Video Screencast Help
Symantec Secure Login will be live on Connect starting February 25. Get the details here.

New Online Phishing Scam Which Uses 'Tab Napping' To Attack Your Computer ...

Created: 20 Feb 2012 • Updated: 21 Feb 2012 | 9 comments
Language Translations
P4Amdik19's picture
+11 11 Votes
Login to vote


As internet users we’re all vulnerable to online scams ,a new Exploit known as ‘tab napping which takes phishing one step further..Tab napping is the new type of phising spam.Until now phishing has involved sending mails in attempt to steal your username & passwords.And attacker will clem to be from your bank and he will force you to click on the link.It will redirect to you on fake website.

Tab napping is more sophisticated than the phishing scams .and it no longer relies on you to click on a link .Instead it targets internet users who open lots of tabs on their browser at the same time

How it Work :--

It replace an inactive browser tab with a fake page to obtain your personal data without you even realising it has happened .don't assume that after you have opened a new tab and visited a web page, that web page will stay the same even if you don’t return to it for a time while you use other windows and tabs. Malicious code can replace the web page .

Pevention Mechanism :--

Here are five simple ways you can prevent yourself ,

  1. You have to check your URL in the browser always Before providing login credencial on the sites .

  2. Always check the URL has a secure even if you don’t have tabs open on the browser.

  3. Don't open any tabs while doing online banking

  4. And your browser have to be updated .

Comments 9 CommentsJump to latest comment

AR Sharma's picture

I am expecting a little more detail on how it works...I could not understand that if inactive tab is repalced by fake page, then how information can be stoten? However, vote up for letting us know the new threat!

Thanks & Regards,

AR Sharma, CISSP

IBM Certified System Admin- Lotus Domino V7

ITIL V2 Certified

Login to vote
P4Amdik19's picture

This attack works by first detecting that the tab the page is in does not have focus. Then the attacking script (Javascript) can change the tab favicon icon and title before loading a new site, say a fake version of Gmail, in the background.Attacker can hijack your page, detect that you frequently login to Citibank’s or any website and impersonate that site, complete with a message about automatically ending your session and asking you to login again.....

Thanks & Regards

Pratik Mahadik

Login to vote
mathell's picture

The attacker cannot "hijack your page" (any more than they already have) and they cannot "detect that you frequently login to Citibank".  Although it may be browser dependent, for the most part you can't do that anymore using JS or CSS tricks.  All they can do is delay the execution of their malicious "payload" on that specific tab/page.

Let me write the shorter version of this attack:

  1. User hits page that loads malicious JS.  We'll call this tab 1. Let's presume the user loaded the page as a result of clicking on a link in a phishing email.
  2. User opens up new tab and starts browsing the Internets or whatever else one might do in a browser tab.  Let's call this tab 2.
  3. The JS in tab 1 triggers on a particular event (lost focus, etc) and/or has a timer, it either modifies the DOM for that page directly (changes title, fav icon, whatever) or loads a new page.  NOTE: this occurs on tab 1. No other tabs or pages are modified.

The reason I think this attack is unlikely to be used much by attackers, is because it's likely to be much less successful then a traditional, more direct phish.  The point of the phish is to make the resulting page trick users and encourage them to provide information.  Or it just tries to exploit them directly.

Login to vote
P4Amdik19's picture

Yes ..your right Mathell ......Hijacking means i was talking about browser version and all. Attacker try to find victim machine information . Because it depend upon your Browser if your Browser is vulnerable for this attack then it is possible. And easier than the phising attack by using payloads ...

When you try to send phising page OR link to some one on mails its directly goes to SPAM folder in mail account because gmail detect as an malicious URL.

And a Now a days everyone aware about the phising mails and all.So thats the only reason attacker use this method ....

hope now everyhing is cleared ... 

Thanks & Regards

Pratik Mahadik

Login to vote
SG Raj's picture

The priniple behind tab napping is very simple and is done by java script.

