Smart SpendingSmart Spending

'Tabnabbing' -- a new twist on ID theft

An inactive browser tab is replaced with a fake page set up specifically to obtain your personal data -- without you realizing it has occurred.

By Karen Datko Jul 13, 2010 1:39PM

This post comes from partner site


Just when it seemed as though the various types of phishing attacks had been identified, up pops another more sophisticated version. Most commonly known as "tabnabbing," it's also called "tabnapping" or kidnapping of Internet tabs.

Phishing scams typically involve sending hoax e-mails to your computer in an attempt to steal your usernames, passwords and bank details. Often the sender will claim to be from your bank and will ask you to verify your bank details by clicking on a link contained in the e-mail. The link directs you to a fake website that looks like your bank's website. Once you have typed in your login details, the criminals who set up the fake site have access to your information.


How it works

Tabnabbing doesn't rely on persuading you to click on a fake link. It targets Internet users who open lots of tabs on their browser at the same time and changes the way a legitimate site looks behind your back.


An inactive browser tab is replaced with a fake page set up specifically to obtain your personal data -- without you even realizing it has happened. Scammers can detect when a tab has been left inactive for a while and spy on your browser history to find out which websites you regularly visit so they know which pages to fake.


For example: You open the login page for your online bank account, but then you open a new tab to visit another website for a few minutes, leaving the original tab unattended during this time. When you return to your bank's website, the login page looks exactly how you left it, but it is again requesting that you log in. This seems reasonable because you assume you've timed out on your original login.

You don't realize that a fake page was substituted and when you re-enter your username and password, it's at the con artist's site. Once you re-enter your login information, you are redirected to your bank's website since you never actually logged out in the first place. Meanwhile, the scammer has obtained your login information and can now log in to your account.


Beating the scammer

Tabnabbing should be fairly easy to avoid. North Dakota Attorney General Wayne Stenehjem offers five tips for protecting yourself:

  • Make sure you always check to be sure the URL is correct before you enter any login details. A fake page will have a different URL than the real website.
  • Always check to make certain the URL has a secure https:// address.
  • If the URL looks suspicious in any way, close the tab and reopen it by entering the correct URL again.
  • Avoid leaving open tabs that require you to type in secure login details. Don't open any tabs while doing online banking. Open new windows instead.
  • Don't log in on a tab that you have not opened yourself.

While this type of attack on your computer could potentially be devastating, it is relatively simple to keep yourself safe online. Follow the steps above and if you question a URL, close out of the site and start over again. Or simply do not leave tabs open on the Internet.


More from and MSN Money:

Please help us to maintain a healthy and vibrant community by reporting any illegal or inappropriate behavior. If you believe a message violates theCode of Conductplease use this form to notify the moderators. They will investigate your report and take appropriate action. If necessary, they report all illegal activity to the proper authorities.
100 character limit
Are you sure you want to delete this comment?


Copyright © 2014 Microsoft. All rights reserved.

Fundamental company data and historical chart data provided by Morningstar Inc. Real-time index quotes and delayed quotes supplied by Morningstar Inc. Quotes delayed by up to 15 minutes, except where indicated otherwise. Fund summary, fund performance and dividend data provided by Morningstar Inc. Analyst recommendations provided by Zacks Investment Research. StockScouter data provided by Verus Analytics. IPO data provided by Hoover's Inc. Index membership data provided by Morningstar Inc.


Smart Spending brings you the best money-saving tips from MSN Money and the rest of the Web. Join the conversation on Facebook and follow us on Twitter.