 'tabnapping' website will allow scammers to specifically target your account by harvesting your browser history to check that you actually visit the site it will impersonate", he noted.

What’s Hot on Infosecurity Magazine?