North Dakota’s Attorney General Gives Fraud Advice

TOO GOOD TO BE TRUE….

A Column on Consumer Issues

by Attorney General Wayne Stenehjem’s Consumer Protection and Antitrust Division

July 7, 2010

“Tabnabbing” or “Tabnapping” – A More Sophisticated Phishing Attack

Just when we thought we had mastered identifying the various types of phishing attacks, there is a new kind of Internet phishing attack you should be aware of – one that is more sophisticated. Most commonly known as “tabnabbing,” it is also called “tabnapping” or kidnapping of your Internet tabs!

Phishing scams typically involve sending hoax emails to your computer in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the email. The link directs you to a fake website which looks like your bank’s website. Once you have typed in your login details, the criminals who set up the fake site have access to your information.

Tabnabbing does not rely on persuading you to click on a fake link. It targets Internet users who open lots of tabs in their browser at the same time. Here’s how it works: tabnabbing changes the way a legitimate site looks behind your back. It replaces an inactive browser tab with a fake page set up specifically to obtain your personal data, without you even realizing it has happened. The attackers can detect when a tab has been left inactive for a while and spy on your browser history to find out which websites you regularly visit, so they know which pages to fake.

Here is an example: You open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes. This leaves the original tab unattended during that time. When you return to your bank’s website, the login page looks exactly how you left it, but it is again requesting that you log in. This seems reasonable because you assume that your original login has timed out. What you don’t realize is that a fake page was substituted, and when you re-enter your username and password it is not for the official bank login but for the con artist. Once you re-enter your login information, you will be redirected to your bank’s website since you never actually logged out in the first place, giving you the impression that all is well. Meanwhile, the con artist has just obtained your login information and can now log in to your account without your knowledge.

Tabnabbing should be fairly easy to avoid as long as you are careful. Here are five simple ways to protect yourself:

1. Always check that the URL in the browser address bar is correct before you enter any login details. A fake tabbed page will have a different URL from the website you think you are using.

2. Always check to make certain the URL has a secure https:// address even if you don’t have tabs open on the browser.

3. If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again.

4. Avoid leaving open tabs which require you to type in secure login details. Don’t open any tabs while doing online banking. Open new windows instead.

5. Don’t log in on a tab that you have not opened yourself.
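
Checks 1 and 2 above come down to comparing the address against the exact site name you expect, which is why a look-alike address fails them. The following is an added example, not part of the original column; the function name `checkLoginUrl` and all hostnames are constructed placeholders.

```javascript
// Added example: checks 1 and 2 from the list above, applied to an address.
// Hostnames are constructed; .example and .test are reserved for documentation.

function checkLoginUrl(addressBarUrl, expectedHost) {
  let url;
  try {
    url = new URL(addressBarUrl);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }
  // Check 2: the address must be https://
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // Anything before an "@" is a username, not the site name.
  if (url.username || url.password) {
    return { ok: false, reason: "text before @ is not the site name" };
  }
  // Check 1: the whole host must match exactly. URL.hostname is already
  // lowercased, and look-alike non-ASCII letters show up in "xn--" form.
  const host = url.hostname.replace(/\.$/, "");
  if (host !== expectedHost.toLowerCase()) {
    return { ok: false, reason: `host is ${host}, expected ${expectedHost}` };
  }
  return { ok: true, reason: "https and host match" };
}

// Constructed sample addresses a returning user might find in a tab.
const EXPECTED = "www.mybank.example";
const SAMPLES = [
  "https://www.mybank.example/login",       // the real page
  "http://www.mybank.example/login",        // no https
  "https://www.mybank.example.login.test/", // real name used as a prefix
  "https://www.mybank.example@login.test/", // real name placed before "@"
  "https://www.myb\u0430nk.example/login",  // Cyrillic "a" look-alike
  "data:text/html,<form>Log in</form>",     // page with no site behind it
];

for (const sample of SAMPLES) {
  const result = checkLoginUrl(sample, EXPECTED);
  console.log(result.ok ? "OK    " : "REJECT", sample, "->", result.reason);
}
```

Only the first sample passes; each of the others contains the bank's name somewhere in the address but is not the bank's site.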

While this type of attack on your computer could potentially be devastating, it is relatively simple to keep yourself safe online. Follow the steps outlined above and if you question a URL, close out of the site and start over again. Or simply do not leave tabs open on the Internet!

The Attorney General’s Consumer Protection Division investigates allegations of fraud in the marketplace. Investigators also mediate individual complaints against businesses. If you have a consumer problem or question, call the Consumer Protection Division at 328-3404, toll-free at 1-800-472-2600, or 1-800-366-6888 (w/TTY). This article and other consumer information are located on our website at www.ag.nd.gov.

The Too Good To Be True, published by the North Dakota Attorney General’s Office, is circulated the first Wednesday of every month.
