What is TABNAPPING? Prevent Your Identity From Being Stolen

Phishers have now come up with something new and witty to steal your identity: tabnapping (tab + kidnapping). Aza Raskin, the creative lead of Firefox, unveiled this simple, elegant style of identity theft, which phishers are using to exploit the inattention and trust of users in their browser tabs. Tabnapping involves secretly replacing an existing tab with a fake one which shows the login page of a website, and the user is duped into giving away his/her password. All popular browsers on Windows and Mac OS X are vulnerable to tabnapping.
Consider this: you are browsing the net with multiple tabs open, as usual, navigating from one tab to another occasionally. One of these tabs is your Gmail account.

You click on it, find that the site has timed out and the login page is displayed. You re-enter your username and password and you are ‘successfully redirected’ to your inbox.
Well, all this is what you thought happened. In reality, the situation can be a bit different. There is a possibility that, while you thought your Gmail account had timed out, a suspicious site open in some other tab had secretly changed its contents to become a look-alike of the Gmail login page. You innocently type in your password, press the Enter button, and that's when you get tabnapped!
What's astounding is that you won't even notice, because you are redirected to your inbox. This works because you were never logged out in the first place, so you think that your login was successful. Similar cases can happen with your Twitter, Facebook or Citibank account too.

How to prevent yourself from being tabnapped?

Play it safe. If you see that a site has timed out and a seemingly legit login page is displayed in front of you, the best defense is to close it and type the URL of the site in a new tab. This will ensure that you do not fall prey to any phisher using tabnapping to steal your identity.

Can your browser provide any kind of security?

Well, in a way, yes. All major browsers have filters to protect users from sites using malicious software or code. We may assume that those filters are updated regularly and that sites using such phishing tactics would be blocked by them.
But you cannot totally rely on your browser. You will have to be careful yourself. Once your browser manages to warn you of a potentially risky site, the decision is yours.
One more thing that you should do to avoid being fooled is to check the URL in your browser's address bar before you fill in any form that asks for your personal information.
Usually the attackers bank upon your inattention towards the address bar and take pains only to mutate the favicon, title and content of the page to create the spoof. The URL is hard to fake, and when the tab and the address don't match, that's your cue to close the tab immediately.
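
The check described above (does what the tab claims to be match the address?) can be written down as a small heuristic of the kind a browser add-on might run when you return to a tab. This is an added example, not code from Raskin or from any add-on; the snapshot shape, the function names and the brand-to-domain list are assumptions made for the illustration.

```javascript
// Added example. BRAND_DOMAINS is a small constructed allow-list for the demo.
const BRAND_DOMAINS = {
  gmail: ["google.com"],
  twitter: ["twitter.com"],
  facebook: ["facebook.com"],
  citibank: ["citi.com", "citibank.com"],
};

function hostOf(url) {
  try { return new URL(url).hostname.toLowerCase(); } catch (e) { return ""; }
}

// True only for the domain itself or a real subdomain of it, so
// "accounts.google.com.login.example" does not pass as google.com.
function hostBelongsTo(host, domains) {
  return domains.some((d) => host === d || host.endsWith("." + d));
}

// before/after: { url, title, favicon, hasPasswordField } (hypothetical shape),
// captured when the user left the tab and when they came back to it.
function checkTab(before, after) {
  const signals = [];
  if (before.title !== after.title) signals.push("title changed while hidden");
  if (before.favicon !== after.favicon) signals.push("favicon changed while hidden");
  if (!before.hasPasswordField && after.hasPasswordField) {
    signals.push("login form appeared while hidden");
  }
  const title = after.title.toLowerCase();
  const brand = Object.keys(BRAND_DOMAINS).find((b) => title.includes(b));
  const host = hostOf(after.url);
  const mismatch = Boolean(brand) && !hostBelongsTo(host, BRAND_DOMAINS[brand]);
  if (mismatch) signals.push(`tab says ${brand}, address bar says ${host || "(unparseable)"}`);
  // Titles change legitimately (unread counts), so only the tab/address
  // mismatch on a page asking for a password decides the verdict.
  return { verdict: mismatch && after.hasPasswordField ? "close-tab" : "ok", signals };
}

// Constructed sample snapshots of one tab, before and after it was left alone.
const left = { url: "http://blog.example/post", title: "Holiday photos",
  favicon: "http://blog.example/favicon.ico", hasPasswordField: false };
const returned = { url: "http://blog.example/post", title: "Gmail: Email from Google",
  favicon: "http://blog.example/g.ico", hasPasswordField: true };
console.log(checkTab(left, returned));
```

A real Gmail tab whose title changes from "Inbox - Gmail" to "Inbox (1) - Gmail" produces a signal but still returns "ok", because its address belongs to the domain the title claims.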

Are there any add-ons that can prevent Tabnapping?

Though NoScript, the premier Firefox script-blocking add-on, is successful in stopping Raskin's proof-of-concept, which demonstrates this elegant phishing technique on his site, code has already been created which can circumvent the defenses of NoScript.
Hence it is not as dependable as it appears to be, but still something is better than nothing!