What Is Tabnapping and How Can You Protect Yourself

Have you ever seen a fake login page as part of a phishing scam? They’re usually waiting at the other end of a link that leads people to a very believable login page for a popular service. For instance, you may see someone talk about a video on Facebook with a link. You click it to see the video, but instead of leading to Facebook, it leads to a fake Facebook look-alike that asks for your login details to see the video. The idea is that people think they’ve been logged out of Facebook and go to log back in again, only to hand their login details to the scammer.

Of course, people are wising up to this sort of scam, so it’s getting harder for scammers to get login details from fake links. However, there’s a fiendish new method of phishing on the internet: tabnapping.

These days scammers are moving away from direct attacks and instead hope to trick you while you’re “on autopilot,” when you’re not paying 100% attention. There have been a lot of nasty attacks in the past, but tabnapping is one of the more nefarious.

Here’s how tabnapping works. Someone sets up a website that looks completely normal. Within the website’s code, they place a check that detects when the tab has become “inactive.” Inactive tabs are tabs that you’re not currently looking at. If you have other tabs open in your browser right now, every tab other than the one you’re reading this article in is inactive.


A user visits this innocent-looking website and assumes nothing is wrong with it. They’ll then switch over to another tab; perhaps someone messaged them on Facebook, for instance. This means that the “innocent” webpage has become inactive, which then activates the scammer’s code.

Here’s what the code does. First, it waits until the tab has been inactive for long enough that you’ve probably forgotten about it. Once the waiting time has expired, it changes the website’s content to a fake login page, for Gmail, for instance. It then changes the site’s “favicon,” the little icon you see on the tab. MakeTechEasier’s favicon is the blue “MTE” logo. It also changes the page title from its original name to something like “Gmail: Email from Google.”

The result is a tab that looks almost identical to Gmail’s login page. If you took a long, hard look at the tab, you’d be able to spot that something’s wrong immediately. Of course, because you’re wrapped up in your daily life, you don’t notice it. Then you remember you need to send that email off to your friend, so you go over to the inactive “Gmail” tab. Oh, but Gmail has logged you out and requires your login info again. What a hassle! Let’s re-enter the login details. This completes the tabnapping attack.
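As an added illustration that is not part of the original article: the three things the attack rewrites (title, favicon and page content) can be watched for from the defender’s side. The script below is the kind of check a browser extension’s content script could run: it snapshots the tab’s identity when the tab goes hidden and compares again when it becomes visible. The function names, the `example.test` origin and the scenario values are constructed for this example.

```javascript
// Snapshot the tab identity a tabnapping page rewrites while hidden: title,
// favicon and whether a password field exists. `doc`/`loc` are parameters so
// the logic can run outside a browser.
function snapshotIdentity(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    title: doc.title,
    favicon: icon ? icon.href : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the snapshot taken when the tab went hidden with one taken when it
// became visible again. An empty list means the tab still looks like the page
// you left; anything else deserves a look at the address bar.
function detectTabnapping(atHide, atShow) {
  const findings = [];
  if (atHide.origin !== atShow.origin) findings.push(`origin changed: ${atHide.origin} -> ${atShow.origin}`);
  if (atHide.title !== atShow.title) findings.push(`title changed: "${atHide.title}" -> "${atShow.title}"`);
  if (atHide.favicon !== atShow.favicon) findings.push(`favicon changed: ${atHide.favicon} -> ${atShow.favicon}`);
  if (!atHide.hasPasswordField && atShow.hasPasswordField) findings.push('a password field appeared while the tab was hidden');
  return findings;
}

// Constructed scenario from the article: an innocent page turns into a fake
// Gmail login while hidden. The origin stays the same, which is why the URL is
// the one thing the attacker cannot rewrite.
function demoScenario() {
  const before = { origin: 'https://example.test', title: 'Cat pictures',
                   favicon: 'https://example.test/favicon.ico', hasPasswordField: false };
  const after = { origin: 'https://example.test', title: 'Gmail: Email from Google',
                  favicon: 'https://example.test/gmail.ico', hasPasswordField: true };
  return detectTabnapping(before, after);
}

// Browser hook-up (skipped under Node): snapshot on hide, compare on show.
if (typeof document !== 'undefined') {
  let atHide = null;
  document.addEventListener('visibilitychange', () => {
    if (document.visibilityState === 'hidden') {
      atHide = snapshotIdentity(document, window.location);
    } else if (atHide) {
      const findings = detectTabnapping(atHide, snapshotIdentity(document, window.location));
      if (findings.length) console.warn('Possible tabnapping:', findings.join('; '));
      atHide = null;
    }
  });
}
```

A page that navigates to a different URL while hidden would reload the content script and lose the snapshot, so that variant needs tracking in the extension’s background script instead.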

If you’d like to see a live demonstration of tabnapping in your own browser, open this page about tabnapping in a new tab. Allow the webpage to load fully. Tab back to this article and watch the tabnapping tab for five seconds. After five seconds, it’ll “magically” turn into a fake Gmail tab.


While it’s just a demo, and there’s no fake Gmail login page to trick you, you can imagine how convincing it would be if there were a detail-perfect Gmail login page on that tab. This shows the lengths to which scammers will go to get your details.

This all sounds very scary, and rightfully so. The idea that any of your tabs can morph into a convincing phishing attack is highly worrying! Thankfully, while scammers can change the content and tab information to look identical to an official service, there’s one thing they’ve never been able to copy perfectly: the URL of the page.

Of course, scammers have tried their best with URLs that look almost like the real thing. However, an exact copy of the real URL is impossible, which makes the address bar your main way to tell a genuine login page from a fake one. If you’re presented with a login page for any reason, check the URL. If it looks fishy, such as a convoluted address or one that isn’t served over “https,” don’t use it! Close it, open a new tab, and navigate to the real deal manually from there. Here’s an example of an authentic Facebook tab, and its defining features:

[Image: an authentic Facebook tab and its URL]

Tabnapping is one of the more nefarious methods of scamming users, preying upon idle tabs and our habit of not rechecking pages we’ve already used. By taking care when you log in, you can avoid tabnapping and keep your information safe.

Have you been, or almost been, a victim of tabnapping? What do you think about this highly nefarious trick? Do you think it would successfully trick you if you encountered it? Let us know in the comments.
