Phishing Takes a New Form: Tabnapping

6/02/2010

The average online computer user faces many security threats. Users are commonly reminded to keep their operating systems up to date, install antivirus software and firewalls, and have at least one anti-spyware program running at all times. Kroll investigators counsel members of our identity theft programs to reduce their fraud exposure to Internet threats with this advice. We also remind them not to fall victim to a false sense of security. Identity theft protection does not exempt consumers from following practices to reduce their likelihood of becoming a victim while online. When it comes to online safety, best practices involve avoiding questionable websites, using social networking safely and being stingy with personal information. Now we add to our list of advice “close inactive browser tabs.” Why? To prevent a relatively new phenomenon known as “tabnapping.”

Tabnapping – a term coined by Aza Raskin, the researcher who discovered the attack – adds a new component to online safety best practices. The research reports that a spoofed or compromised website may be able to do a quick scan of the browsing history on the targeted machine, learn whether the user has visited a banking or email site, and morph the inactive tab into a phony version of the visited site. By attempting to log in to the phony site, the user gives their login information to a criminal. Raskin went a step further than just explaining the process of stealing user names and passwords by demonstrating on his blog how it can happen.

A simple way to prevent “tabnapping” is to open a new tab or browser window prior to visiting any site where a login is required. Additionally, Computerworld has already offered up some valuable advice and techniques to thwart these attacks. But even if you open a new window every time you surf to a site that requires a login, don’t let down your guard. While this may be the latest thing in terms of phishing scams, danger may lurk behind any URL.

It’s hard to predict how commonplace this attack will become, but we’re sure to hear more and more about it in the near future as it gains traction. What do you think – is this new threat more dangerous than other types of phishing? Or is it just the proverbial flavor of the month?

By Ross Peiser
Senior Investigator, Kroll Fraud Solutions


One Response to “Phishing Takes a New Form: Tabnapping”

  1. Optimizer says:

    Thanks for making the effort in clearing up the new terminology to the beginners!