Tabnabbing: Like phishing within browser (podcast)

Mozilla creative director and blogger Aza Raskin talks about a new phishing technique called "tabnabbing" that works inside all major browsers.

Is it Gmail or a bogus page created by a tabnabber? Aza Raskin

Mozilla's Aza Raskin is warning about a new type of phishing attack called tabnabbing.

Unlike traditional phishing attacks, which trick people into clicking links that lead to bogus sites made to look legitimate, tabnabbing doesn't require the user to click on a link at all. But it too can trick people into disclosing their usernames and passwords.

While you're visiting a Web page carrying malicious tabnabbing code, the page's tab, once you've switched away from it, morphs into what appears to be a legitimate site such as Gmail or a banking site. To the user it looks familiar, and since it's common to have many tabs open at once, it's easy to assume it really is the site you meant to visit. When you click on it you find you're not logged in, but that too can seem normal, since many sites log you out automatically after a period of inactivity. If you're a tabnabbing victim and try to log in to the site, however, you hand your log-in credentials to the tabnabber.
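The morph described above, turned into a defender-side check. This is an added example, not code from the article or from Raskin's demo: a browser extension could snapshot a tab when it goes to the background and run this comparison when the tab regains focus. The brand-to-host table and the `faviconHref`/`report` helpers in the trailing comment are constructed assumptions.

```javascript
// Snapshot of what an extension content script can read from its own document.
function snapshotTab(title, faviconHref, url) {
  return { title, favicon: faviconHref, url };
}

// Constructed sample table (assumption, not an authoritative list):
// login brand -> hosts that legitimately serve that brand's login page.
const LOGIN_BRANDS = {
  gmail: ['mail.google.com', 'accounts.google.com'],
  citibank: ['online.citi.com', 'citi.com'],
};

function sameSite(hostname, legitimateHost) {
  return hostname === legitimateHost || hostname.endsWith('.' + legitimateHost);
}

function brandsInTitle(title) {
  const t = title.toLowerCase();
  return Object.keys(LOGIN_BRANDS).filter((brand) => t.includes(brand));
}

// Compares the tab as it was when it went to the background with how it looks
// on return. Returns { level: 'none' | 'low' | 'high', reasons: [...] }.
// 'low'  = title or favicon changed with no navigation (weak signal: unread
//          counts and similar legitimately change titles).
// 'high' = the title newly names a login brand, yet the tab's hostname (the one
//          thing the page script cannot rewrite) is not one of that brand's hosts.
function assessTabReturn(before, after) {
  const reasons = [];
  let level = 'none';
  if (before.url === after.url) {
    if (before.title !== after.title) reasons.push('title changed without navigation');
    if (before.favicon !== after.favicon) reasons.push('favicon changed without navigation');
    if (reasons.length > 0) level = 'low';
  }
  const host = new URL(after.url).hostname;
  const previouslyNamed = brandsInTitle(before.title);
  for (const brand of brandsInTitle(after.title)) {
    if (previouslyNamed.includes(brand)) continue;
    if (!LOGIN_BRANDS[brand].some((h) => sameSite(host, h))) {
      reasons.push(`title now presents ${brand} but tab host is ${host}`);
      level = 'high';
    }
  }
  return { level, reasons };
}

// Assumed wiring inside an extension content script (not executed here):
//   let saved;
//   document.addEventListener('visibilitychange', () => {
//     if (document.hidden) saved = snapshotTab(document.title, faviconHref(), location.href);
//     else if (saved) report(assessTabReturn(saved, snapshotTab(document.title, faviconHref(), location.href)));
//   });
```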


Ironically, the very security techniques that some sites use to protect users can increase the chances of falling for this scam. "For example," said Raskin, "it can detect that you're logged into CitiBank right now and CitiBank has been training you to log into your account every 15 minutes because it logs you out for better security. It's like being hit by the wrong end of the sword."

Raskin said that, unlike with many types of malicious software, PC security programs won't protect users, because the malicious code runs as part of the Web page rather than as software installed on the PC. "None of those will help in this case." He said that Firefox helps because it will "look at every page you visit and determine whether it thinks it's a phishing scam." Raskin said Mozilla is looking at putting an account manager similar to LastPass into future versions of Firefox, which would automatically log users in to their accounts.

If you go to Raskin's blog post about tabnabbing, you'll see an actual demonstration. After you've been on the page for a few seconds, click away to another tab and then come back to the tab with his blog post. If it works as planned, you will be looking at what appears to be a Gmail log-in page. Fortunately, this is only a test; it won't actually let you type anything.

Click below to listen to the 9 1/2-minute podcast interview with Aza Raskin


About the author

Larry Magid is a technology journalist and an Internet safety advocate. He's been writing and speaking about Internet safety since he wrote Internet safety guide "Child Safety on the Information Highway" in 1994. He is co-director of, founder of and, and a board member of the National Center for Missing & Exploited Children. Larry's technology analysis and commentary can be heard on CBS News and CBS affiliates, and read on He also writes a personal-tech column for the San Jose Mercury News. You can e-mail Larry.
