A Mozilla employee recently discovered a new way hackers can trick users into handing over passwords.
The tactic, dubbed “tabnabbing,” was uncovered and described in a blog post by Aza Raskin, Firefox’s creative lead. Here’s how it works:
A page the user has left open in a background tab quietly rewrites itself to look like the legitimate log-in page of a site the user regularly visits. When the username and password are entered, the information is sent to the hackers.
For example: A Gmail user may leave several browser tabs open. One of them is quietly changed to a mock-up of the Gmail log-in page (along with Gmail’s normal tab heading). The user eventually looks at the open tabs, sees one for Gmail, assumes he or she left an e-mail session open that expired and re-enters the username and password.
All major browsers are susceptible, and Raskin says the attack works because people often leave multiple tabs open for extended periods of time. The URL of the hijacked tab would give away the scam, but people assume their open tabs can’t morph into another site, so they trust the tab heading.
Warn users to check the URL in the address bar whenever a log-in page appears that they did not expect. Several other types of phishing scams use phony versions of popular sites to steal passwords.
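As an added example, not part of this article or of Raskin's post, the following JavaScript shows one way a browser extension's background logic could automate the URL check above: it flags a tab whose title names a well-known service while its hostname belongs to a different domain, and a tab that rewrote its title or icon while hidden and now shows a password field. The brand-to-domain table, the sample tab records and the field names (`changedWhileHidden`, `hasPasswordField`) are constructed assumptions; gathering those fields would need a content script that watches `document.visibilityState` and the `<title>` and `<link rel="icon">` elements, which is not shown here.

```javascript
// Added example (not from the article or from Raskin's post): a heuristic
// that flags tabs showing the tabnabbing pattern. The brand table, the tab
// records and their field names are constructed for illustration.

// Brand keyword -> registrable domains where that brand's real log-in page
// lives (assumed table; a real extension would ship a maintained list).
const BRAND_DOMAINS = {
  gmail: ["google.com", "gmail.com"],
  facebook: ["facebook.com"],
  paypal: ["paypal.com"],
};

// True when `hostname` is exactly `domain` or a subdomain of it.
// "google.com.evil.test" does NOT match "google.com".
function hostMatches(hostname, domain) {
  const h = hostname.toLowerCase();
  return h === domain || h.endsWith("." + domain);
}

// Returns the first brand keyword found in the tab title, or null.
function brandInTitle(title) {
  const t = title.toLowerCase();
  for (const brand of Object.keys(BRAND_DOMAINS)) {
    if (t.includes(brand)) return brand;
  }
  return null;
}

// Assess one tab's observed state and return the findings.
//   tab.hostname           host from the tab's current URL
//   tab.title              current document title (what the tab heading shows)
//   tab.changedWhileHidden title or favicon changed while document.hidden was true
//   tab.hasPasswordField   the page currently contains an <input type="password">
function assessTab(tab) {
  const findings = [];
  const brand = brandInTitle(tab.title);
  // Tab heading claims a brand, but the URL belongs to someone else: this is
  // exactly the mismatch the article tells users to look for.
  if (brand !== null && !BRAND_DOMAINS[brand].some((d) => hostMatches(tab.hostname, d))) {
    findings.push({
      severity: "high",
      reason: `title claims "${brand}" but host is ${tab.hostname}`,
    });
  }
  // A log-in form on a page that re-skinned itself in the background is the
  // core tabnabbing move; title changes alone are too common to flag.
  if (tab.changedWhileHidden && tab.hasPasswordField) {
    findings.push({
      severity: "medium",
      reason: "log-in form on a page that rewrote its title or icon while hidden",
    });
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed sample tab records: a real Gmail session, a recipe site that
// turned into a fake Gmail log-in page, and an untouched news page.
const SAMPLE_TABS = [
  { hostname: "mail.google.com", title: "Inbox (3) - Gmail", changedWhileHidden: true, hasPasswordField: false },
  { hostname: "recipes.example.net", title: "Gmail: Email from Google", changedWhileHidden: true, hasPasswordField: true },
  { hostname: "news.example.org", title: "Today's headlines", changedWhileHidden: false, hasPasswordField: false },
];

// Hostnames of every suspicious tab, in order.
function scanTabs(tabs) {
  return tabs.filter((t) => assessTab(t).suspicious).map((t) => t.hostname);
}

for (const tab of SAMPLE_TABS) {
  const result = assessTab(tab);
  console.log(tab.hostname, result.suspicious ? "SUSPICIOUS" : "ok", result.findings.map((f) => f.reason));
}
```

The real Gmail tab is not flagged even though its title changed in the background (unread counts do that constantly), because the host matches and no password field appeared; only the tab whose heading says Gmail while its URL says otherwise, and which grew a log-in form while hidden, is reported.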