Your identity’s been ‘tab-napped’

>> Tuesday, June 15, 2010

You want to pay bills online and decide to load your bank’s login page in one of the multiple tabs open in your Web browser.

You switch to another tab for a few seconds, and when you return to the bank’s site it looks exactly as you left it.

So you happily enter your login details and, before you know it, you’ve been “tabnapped”. Beware tab-napping, a sly tactic fraudsters are now using to phish for personal information by replacing an inactive webpage with a fake page.

Phishing is the act of stealing sensitive information by posing as a legitimate source.

Tab-napping was highlighted last month by Mr Aza Raskin, creative head of Mozilla Firefox, in a blog post that demonstrated how scammers attack unsuspecting users.


For instance, when you navigate away from his website to another tab and then return to the site, the screen switches to an innocent-looking Gmail login page.

Information-technology experts my paper spoke to identified JavaScript, a type of programming language, as the culprit behind tab-napping.

Mr David Hall, regional consumer-product marketing manager (Asia-Pacific) of security firm Symantec, said: “When someone visits a page that contains malicious JavaScript, the script can check the person’s browsing history to determine the usual websites he visits.

“The script waits for a predetermined period of inactivity before changing the display of the inactive tab to resemble the webpage of one of those sites and asks for login credentials.”

Mr Raskin added that some scammers go a step further by tricking users into re-authenticating their login details, ostensibly to reactivate an expired session.

He warned that such re-authentication happens often on bank websites, making them “even more susceptible to this kind of attack”.

While financial websites are often targets, users of popular social-networking site Facebook should beware as it is fast becoming a favourite phishing target.

Mr Paul Ducklin, head of technology (Asia-Pacific) of IT security firm Sophos, said the easiest way to avoid these scammers is to open the bank site in a tab of its own only when you want to start banking.

He said: “That way, there is never a hidden tab in which the bad guys can change things in the background.

“Likewise, close your browser when you have finished a transaction... There will then be no ‘trusted tabs’ left behind to confuse you in the future.”
nggwen@sph.com.sg
BY GWENDOLYN NG
http://myepaper.mypaper.sg/ebook/web_php/System/Zoom_In/Zoom_In_Page.html
