Mozilla's Creative Lead for Firefox, Aza Raskin, has devised a new phishing method that capitalizes on users' lack of attention to the order and content of their browser's tabs. Called "tabnabbing," the attack uses JavaScript to alter the content of a page opened in a browser tab, when the user moves away from it.
"Most phishing attacks depend on an original deception. If you detect that you are at the wrong URL, or that something is amiss on a page, the chase is up. You’ve escaped the attackers. In fact, the time that wary people are most wary is exactly when they first navigate to a site. What we don’t expect is that a page we’ve been looking at will change behind our backs, when we aren’t looking. That’ll catch us by surprise," Mr. Raskin,
explains on his blog.
The attack proposed by the design expert has a Web page detect when the user changes focus from it and deceptively change its appearance. The booby-trapped page doesn't even have to be a rogue one. It can be part of a legit website that has been compromised via a technique that allows code injection.
