Tabnapping: don't be scared of new phishing trick

In this week's Security Levity, I want to address the fears raised about a new phishing trick. Dubbed tabnapping, it was recently dreamed up by Mozilla's Aza Raskin. Commentators around the web are worrying about its potential. But is the sky falling? No! Let's see why...

Raskin's blog post describes the trick, using Gmail as an example:

  1. A user navigates to your normal looking site.

  2. You detect when the page has lost its focus and hasn’t been interacted with for a while.

  3. Replace the favicon with the Gmail favicon, the title with “Gmail: Email from Google”, and the page with a Gmail login look-a-like. ...

  4. The favicon and title act as a strong visual cue ... the user will ... think they left a Gmail tab open ... and provide their credentials.

Gregg Keizer also adds this useful clarification:

Most people keep multiple tabs open, often for long periods. ... The tactic banks on the trust that tabs can't suddenly mutate.
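The steps Raskin lists and the trust Keizer describes ("tabs can't suddenly mutate") suggest the natural defensive check: record the cues a user recognises a tab by (origin, title, favicon) when the tab loses focus, and compare them when it regains focus. The following is an added example written for this column, not code from Raskin's post or from any browser; it models that check as plain functions so it runs without a browser. The brand-to-origin table and the sample tab states are constructed for the example.

```javascript
// Added example (not from the column or from Raskin's post): a model of the
// check a browser or extension could perform to catch a tab whose identity
// cues changed while it was in the background. In a real browser the blur and
// focus hooks would be driven by visibilitychange / document.hidden.

// Constructed table: brand keywords a look-alike page might put in the title,
// mapped to the origin that genuinely serves that brand's login page.
const KNOWN_BRAND_ORIGINS = {
  gmail: "https://mail.google.com",
};

// Capture the cues the user sees in the tab strip.
function snapshotTab(tab) {
  return { origin: tab.origin, title: tab.title, favicon: tab.favicon };
}

// Return the brand (if any) that a title claims to be, by keyword match.
function brandClaimedByTitle(title) {
  const lower = title.toLowerCase();
  for (const brand of Object.keys(KNOWN_BRAND_ORIGINS)) {
    if (lower.includes(brand)) return brand;
  }
  return null;
}

// Compare the blur-time snapshot with the focus-time state.
// Returns a list of findings; an empty list means nothing suspicious.
function detectTabMutation(atBlur, atFocus) {
  const findings = [];
  if (atBlur.title !== atFocus.title) {
    findings.push(`title changed while hidden: "${atBlur.title}" -> "${atFocus.title}"`);
  }
  if (atBlur.favicon !== atFocus.favicon) {
    findings.push(`favicon changed while hidden: ${atBlur.favicon} -> ${atFocus.favicon}`);
  }
  // The tabnapping signature: the cues now imitate a known brand, but the
  // page is still served from an origin that does not belong to that brand.
  const brand = brandClaimedByTitle(atFocus.title);
  if (brand !== null && atFocus.origin !== KNOWN_BRAND_ORIGINS[brand]) {
    findings.push(`title claims ${brand} but origin is ${atFocus.origin}`);
  }
  return findings;
}

// Tracks one tab across blur/focus events.
class TabWatcher {
  constructor() { this.atBlur = null; }
  onBlur(tab) { this.atBlur = snapshotTab(tab); }
  onFocus(tab) {
    if (this.atBlur === null) return [];
    const findings = detectTabMutation(this.atBlur, snapshotTab(tab));
    this.atBlur = null;
    return findings;
  }
}

// Constructed scenario mirroring the column's Gmail example: an ordinary site
// when the user leaves the tab, a Gmail look-alike when they return.
function runGmailScenario() {
  const watcher = new TabWatcher();
  watcher.onBlur({ origin: "https://example-blog.invalid", title: "Weekly recipes", favicon: "/favicon.ico" });
  return watcher.onFocus({ origin: "https://example-blog.invalid", title: "Gmail: Email from Google", favicon: "/gmail-favicon.ico" });
}

// Constructed benign scenario: nothing changed while the tab was hidden.
function runBenignScenario() {
  const watcher = new TabWatcher();
  const tab = { origin: "https://example-blog.invalid", title: "Weekly recipes", favicon: "/favicon.ico" };
  watcher.onBlur(tab);
  return watcher.onFocus(tab);
}

console.log(runGmailScenario());
console.log(runBenignScenario());
```

The third finding is the one that matters: a title that claims a brand while the origin is unchanged and unrelated. A genuine Gmail tab whose title changes from "Gmail - Inbox" to "Gmail - (1) Inbox" still serves from mail.google.com and produces no brand finding, so the check does not fire on ordinary title updates. A production version would compare hostnames with subdomain handling and draw the brand table from a maintained list rather than the one-entry constant used here.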

Why is this any worse than the classic email phishing attack? Raskin argues that the fact that the tab changes behind your back makes it more dangerous:

If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers.

His point is that users notice that regular phishing links send them to the wrong sites. But by the time they return to an old browser tab, their guard is down. I disagree. The vast, vast majority of web users don't check the URL of the links they click or of the page they're on. Or if they do, they're easily confused by a URL that looks similar to the one they expect. The industry has proved this time and time again. With few exceptions, users aren't geeks. Despite all the advice given to them, they rarely even look for a TLS padlock icon. Even if they do, they don't know how to verify that the page is authenticated by a certificate authority that they trust.

Forget it. Expecting users to use 'geeky' ways to protect themselves is simply unrealistic.

Raskin explains all kinds of ways that the trick can be made even more devious. But none of these ideas make it any more dangerous than classic email phishing in the real world. Let's get real: the best way to protect users from phishing and other web threats is to use a web security service.

You simply prevent users from going to web pages that cause harm. Of course, the key is to use web security that's accurate, reacts quickly to new threats, and can detect unknown threats using effective heuristics.

When he's not calming echo-chamber fears, Amir Lev is the CTO, President, and co-founder of Commtouch (NASDAQ:CTCH), an e-mail and Web defense technology provider.

Copyright © 2010 IDG Communications, Inc.
