Tabjacking/Tabnabbing: What is it?
The humble browser tab is something we take for granted nowadays, and most of us have probably never thought about what an impact it has had on the way we surf the internet. The concept first appeared in what is now a little-known browser called NetCaptor more than 20 years ago, and although adoption was initially slow, once Opera and Firefox introduced it in the early 2000s, Microsoft's Internet Explorer realized that it had no other option but to follow the pack, and tabs became the norm.
Nowadays, they give us the flexibility of focusing on multiple different tasks at the same time. Thanks to browser tabs, we can quickly switch between web pages, and we can find the resources we need in a matter of seconds. Tabs are massively useful, but they can also be a very good attack vector.
What is tabnabbing or tabjacking?
The attack was first discussed some ten years ago when security researchers realized that a simple but clever technique could allow cybercriminals to pull off what is potentially an extremely clever phishing attack. Here's the scenario.
As you can see, it's a clever attack, but how likely are you to fall victim to it?
Tabnabbing is struggling to gain popularity with cybercriminals
In 2010, Brian Krebs discussed the attack in detail and explained how many advantages it has over the more traditional tools of the hackers' trade. Back then, information security specialists had already come up with a few proof-of-concept pages, which showed how tabnabbing might work in the wild. Since then, we have seen even more polished designs that overcame a few technical difficulties. They were all published by security researchers, however, and they were all displayed with the idea of protecting and educating users, not harming them.
We have yet to see any large-scale tabnabbing attacks against unsuspecting internet users. It looks like, for the time being, at least, the crooks prefer to use more traditional schemes for stealing people's credentials. It's not easy to justify this decision.
Indeed, tabnabbing involves compromising a website and injecting code into it, which makes it more of a technical challenge. At the same time, however, the social engineering involved in the classic phishing campaigns is absent in this case. Perhaps most of the crooks are happy with the results of the tried and tested methods and reckon that the additional innovation is not worth the effort. That being said, you mustn't underestimate the threat.
What can you do to protect yourself from tabnabbing?
Obviously, a tabnabbing attack can only work against users who don't have the habit of closing their inactive tabs. Unfortunately, for many people, using fewer tabs is easier said than done. Nevertheless, better tab management can always help. Experts advise using multiple browser windows and arranging different sets of tasks in them. While not foolproof, it might just help you spot something suspicious.
The thing that can really save you is your own attention to detail. As we mentioned already, a tabnabbing attack relies on a fake login form, and the good thing about fake login forms is that they can't be hosted on the domain they are trying to impersonate. If you establish the habit of double-checking the address bar of your browser before entering your username and password, you have a good chance of protecting yourself from both tabnabbing and more traditional phishing.
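The address-bar check described above is easy to state but has a few traps, so here it is written out as an added example (not code from the original article). It uses the browser's own WHATWG URL parser, which is what the address bar displays, to decide whether a login form is really on the domain it claims to belong to. The legitimate domain `example.com`, the impostor host `attacker.example`, and all sample URLs are constructed for illustration; `loginFormIsOnExpectedDomain` is a hypothetical helper name, not a browser API.

```javascript
// Added example, not from the original article: apply the "double-check the
// address bar" advice mechanically. Sample domains/URLs are constructed.

function hostOfSecurePage(urlString) {
  // Anything the URL parser rejects is treated as unsafe (returns null).
  let url;
  try {
    url = new URL(urlString);
  } catch (e) {
    return null;
  }
  // A password should only ever be typed into a page served over HTTPS.
  if (url.protocol !== "https:") return null;
  // url.hostname is the host that will actually receive the form submission.
  // It drops userinfo, so "https://example.com@attacker.example/" resolves to
  // "attacker.example", and it converts lookalike Unicode hosts to punycode
  // ("xn--..."), so they can never equal the real ASCII domain.
  return url.hostname.toLowerCase().replace(/\.$/, "");
}

function loginFormIsOnExpectedDomain(addressBarUrl, expectedDomain) {
  const host = hostOfSecurePage(addressBarUrl);
  if (host === null) return false;
  const expected = expectedDomain.toLowerCase();
  // Accept the domain itself or a genuine subdomain (host ends with ".expected").
  // A bare suffix test would wrongly accept "evilexample.com"; the leading dot
  // is what rules it out. "example.com.attacker.example" fails because its
  // suffix is ".attacker.example", not ".example.com".
  return host === expected || host.endsWith("." + expected);
}

// Constructed sample of what different address bars might show for a page
// claiming to be the example.com login form.
const SAMPLE_ADDRESS_BARS = [
  "https://example.com/login",
  "https://accounts.example.com/login",
  "https://EXAMPLE.COM/login",
  "http://example.com/login",                       // not HTTPS
  "https://example.com@attacker.example/login",     // userinfo trick
  "https://example.com.attacker.example/login",     // real domain as a subdomain
  "https://evilexample.com/login",                   // suffix trick
  "https://\u0435xample.com/login",                 // Cyrillic "е" lookalike
  "not a url",
];

function classifySamples(expectedDomain) {
  // Returns a map of URL -> true (safe to enter credentials) / false (do not).
  const verdicts = {};
  for (const u of SAMPLE_ADDRESS_BARS) {
    verdicts[u] = loginFormIsOnExpectedDomain(u, expectedDomain);
  }
  return verdicts;
}

for (const [u, ok] of Object.entries(classifySamples("example.com"))) {
  console.log((ok ? "OK   " : "STOP ") + u);
}
```

Only the first three sample addresses pass; every trick in the rest changes the host the browser would actually submit to, which is exactly the detail the article asks you to look at before typing a password.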