
'Tab napping' - a new online scam

DoubleD Member Posts: 273
Watch out for this new online phishing scam which uses 'tab napping' to attack your computer - and your finances...

As internet users we’re all vulnerable to online scams. Unluckily for us, as soon as we become pretty good at spotting one type of attack, another more sophisticated version comes along in its place. In fact, technology company Mozilla - which developed the Firefox web browser - has recently warned against a possible threat from a new scam known as ‘tab napping’ which takes phishing one step further.

What is tab napping?

Tab napping is essentially a new kind of phishing scam. Until now phishing has involved sending hoax emails in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the email.

The link actually directs you to a fake website which looks just like your bank's own website. Once you have typed in your login details they can be accessed by the criminals who set the fake site up.

But we’re beginning to wise up to phishing attacks like this, and many of us know we should be very wary of clicking URLs even if they appear to be in a legitimate email.

With awareness of phishing on the up, making it more difficult for scammers to succeed, tab napping could be the scam to watch out for next.

How does tab napping work?

Tab napping is more sophisticated than the phishing scams we’ve seen so far, and it no longer relies on persuading you to click on a dodgy link. Instead it targets internet users who open lots of tabs on their browser at the same time (for example, by pressing CTRL + T).

How does it work? By replacing an inactive browser tab with a fake page set up specifically to obtain your personal data - without you even realising it has happened.

Believe it or not, fraudsters can actually detect when a tab has been left inactive for a while, and spy on your browser history to find out which websites you regularly visit, and therefore which pages to fake.

So don't assume that after you have opened a new tab and visited a web page, that web page will stay the same even if you don’t return to it for a time while you use other windows and tabs. Malicious code can replace the web page you opened with a fake version which looks virtually identical to the legitimate page you originally visited.

How might tab napping work in practice?

Imagine you open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes, leaving the first tab unattended. When you return to your bank’s site the login page looks exactly how you left it. What you haven’t realised is that a fake page has taken its place, so when you type in your username and password, you have inadvertently given the fraudster easy access to your account.

Even if you have already logged into your bank account before opening another tab, when you return you might find you’re being asked to log in again. This may not necessarily rouse any suspicion since you might simply assume your bank has logged you out because you left your account inactive for too long. You probably won’t even think twice before logging in for a second time. But this time round you have accidentally inputted your security details into a fraudster’s fake page which have been sent back to their server.

Once you have done so, you can then be easily redirected to your bank’s genuine website since you never actually logged out in the first place, giving you the impression that all is well.

How can you protect yourself against tab napping?

This is pretty scary stuff but thankfully tab napping should be relatively easy to avoid. Here are five simple ways you can prevent yourself from falling victim:

Make sure you always check the URL in the browser address page is correct before you enter any login details. A fake tabbed page will have a different URL to the website you think you’re using.
Always check the URL has a secure https:// address even if you don’t have tabs open on the browser.
If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again.
Avoid leaving tabs open which require you to type in secure login details. Don't open any tabs while doing online banking - open new windows instead (CTRL + N).
Finally, take a look at Online banking: How to stay safe to find out other ways to protect yourself from online scams
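
The URL checks in the list above, together with the swap-while-inactive behaviour the article describes, written as detection logic. This is an added example, not part of the original post; the snapshot shape, the function names and the `example.test` hosts are assumptions constructed for illustration.

```javascript
// Added example: compare a tab's state when it was left with its state on return.
// Assumed snapshot shape: { url, title, favicon, hasPasswordField }.

// Origins the user really logs in to (constructed sample value).
const TRUSTED_LOGIN_ORIGINS = new Set(["https://bank.example.test"]);

function safeOrigin(rawUrl) {
  try {
    const u = new URL(rawUrl);
    // The URL parser treats "https://bank.example.test@evil.test/" as host
    // evil.test, so a name hidden in the userinfo part cannot pass as the origin.
    return { origin: u.origin, https: u.protocol === "https:" };
  } catch {
    return { origin: null, https: false }; // unparsable URL: never trusted
  }
}

function auditTabOnReturn(left, now, trusted = TRUSTED_LOGIN_ORIGINS) {
  const warnings = [];
  const before = safeOrigin(left.url);
  const after = safeOrigin(now.url);

  // Signs that the page was replaced while the tab was in the background.
  if (before.origin !== after.origin) warnings.push("origin-changed-while-hidden");
  if (left.title !== now.title || left.favicon !== now.favicon)
    warnings.push("title-or-icon-changed-while-hidden");
  if (!left.hasPasswordField && now.hasPasswordField)
    warnings.push("login-form-appeared-while-hidden");

  // The article's advice: before typing credentials, check the URL and https.
  if (now.hasPasswordField) {
    if (!after.https) warnings.push("login-form-not-https");
    if (!trusted.has(after.origin)) warnings.push("login-form-on-untrusted-origin");
  }
  return warnings;
}

// Constructed snapshots: a gallery page that turns into a bank login while hidden.
const leftTab = { url: "http://pictures.example.test/gallery", title: "Pictures",
                  favicon: "/pics.ico", hasPasswordField: false };
const swappedTab = { url: "http://pictures.example.test/gallery", title: "Bank - Log in",
                     favicon: "/bank.ico", hasPasswordField: true };
const genuineLogin = { url: "https://bank.example.test/login", title: "Bank - Log in",
                       favicon: "/bank.ico", hasPasswordField: true };
```

An empty result means the tab looks the same as when it was left and any login form sits on a trusted https origin.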

Comments

  • shaqazoolu Member Posts: 259
    The amount of naps in this thread makes me sleepy. Isn't it tab-nabbing?
    :study:
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    shaqazoolu wrote: »
    The amount of naps in this thread makes me sleepy. Isn't it tab-nabbing?

    Yep lol.

    It was really interesting though.
  • alan2308 Member Posts: 1,854
    shaqazoolu wrote: »
    The amount of naps in this thread makes me sleepy. Isn't it tab-nabbing?

    Until I saw this, I was reading it as tab-nabbing.
  • arwes Member Posts: 633
    Tab-napping as in kidnapping your tabs I assume?
    Started WGU - BS IT:NDM on 1/1/13, finished 12/31/14
    Working on: Waiting on the mailman to bring me a diploma
    What's left: Graduation!
  • Ahriakin Member Posts: 1,799
    You'd already need to have malware running on your system for this to work. Shouldn't the first one of those steps be to prevent the initial infection with the best AV/HIPs etc. you can afford....Essentially the standard practices to prevent malware in the first place, including script blocking, IPS and the usual web gamut are the most effective.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • wastedtime Member Posts: 586
    I remember reading about this late last week. The proof of concept is here.
  • tiersten Member Posts: 4,505
    Ahriakin wrote: »
    You'd already need to have malware running on your system for this to work. Shouldn't the first one of those steps be to prevent the initial infection with the best AV/HIPs etc. you can afford....Essentially the standard practices to prevent malware in the first place, including script blocking, IPS and the usual web gamut are the most effective.
    Nope. It doesn't need any existing malware on your system.

    I send you a link to hxxp://www.dynamik-loves-pokemon.com that's actually my scam site.
    You click it and see lots of pokemon pictures and go wow how lame I'm going to flame Tiersten on the forum for sending me there so you go to another window/tab whilst leaving it open.
    The script on my site detects that it isn't the topmost window and changes the page to now look like the login page for your webmail/bank/whatever.
    Much later you want to go check your email/account/whatever and look to see if you've got it open already. You see my fake page and use it.

    Nothing was preloaded on your system. If you don't have a popup blocker then you could get popups which quietly change into scam pages from adverts.
  • tpatt100 Member Posts: 2,991
    tiersten wrote: »
    Nope. It doesn't need any existing malware on your system.

    I send you a link to hxxp://www.dynamik-loves-pokemon.com that's actually my scam site.
    You click it and see lots of pokemon pictures and go wow how lame I'm going to flame Tiersten on the forum for sending me there so you go to another window/tab whilst leaving it open.
    The script on my site detects that it isn't the topmost window and changes the page to now look like the login page for your webmail/bank/whatever.
    Much later you want to go check your email/account/whatever and look to see if you've got it open already. You see my fake page and use it.

    Nothing was preloaded on your system. If you don't have a popup blocker then you could get popups which quietly change into scam pages from adverts.

    lol that is pretty awesome
  • Ahriakin Member Posts: 1,799
    tiersten wrote: »
    Nope. It doesn't need any existing malware on your system.

    I send you a link to hxxp://www.dynamik-loves-pokemon.com that's actually my scam site.
    You click it and see lots of pokemon pictures and go wow how lame I'm going to flame Tiersten on the forum for sending me there so you go to another window/tab whilst leaving it open.
    The script on my site detects that it isn't the topmost window and changes the page to now look like the login page for your webmail/bank/whatever.
    Much later you want to go check your email/account/whatever and look to see if you've got it open already. You see my fake page and use it.

    Nothing was preloaded on your system. If you don't have a popup blocker then you could get popups which quietly change into scam pages from adverts.


    Nope (ditto :) ), whether loaded dynamically or not the malicious code needs to be running on your system. The same preventative measures apply as for any modern malware. My point here is what the bad-guys are doing once they have injected rogue processes into your system is to me irrelevant, whether it's loading a fake AV applet or trying something more subtle like this. The preventative measures listed are post-op when the advice should be about prevention to begin with.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • tiersten Member Posts: 4,505
    Ahriakin wrote: »
    Nope (ditto :) ), whether loaded dynamically or not the malicious code needs to be running on your system. The same preventative measures apply as for any modern malware. My point here is what the bad-guys are doing once they have injected rogue processes into your system is to me irrelevant, whether it's loading a fake AV applet or trying something more subtle like this. The preventative measures listed are post-op when the advice should be about prevention to begin with.
    Ah. In that case then yup! Disable scripting and addons. You should be mostly safe then assuming there aren't any horrendous bugs in the browser itself.
  • Kaminsky Member Posts: 1,235
    DoubleD wrote: »
    Imagine you open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes, leaving the first tab unattended.

    But ... why would you even think of doing this ?

    When I online bank, I clear down all browsers first and login, check what I want to check and hit the logout button and then close down that browser again. Anyone who opens up all sorts of tabs and one of them is online banking, another is say ebay or paypal, you are just asking for trouble.

    Maybe I'm old fashioned but the only time I feel safe on the internet is when the ISP cable is unplugged and even then I am dubious when my hard drive kicks into action for no apparent reason... (av kicking in)

    Seriously, people really should have wised up to the tinternet by now. "you have malware on this PC. Click this button and we will perform a free scan" ... woah... The only way I will get rid of that box is through ctrl-alt-del. I won't even click the top right close box.

    Stay away from dodgy sites and you stay 90% hassle free normally. Fly around the internet willy nilly and you are going to get tagged.
    Kam.
  • mikedisd2 Member Posts: 1,096
    Kaminsky wrote: »
    But ... why would you even think of doing this ?

    When I online bank, I clear down all browsers first and login, check what I want to check and hit the logout button and then close down that browser again. Anyone who opens up all sorts of tabs and one of them is online banking, another is say ebay or paypal, you are just asking for trouble.

    People just aren't savvy to security and scams. I saw on TV plebs still being suckered by Nigerian scammers. It'll always be that way.
  • Paul Boz Member Posts: 2,620
    People have been falling for scams for thousands of years. What makes you think that it's going to get any better any time soon?

    Dare I remind you guys of the Catholic Church's fun concept of indulgences?

    How about people taking radium pills at the turn of the 20th century because OMG RADIATION IS SO GOOD FOR YOU. Too bad you've got six hands now!
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • tiersten Member Posts: 4,505
    Paul Boz wrote: »
    How about people taking radium pills at the turn of the 20th century because OMG RADIATION IS SO GOOD FOR YOU. Too bad you've got six hands now!
    Ah but the difference there is that the general population and the people peddling it did actually believe radiation was good for you so it's not really a scam. If you do actually believe then you're not defrauding people. You're just delusional (probably from the extra fingers) :)

    A scam that I found out about recently which is just bizarre is about the alleged merits in investing in copper "bullion" and various other non precious metals. Places actually get big chunks of copper and stamp it with markings similar to what you'd get on a gold bar. Only people getting rich out of this are the ones that make and sell the bars.
  • Paul Boz Member Posts: 2,620
    tiersten wrote: »
    Ah but the difference there is that the general population and the people peddling it did actually believe radiation was good for you so it's not really a scam. If you do actually believe then you're not defrauding people. You're just delusional (probably from the extra fingers) :)

    I should have thought out that analogy a bit better. I have not seen the copper bullion scams but that doesn't surprise me either.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/