Beware: Tab Napping Is a New Phishing Technique




Concept of phishing and tab napping:
In the past, hackers used to create fake login pages for many popular sites and host those pages on free hosting sites such as t35, 110mb and 000webhost. The next step was to spread the link and send it to the victim via email spoofing or some other means. But browsers have since been updated and security has improved, along with education from websites like hackersthirst, hackernews, etc. Then, in May 2010, a Mozilla employee outlined a sly new attack tactic dubbed "tabnapping" that can dupe users into giving up passwords by secretly changing already-open browser tabs.

Yes, it is possible to change an already opened tab in any browser by using a small script. The point is that people nowadays browse with tabbed browsers and sometimes open (me too) a lot of tabs, then forget to go back to the other tabs or often don't find time to do so. We may call such a tab an idle tab, and, fortunately or unfortunately, that idle tab can be redirected to any phishing page. That is the basic concept of tab napping.

Here we show how hackers make it possible:
Almost all tabbed browsers are vulnerable to this attack.
Note: The short description shown here is for educational purposes only.
First of all, hackers may need free hosting for this purpose. They must also have a basic knowledge of creating HTML pages (for learning HTML go to www.w3schools.com), or if you don't have it then don't worry. They may select a hot news page, a headline, or some other popular page, and make a duplicate of it. We may call it page A. This is the front page the hacker uses to exploit the trust of the visitor. Then they take a tab napping exploit and insert it into page A.

Page B is the phishing page that page A is changed into:
They have to create a page B (that is, the phishing page; see "Phishing explained for newbies for education") and reference page B from page A. They then send the page A link to the victim. When he opens it, he may go on to open other tabs, and when the page A tab becomes idle the victim will be redirected to the phishing page.

Basic scheme and concept:
 
They have to replace the highlighted portions above with their own phishing page URL. Page A, upon becoming idle, will redirect to page B (the phishing page). So that's the trick that hackers use.

Note: While using a tab, always make sure that you are on the original website.


How to prevent tab napping:
  1. When using tabbed browsing and switching to other tabs, look at the URL shown in the address bar. Otherwise you may land on a phishing page for Facebook, Orkut, etc. and log in thinking that you opened it yourself.
  2. Use the latest NOD32 personal security version. You may search this blog to get it for free.
  3. JavaScript is used by many websites for different purposes. If you disable it, you can avoid being caught by tab napping, but doing this is not a legitimate solution.
  4. The best technique to protect yourself from tab napping is to use a script called NoScript. It is a free add-in for the Firefox browser.
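
The URL check from step 1, written out as an added example that is not part of the original post: it accepts a login URL only when its origin exactly matches a trusted entry, the way a password manager decides whether to fill credentials. The trusted list, the sample URLs and the function name `checkLoginUrl` are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): exact-origin check for a login URL.
// The trusted list is a constructed sample; replace it with the sites you use.
const TRUSTED_LOGIN_ORIGINS = new Set([
  "https://www.facebook.com",
  "https://mail.example.com",
]);

// Returns { ok, reason } for the URL currently shown in the address bar.
function checkLoginUrl(addressBarUrl, trusted = TRUSTED_LOGIN_ORIGINS) {
  let url;
  try {
    url = new URL(addressBarUrl);
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not HTTPS" };
  }
  // "https://www.facebook.com@host/" puts the familiar name in the userinfo part.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo before the host" };
  }
  // Internationalized labels can render as look-alikes of a trusted name.
  if (url.hostname.split(".").some((label) => label.startsWith("xn--"))) {
    return { ok: false, reason: "punycode hostname" };
  }
  // url.origin is scheme + host + non-default port, so a trusted name used as a
  // subdomain of another domain, or a different port, does not match.
  if (!trusted.has(url.origin)) {
    return { ok: false, reason: "origin not on trusted list" };
  }
  return { ok: true, reason: "exact origin match" };
}

// Constructed sample URLs: one genuine, the rest look-alikes.
const SAMPLES = [
  "https://www.facebook.com/login.php",
  "http://www.facebook.com/login.php",
  "https://www.facebook.com.login.example/login.php",
  "https://www.facebook.com@login.example/",
  "https://www.xn--80ak6aa92e.com/",
];
for (const s of SAMPLES) {
  const r = checkLoginUrl(s);
  console.log(`${r.ok ? "OK   " : "BLOCK"} ${s} (${r.reason})`);
}
```

Only the first sample passes; each of the others fails at a different check, which is the part of the URL a quick glance at the address bar tends to miss.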