Beware of the New Security Threat: Tabnabbers
You're sitting at your desk, multi-tasking as you work on a proposal. You have several tabs open: one to your Web-based e-mail, one to a website for the customer for whom you're writing the proposal, one to an industry news site, one to a business news site (such as this one) and one to your company's employees-only site.
It's been an hour or so since you checked your e-mail, so you click on the tab for your webmail account, note that you need to sign in again, and enter your user name and password. And just like that, you've given a hacker access to your e-mail account.
"Tabnabbing" is a vulnerability in tabbed browsers recently identified by Aza Raskin, founder of the music search site Songza and creative lead for the Firefox browser at Mozilla. In tabnabbing, a site that's open in a tab not uppermost can magically transform itself into something that looks just like your webmail. If you vaguely remember having opened that tab, you might well be fooled into entering your username and password thinking that your session had simply timed out.
To get a better idea of how this works, you can try it by opening Raskin's blog post on the subject in a tabbed browser, and then clicking to a different tab. Keep watching the tab where the blog post was: in a few seconds it will suddenly appear to be Gmail instead. When you click on that tab, you'll get what looks like Gmail's log-in page. Now imagine that it looked like your bank's log-in page instead. What would happen if you gave your bank log-in information to hackers?
Not in the wild -- yet
So far, there are no known instances of genuine wrongdoers using tabnabbing to collect passwords, Raskin reports. "I'm aware of other researchers and toolkits extending and expanding tabnabbing, but as of yet I do not believe anyone has reported it being used in the wild."
That can change at any moment as hackers continually look for new forms of phishing to exploit. ("Phishing" is any type of scheme that seeks to deceive users into giving up their log-in and/or password information.) Does this mean Raskin may have inadvertently helped them out -- that if he'd kept quiet about tabnabbing, the miscreants wouldn't have discovered it?
No, says Dirk Morris, CTO of Untangle, which provides open source security software. "The amount of new phishing techniques continues to amaze me," he says. "The people doing it are truly innovative, so they would have found this vulnerability on their own." Besides, he notes, Raskin's bringing tabnabbing to the world's attention means that browser makers will now work on fixes for it, although, as he acknowledges, there are no fixes yet.
How do you keep users safe in the meantime? Here are some steps that can help:
Make sure your browser has anti-phishing protection
"Although it's a new technique, there's nothing fundamentally new about phishing," Morris says. "So any browser with good anti-phishing features should work against it." Had Raskin's blog post been an actual malicious site, Firefox would have put up a warning screen alerting users that the site might not be what it appeared and cautioning them against inputting information, he says. All major browsers use some form of phishing protection in which, as soon as a site is identified as a phishing site, it is placed on a blacklist, and the browser automatically shows a warning screen if a user tries to go there. You're protected -- unless you're unlucky enough to be one of the site's first victims.
Don't let your site become a phishing tool
As a small company you have one less worry: It's unlikely that hackers will bother spoofing your company's site when creating tabnabbers. "The good news for small businesses is that phishing scams target high-traffic sites almost exclusively -- they want to maximize the likelihood that their victim does have a relationship with the spoofed site," says Jonathan Nightingale, director of Firefox development at Mozilla.
On the other hand, your company's site could wind up hosting phishing sites without your knowledge, he warns. "Attackers will often try to use websites with older versions of off-the-shelf site building software in order to host their spoof pages. Small business owners can be at risk if they don't provide resources to ensure their websites are up to date and secure."
Warn users of the danger
Unlike a virus, which you can get just by failing to update your security software and then visiting the wrong website, a phishing attack requires assistance from the user. The only way it can hurt you is if you actually enter information. With that in mind, it makes sense to alert your company's users to the danger of tabnabbing and phishing in general, and suggest some best practices that can help them stay out of trouble.
The first and most obvious suggestion is to never re-sign into any site from a tab that's been inactive for a while. Instead, close the tab, open a new one, and load the site again by typing in its URL or using a bookmark. And Paul Ducklin, head of technology, Asia Pacific for the security firm Sophos, suggests taking this one step further by forgoing the benefits of tabbed browsing where sensitive sites are concerned. "The easiest way to avoid tabnabbing, say of your bank site, is to open only the bank site, in a window of its own, with no other tabs. That way, there is never a hidden tab on which the bad guys can change things in the background."
Let software handle the passwords
Phishing attacks like tabnabbing depend on user inattentiveness, so you may not want to depend on busy computer users to remember steps like opening their banking and email sites in a separate window. An alternative is to avoid having users enter passwords altogether, for instance by having your browser manage and input passwords for you. "These are tricks designed to fool humans. They won't fool software," Morris says. The advantage is that a user asked to type in a password the browser would normally provide is likely to suspect something's wrong. On the other hand, having your browser handle passwords can present its own security problems, particularly for users who work in shared office spaces where others may have access to their computers.
A better solution might be to use password-protection software. "The idea is that powerful password managers can also generate passwords for you and fill them into forms, rather than simply remembering passwords you invent yourself," Ducklin says. "This means you can use really secure passwords like 'awsdWE$FRERV2314:fgv.' The software generates them randomly and you can be certain you have a different password for every site."
Of course, he adds, if you use password-protection software, "then the strength and security of the master password you use to access the software becomes super-important. It represents the keys to your whole castle."