You have probably heard of phishing: in short, an attack that forces you to provide your confidential login credentials, which are then stolen and used illegally. Tabnabbing is a new type of phishing attack that relies on the same principle, namely stealing users' login credentials.
The major difference between phishing and tabnabbing is that phishing, in one way or another, forces you to provide the credentials, while tabnabbing exploits the user's inattention to capture them.
What is Tabnabbing / Tabjacking?
Tabnabbing, also known as tabjacking, is a phishing attack or computer exploit that takes advantage of the user's inattention to capture the login details for a well-known website such as Gmail, by impersonating it and convincing the user that the page is genuine.
How does it work?
If you have opened a page that is affected by this exploit, you are likely to see it turn into the login page of a well-known site such as Gmail. The page turns into the login page after a period of inactivity, which happens when you leave this tab and visit another one.
When you come back, you will see that the tab has meanwhile, in the background, turned into a login page. You will assume that you left the Gmail login page open, and you might enter your credentials to log back in (unlike phishing, which forces you to enter them). This is how you lose your credentials.
To see for yourself how this works, open this link [via Aza Raskin], switch to another tab for around 5 seconds, and come back to see how the page has now redirected.
Note: The above activity is just a demo, not an attack, so there is nothing to fear.
How to stay protected?
The first thing you will notice when tabnabbing occurs is that the page that has loaded is not as sharply focused as the genuine one. That is, the scripted page is less focused and has no favicon or trust seal in the browser.
Also, if you are attentive enough, you will remember that you opened some other page in that particular tab rather than this scripted page.
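
The "remember what you opened in that tab" check above can be automated. The following is an added example, not code from the original article: it records a tab's identity when the tab is hidden and compares it on return. The function names and snapshot fields are assumptions made for this sketch.

```javascript
// Added sketch: flag a tab whose identity changed while it was hidden.
// Function names and snapshot fields are assumptions made for this example.

// Record what identifies the page: location, title, favicon, login form.
function snapshot(doc, loc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    origin: loc.origin,
    path: loc.pathname,
    title: doc.title,
    favicon: icon ? icon.href : null,
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// List what differs between the state on leaving the tab and on returning.
function diffSnapshots(before, after) {
  const reasons = [];
  if (before.origin !== after.origin) reasons.push('origin changed');
  else if (before.path !== after.path) reasons.push('path changed');
  if (before.title !== after.title) reasons.push('title changed');
  if (before.favicon !== after.favicon) reasons.push('favicon changed');
  if (!before.hasPasswordField && after.hasPasswordField) {
    reasons.push('password field appeared');
  }
  return reasons;
}

// A title change alone is normal (unread counters), so warn only when a
// password field appeared together with at least one identity change.
function looksLikeTabnabbing(before, after) {
  const reasons = diffSnapshots(before, after);
  return reasons.includes('password field appeared') && reasons.length >= 2;
}

// Browser wiring, skipped under Node. An in-page listener only sees changes
// made without a navigation; a navigation unloads it, so an extension would
// have to keep the snapshot instead.
if (typeof document !== 'undefined') {
  let left = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { left = snapshot(document, location); return; }
    if (left && looksLikeTabnabbing(left, snapshot(document, location))) {
      console.warn('Tab changed while hidden:', diffSnapshots(left, snapshot(document, location)));
    }
  });
}
```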