A researcher has found a new method for carrying out phishing attacks “that takes advantage of the way that browsers handle tabbed browsing and enables an attacker to use a script running in one tab to completely change the content in another tab,” according to ThreatPost.
The attack, discovered by Aza Raskin of Mozilla, relies on users visiting a controlled infected website. When the user visits the infected website, it reads what other tabs the user has opened in the browser and changes itself to look like a selected page.
Raskin actually demonstrates it on his website in which the page alters to appear as the login page for Google. The system could also be used in the case of banking websites, etc. to steal login and account information.
“As the user scans their many open tabs, the favicon and title act as a strong visual cue“”memory is malleable and moldable and the user will most likely simply think they left a Gmail tab open,” Rashkin writes. “When they click back to the fake Gmail tab, they'll see the standard Gmail login page, assume they've been logged out, and provide their credentials to log in. The attack preys on the perceived immutability of tabs.”