A New Type Of ‘Phishing’ Attack – ‘Tab-Nabbing’

This morning, I came across an interesting and scary article about a new type of ‘phishing’ attack – ‘tab-nabbing’.  For those of you unfamiliar with the cyber lingo, ‘phishing’ is:

“The act of sending an e-mail to a user falsely claiming to be an established legitimate enterprise in an attempt to scam the user into surrendering private information that will be used for identity theft. The e-mail directs the user to visit a Web site where they are asked to update personal information, such as passwords and credit card, social security, and bank account numbers, that the legitimate organization already has…The [site], however, is bogus and set up only to steal the user’s information.”

Definition courtesy of Internet.com

A well-known example of a ‘phishing’ attack occurred when cyber-criminals sent spam emails claiming to be from eBay, telling users that their eBay account would be suspended unless they clicked a link and updated their personal information, including credit card information.  The email was, of course, a ruse designed solely to obtain the credit card information and had nothing to do with eBay at all.

Many Internet users are more savvy now, and spam email filters have improved somewhat.  However, this new type of ‘phishing’ scheme is – to quote my friend, Flavio, at Amplify.com – “scary and dangerous.”  Flavio was the individual who made me aware of this new form of ‘phishing,’ and you can read more about it from him here as well as link to a video clip describing it.

Unlike the ‘phishing’ attack described above involving eBay, this new form of attack does not rely on its ability to deceive a user from the get-go.  In other words, the only way the eBay scam could succeed is if the user does not detect anything fishy about the email or about the page they land on after clicking the link (e.g., the URL might look odd, the site seems unusual, etc.).  Once a user detects these abnormalities, the scammer has failed.

‘Tab-nabbing’ works by changing the way a legit site looks behind your back.  Here’s how the scam works – You begin by logging on to the site you actually intended to visit.  You click away from that site for whatever reason; e.g., let’s say you open a new tab and visit some other site for a little while.  The ‘tab-nabber’ detects that you have navigated away for a while, and using simple computer code, changes the ‘favicon’ of the first site to something you, as a user, would be familiar with.  The example given in the article was Gmail – the red and white envelope symbol you have probably seen thousands of times by now.  When you visually scan your tabs, you see the Gmail symbol and think nothing of it.  You re-open the tab, thinking you must have left a Gmail tab open by mistake, and are then re-directed to a bogus site asking for your Gmail login information.  The site looks just like your normal Gmail login page, so you are none the wiser.  Meanwhile, the ‘tab-nabber’ has just obtained your login information and can now login to your email remotely from anywhere in the world.
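One defensive check that follows from the mechanism above (an added example, not code from the original post): a browser extension or userscript could record a tab’s origin, title and favicon when the tab is hidden and compare them when you return, warning if the tab changed its identity while you were away. The snapshot shape and the function names are my own assumptions.

```javascript
// Defender-side tab-nabbing check (added example, hypothetical helper names).
// Takes a snapshot of what identifies a tab to the user: its origin, its title
// and its favicon. `doc` and `loc` are the page's document and location.
function snapshotTab(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.href : null,
  };
}

// Compares the snapshot taken when the tab was hidden with the one taken on
// return and returns a list of human-readable findings (empty = nothing changed).
// A nabbed tab typically keeps its origin (the attacker's own page rewrites
// itself), so the favicon and title changes are the important signals.
function detectTabNabbing(before, after) {
  const findings = [];
  if (before.origin !== after.origin) {
    findings.push('origin changed: ' + before.origin + ' -> ' + after.origin);
  }
  if (before.favicon !== after.favicon) {
    findings.push('favicon changed: ' + before.favicon + ' -> ' + after.favicon);
  }
  if (before.title !== after.title) {
    findings.push('title changed: "' + before.title + '" -> "' + after.title + '"');
  }
  return findings;
}

// Browser wiring: snapshot on hide, compare on show. Skipped when run under Node.
if (typeof document !== 'undefined') {
  let hiddenSnapshot = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) {
      hiddenSnapshot = snapshotTab(document, window.location);
      return;
    }
    if (!hiddenSnapshot) return;
    const findings = detectTabNabbing(hiddenSnapshot, snapshotTab(document, window.location));
    if (findings.length > 0) {
      alert('This tab changed its appearance while you were away:\n' + findings.join('\n') +
            '\nCheck the address bar before entering any password.');
    }
    hiddenSnapshot = null;
  });
}
```

The alert is only a prompt to look at the address bar; the origin in the address bar, not the favicon or title, is what tells you which site you are really on.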

Once inside your email account, the ‘tab-nabber’ can do all sorts of mischief: access private information, obtain historical information about sites you visit, your clients’ information, and so on.  After reading my friend’s article, I am starting to see where some lawyers and law firms are coming from when they set blanket policies on not using email for client communications.  It remains to be seen how widespread this type of attack will be.  However, one thing is certain:  If this scam proves to be successful, then more attackers will use it, and their use will not be limited to just trying to get inside email accounts.

For those of you concerned about your office’s cyber-security, I would strongly encourage you to educate yourself further about ‘tab-nabbing.’  This is definitely something that we need to be on our guard against in order to safeguard our private information as well as our clients’.

Thanks again to Flavio over at Amplify.com for making me aware of this issue.

9 comments

  1. roofers 85234 · May 18, 2013

    It’s very trouble-free to find out any matter on net as compared to books, as I found this article at this web site.


  2. Pingback: Restaurant Bucuresti
  3. Pingback: phishing
  4. Pingback: Corey's Corner | Avoiding Scammers | Briscoe Network Solutions
  5. Dani H · June 10, 2010

    Thanks to Brett of “Moments…” for reblogging this post! I think it may have happened to me yesterday {BEFORE I read this} as Yahoo! Mail kept asking for my password. I’m going to be checking addresses EVERY time I change tabs in the future. Thanks.


  6. Pingback: A New Type Of ‘Phishing’ Attack – ‘Tab-Nabbing’ (via Cyber-Esq.) « Moments…
  7. Pingback: Tweets that mention A New Type Of ‘Phishing’ Attack – ‘Tab-Nabbing’ « Cyber-Esq. -- Topsy.com
  8. Ulf Wolf · May 25, 2010

    Great post.

    Perhaps I can just add to this that the best way to guard against being ripped off by online sales or auctions of any kind, Craigslist and eBay included—and whether seller or buyer—is to use a *bona fide* online escrow company. Especially for pricier items like antiques, jewelry and autos. Although it does add some cost, it takes the uncertainty out of the transaction, and that’s a small price to pay for peace of mind.

    For my money, the best bona fide online escrow (and there seems to be ten fraudulent escrow sites for every bona fide one) is probably Escrow.com (http://escrow.com). In fact, it’s the only one that eBay recommends, and is the only online escrow company that is licensed to provide escrow services all across the United States.

    Take care,

    Ulf Wolf


  9. Ben · May 25, 2010

    I can’t express enough how much eye-popping I’ve earned reading this piece.
    many thanks to you folk!
    Ben
