Tabnabbing - New Phishing Technique

Scary stuff!

I've just seen a retweeted link (@tputh via @tomcavil) which I found pretty interesting:

To summarise: the user leaves page focus for a minute, and the page changes its design to that of a well-known site, complete with login box. The site then records the user's details, and voilà, the user can be hacked.

I've not yet experienced this (I hope!), nor seen it in action, but I can easily see how it could fool someone. I often leave tabs open, forget I'm logged in and then have to log in again on session timeout. Thinking about it, I don't check the URL when I do either.

Also, from a non-phishing point of view, I think it'd be interesting to change the page depending on the level of the user input. Leave focus for a minute, have a popup appear for instance. This could be especially useful on a form, warning the user of a session timeout/limit.

I might have a play with it, see if I can make anything interesting.
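
The session-timeout warning idea above, as an added example (not code from the original post or the linked article). The 15-minute limit, the 2-minute warning window and the names `createSessionWatcher` and `banner` are assumptions; the logic is kept separate from the browser wiring so it can be checked with a fake clock.

```javascript
// Added example: warn about session timeout when the user returns to the tab.
const SESSION_LIMIT_MS = 15 * 60 * 1000; // assumed server-side idle limit
const WARN_BEFORE_MS = 2 * 60 * 1000;    // assumed: warn when under 2 min remain

function createSessionWatcher(now = Date.now) {
  let lastActivity = now(); // last real user input
  let hiddenSince = null;   // when the tab lost focus, if it is hidden
  return {
    // Call on real user input to reset the idle clock.
    activity() { lastActivity = now(); },
    // Call when the tab loses focus.
    hidden() { hiddenSince = now(); },
    // Call when the tab regains focus; returns what the page should show.
    visible() {
      const t = now();
      const awayMs = hiddenSince === null ? 0 : t - hiddenSince;
      hiddenSince = null;
      const remainingMs = SESSION_LIMIT_MS - (t - lastActivity);
      if (remainingMs <= 0) return { state: 'expired', awayMs, remainingMs: 0 };
      const state = remainingMs <= WARN_BEFORE_MS ? 'warn' : 'ok';
      return { state, awayMs, remainingMs };
    },
  };
}

// Browser wiring; skipped where no DOM exists. Assumes the script is
// loaded at the end of <body>, so document.body is available.
if (typeof document !== 'undefined') {
  const watcher = createSessionWatcher();
  const banner = document.createElement('div');
  banner.hidden = true;
  document.body.appendChild(banner);
  for (const ev of ['keydown', 'click']) {
    document.addEventListener(ev, () => watcher.activity());
  }
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { watcher.hidden(); return; }
    const r = watcher.visible();
    banner.hidden = r.state === 'ok';
    // Show a notice only. Never swap a login form into the page while it is
    // in the background: that is the pattern tabnabbing relies on.
    if (r.state === 'warn') {
      const mins = Math.ceil(r.remainingMs / 60000);
      banner.textContent = `Session ends in about ${mins} min. Save your form.`;
    } else if (r.state === 'expired') {
      banner.textContent = 'Session expired. Reload the page to sign in again.';
    }
  });
}
```

Sending an expired session through a full reload to the real sign-in URL, rather than drawing a login box in place, keeps the address bar meaningful for users who do check it.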
