Thursday 25 July 2013

Tabnabbing - Another Way of Phishing

Tabnabbing is a type of phishing attack. Let’s discuss how it works. Suppose you are working with multiple tabs in your browser and one of them has opened a normal-looking website that is hosted or compromised by an attacker. If this tab stays inactive for some time, the page in it makes your browser replace the favicon, the page title and the page content so that the tab looks like the login page of a service you are using. Whenever you switch back to this inactive tab, you get the spoofed login page. Because it is a look-alike page, if you don’t check the URL carefully (which is very common: a regular visitor of a site tends to identify it by its look, and cares about the URL at the beginning of a session but hardly at all during it) and proceed to log in, assuming you must have opened this page earlier and forgotten to log in, your credentials are submitted to the attacker’s website, and he then redirects you to the original website.
Example: I am working with multiple tabs in my browser, Tab_1 – Gmail, Tab_2 – Google, Tab_3 – w.x.y.z, Tab_4 – Microsoft, as shown in the following picture.

Now suppose my Tab_3 goes inactive for a few minutes because I was working in other tabs. This is where the attacker’s tabnabbing script comes in: once it senses that the tab has lost focus and been inactive for a while, it makes Tab_3 replace its favicon, page title and page content with those of the Gmail login page. Now when I switch to Tab_3 I find a Gmail login page with the Gmail favicon and page title, as shown in the following picture (as highlighted with a circle in the picture, the URL is not correct, but this attack relies on the assumption that we generally don’t check the URL during a session, and because of its look and feel the page passes for the original login page).

Now, on seeing this page, I may think that I opened Gmail and forgot to log in, so I proceed with the login. My user name and password are submitted to the attacker’s URL, and he then redirects me to the original Gmail; since I already have an active session with Gmail in Tab_1, my account loads successfully in Tab_3 as well.
Note: To make this attack more effective, attackers usually first collect information about your browsing habits, such as which sites you visit (email, Internet banking, social networking, etc.), and then host a normal-looking website carrying the tabnabbing script. This normal-looking website can be advertised or promoted by any method that will entice you to visit it.
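From the defender’s side, the sequence described above has a recognisable shape: a tab loses visibility, its title and favicon are rewritten while nobody is looking, and a password form is waiting when the user returns, all without the URL ever changing. The following is an added example, not code from the original post, that replays a constructed event log for one tab and flags that shape. The event names and fields (load, visibility, title, favicon, form) are assumptions made for this example; in a real browser extension they would be fed from the Page Visibility API (visibilitychange) and a MutationObserver watching the title and icon link.

```javascript
// Added example, not from the original post: a defender-side detector for the
// tabnabbing sequence. It replays a time-ordered event log for one tab and
// flags the pattern the attack depends on: title/favicon rewritten while the
// tab is hidden, followed by a password form once the tab is visible again.
// Event names and fields below are assumptions for this example.

// Constructed sample modelled on Tab_3 in the article: w.x.y.z is loaded, the
// user leaves the tab, the page rewrites itself to look like Gmail, and a
// login form is shown when the user returns. The origin never changes.
const tabnabbedTab = [
  { t: 0,   type: 'load',       origin: 'https://w.x.y.z', title: 'Welcome to w.x.y.z', favicon: 'https://w.x.y.z/favicon.ico' },
  { t: 5,   type: 'visibility', state: 'hidden' },
  { t: 65,  type: 'title',      value: 'Gmail' },
  { t: 66,  type: 'favicon',    value: 'https://w.x.y.z/img/gmail.ico' },
  { t: 120, type: 'visibility', state: 'visible' },
  { t: 121, type: 'form',       action: 'https://w.x.y.z/collect', hasPassword: true },
];

// Constructed benign sample: a webmail tab that only updates its unread count
// in the title while hidden. Title changes alone are normal and must not fire.
const benignTab = [
  { t: 0,  type: 'load',       origin: 'https://mail.example', title: 'Inbox', favicon: 'https://mail.example/favicon.ico' },
  { t: 5,  type: 'visibility', state: 'hidden' },
  { t: 30, type: 'title',      value: '(3) Inbox' },
  { t: 60, type: 'visibility', state: 'visible' },
];

// Replay the event log and return a verdict together with the evidence.
function analyzeTab(events) {
  let hidden = false;
  let origin = null;
  let rewrittenWhileHidden = false; // title or favicon changed while hidden
  let faviconWhileHidden = false;   // a favicon swap while hidden is rarely legitimate
  let loginAfterRewrite = false;    // password form shown after the hidden rewrite
  const evidence = [];

  for (const ev of events) {
    switch (ev.type) {
      case 'load':
        origin = ev.origin;
        break;
      case 'visibility':
        hidden = ev.state === 'hidden';
        break;
      case 'title':
      case 'favicon':
        if (hidden) {
          rewrittenWhileHidden = true;
          if (ev.type === 'favicon') faviconWhileHidden = true;
          evidence.push(`t=${ev.t}: ${ev.type} set to "${ev.value}" while tab hidden`);
        }
        break;
      case 'form':
        if (ev.hasPassword && rewrittenWhileHidden) {
          loginAfterRewrite = true;
          evidence.push(`t=${ev.t}: password form posting to ${ev.action} after hidden-state rewrite`);
        }
        break;
      default:
        break;
    }
  }

  // A title change by itself is common (unread counters, chat notifications),
  // so flag only a favicon swap while hidden, or a hidden-state rewrite that is
  // followed by a credential prompt.
  const suspicious = faviconWhileHidden || loginAfterRewrite;
  return { origin, verdict: suspicious ? 'suspicious' : 'benign', evidence };
}

// Stand-alone run: print the verdict and evidence for both constructed logs.
for (const [name, log] of [['tabnabbedTab', tabnabbedTab], ['benignTab', benignTab]]) {
  const result = analyzeTab(log);
  console.log(`${name} (${result.origin}): ${result.verdict}`);
  for (const line of result.evidence) console.log('  - ' + line);
}
```

The check deliberately does not rely on the URL, because, as the article notes, the URL is exactly what the user is not looking at; it relies instead on behaviour a legitimate page has little reason to show. The same logic is what a password manager’s origin matching buys you for free: a form on w.x.y.z never receives the Gmail credentials, whatever the page looks like.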

I hope this article helps you understand tabnabbing and how it works :-)


  1. Good one... how does the attacker force the browser to redirect to a phishing website?


    1. Thank you sir, let me correct my explanation here: the attacker doesn't force the browser to redirect; instead, they use a normal-looking website which has java code or other script to sense focus on the page, and if it senses that you have lost focus from this website and are not interacting with it for a while, then it changes its favicon and page to look like the original targeted website (here, Gmail).