Aza Raskin just posted an interesting article on his blog detailing a new phishing attack that he calls Tabjacking. The concept of this new attack is ingenious.

It basically refers to a website that is changing its look and feels to a fake website after some time of inactivity. Here is how it works.

The web user visits a harmless looking site and decides to keep it open in a tab for the time being. A JavaScript code on the page notices that and replaces the site’s favicon and title with a popular site’s one. This could be Facebook, Gmail or any other popular website that the user likely uses.

The website itself will also change its contents so that it looks like the website that the attacker wants to steal login credentials for.

Many users identify websites in tabs by their favicon and title. This could lead to the user believing that the site is indeed the real website. Clicking on the tab displays what the user expects to see as the copy looks exactly like the original.

For Gmail it would for instance be the Gmail login form. Users who enter their login credentials into the form will send them right to the attacker. The script on the website will redirect the user to the real website in the end.

A New Type of Phishing Attack from Aza Raskin on Vimeo.

There are obviously a few elements left that the user can use to identify the attack. The url for instance will not reflect the website that is displayed to the user. It is also likely that the site will not make use of https.

Take a look at Aza’s blog post for additional information about the attack including codes, fixes and lots of user comments.

Think of this example: A user receives an email from PayPal or his bank which states that the account was comprised and that action needs to be taken right now. A link is provided and most users will click on that link to get to the website fast. The website looks like the real PayPal or bank website which adds to the trust the user has in the process. The website asks for authorization and most users will enter their data without hesitation. The data that is entered will be collected by the attackers and used in criminal activity.

What is phishing:

• Phishing always requires a user to visit a specifically prepared website (most of the time through a link that is added in emails or messaging)
• The fake website looks a lot like the real website (there are ways to detect fake websites)
• The goal of the attackers is to get the user to enter the data that they are after into a web form.

Phishing protection:

The most powerful weapon against phishing is common sense and the following rules that every user should oblige to.

• If you are not a customer of the site delete the email immediatly. Don´t click on the link or reply.
• If you are a customer and you are not sure if the email is legit do one of the following:
• Contact the institute by phone or contact at the official website ( do not use the email link of course) and ask if the mail is official.
• Instead of using the link provided open the website by typing in the official link there. The site should have news about the email on their starting page. (most of the time). If not, use 2a to verify the email.

Thankfully though there are quite a few tools out there to aid and protect the user against phishing attacks.

• Most web browsers these days come with phishing protection enabled. The lists that they use are usually updated several times a day. It has to be noted though that they only detect phishing websites that are already in the list.
• Several email clients, like Mozilla Thunderbird, but also online email services, like Gmail or Yahoo Mail, make use of phishing protection as well.
• Internet security programs do come with phishing protection as well.
• Password managers can be an excellent aid. If you have saved the login for a website in the password manager you usually can login automatically (Last Pass for example supports that option). The password manager will only work on the real website and not the phishing website.

The most powerful protection again is the user’s common sense. Here are a few pointers on how to detect if a website is real or a phishing site:

• Check the url in the address bar. Is it pointing to the right website? Make sure you look close for chars that look similar, e.g. o and 0.
• Is it a https website? Is the certificate valid?
• Does the website look different? Open another web browser tab to enter the url manually just to be on the same side (if you have opened an external link)

Firefox users can check if the phishing protection of their web browser is working. Do you have additional phishing protection tips?