Tab napping is all about the relation of 2 pages. suppose Page A and Page B. Victim was viewing page A in a tab of a browser and then left this idle and and now using some other website in another tab of browser. If the user will not return to page A for some pre-specified time, page A will automatically redirect to Page B. This Page B is your phishing page. This redirection and cheking for user actions is done by Javascript.

For example:

Make a web page and use the tab napping script in that page say it page A. This script will not affect the layout or content of the page. This script will check for user actions. If the page is idle for some time, this script will redirect this page to a pre-specified page which may be your phishing page. You have to specify this page in the script.

timerRedirect = setInterval("location.href=''",10000);

this line will redirect to Gmail after 10 sec. Change this location to the address of your phishing page. This line is used 2 times in the script so change is both lines.

so, page A with tab napping script will redirect to phishing page B. Now send the link of the page A to your victim. This is a normal page. If the page is idle for some time it will be changed to page B.

Login to vote
Prasad Prabhu's picture

Computerworld - A new, incredibly sneaky identity-theft tactic surfaced earlier this week when Mozilla's Aza Raskin, the creative lead of Firefox, unveiled what's become known as "tabnapping."

Stated simply, tabnapping -- from the combination of "tab" and "kidnapping" -- could be used by clever phishers to dupe users into giving up passwords by secretly changing already-open browser tabs. All of the major browsers on Windows and Mac OS X are vulnerable to the attack.

Because most people keep multiple tabs open, often for long periods, and because they trust that the contents and label of a tab are immutable, tabnapping could become the next big thing in identity theft.

That open tab labeled "Citibank" or "Facebook" may not be the real deals, Raskin argued. But you may not know that..., so you enter your username and password to, you think, log in again.

Boom! You're owned.

Tabnapping isn't in active circulation at the moment, but the ease with which another researcher was able to sidestep a noted Firefox add-on designed to prevent such trickery doesn't bode well.

What can you do if tabnapping shows its face? We have a few answers.

What should I not do? Don't log-in on a tab that you haven't opened yourself.

Since the tabnapping tactic banks on you trusting that you opened the tab -- and that the site simply timed out -- the best defense is this offensive move. In other words, if you see a tab that contains a seemingly-legit log-in form, close it, then head to the site yourself in a new tab.

Will browser makers patch this? Unlikely. Microsoft's Jerry Bryant, a general manager at the company's security response center, said the issue isn't a security vulnerability per se, and that Internet Explorer (IE) falls for the scam because that's the way browsers work.

"Working with [Raskin's] proof-of-concept, as written, is expected," he said in an e-mail Tuesday when asked whether Microsoft had a fix in mind for IE.

Can my browser protect me at all? Yes.

Every major browser has a filter of some kind designed to weed out malicious sites and/or legitimate sites that are suspected of being infected with attack code. Presumably, those filters, assuming the blacklists underlying them are current and accurate, would block tabnapping attacks.

To kidnap tabs, a hacker has to get his tab-mutating code onto your machine somehow. Raskin pointed that out by noting the likely attack vector. "Every time you include a third-party script on your page, or a Flash widget, you leave yourself wide open for an evil doer to use your site as a staging ground for this kind of attack," he wrote in his blog.

So the best defense browsers can currently manage is to warn you of potential attack sites before you reach them. That's where filtering comes in.

Login to vote
mathell's picture

Just to clarify, becaue I think there is some context missing here.   This is little more than a "delayed" [phishing] attack.  The only tab that can be modified is the tab the malicious js loads in. Instead of presenting the user immediately with the phishing page on that tab...the malicious js loads and waits until some event occurs and then it modifies that tab.  It is sort of interesting, but I'm not sure how useful it will be for attackers.

Login to vote
lalitc's picture

Try to share new updates will help us .

Login to vote
althmash's picture

...Nice written ...try to share all new attacks information .this will help us to update with new attacks  ,,,

Thank you ..smiley

Login to vote