The new scam that secretly steals your bank details

This is obviously a scam to look out for, but I'm pretty sure that a tab already showing a bank's website cannot be hijacked. Tabnapping works by having you open a malicious site in a tab, which then changes to appear like a site you visit. There's an example here (open the page and wait a while for it to change into a Gmail login page):

http://avivraff.com/research/phish/article.php?1203412073

The targets may not be banks. They could mimic email, twitter, ebay, facebook etc. Always check the address bar before you log in!

Bimber said: "I'm pretty sure that a tab already showing a bank's website cannot be hijacked."  Sadly, that's not true.  Lots of Windows viruses show no outward sign that you've been infected: instead, they silently monitor your keystrokes and send them to criminals.  (Google "keystroke logger" for more details.)  Other viruses wait for you to log into your bank, and then they silently submit extra transactions or divert your payments to an attacker's account, as described here: http://www.pcworld.com/article/141364/new_trojan_intercepts_online_banking_information.html

HTTPS (indicated by a padlock symbol) doesn't protect you against viruses of this type.  HTTPS encrypts data flowing between your computer and the remote server, so that a third party can't snoop on it or change it, but it doesn't prevent a virus from logging or interfering with the data before it's sent.

This is why you should never, ever type home banking credentials or a credit card number into a computer running Microsoft Windows.

Interestingly, we smug people who run Linux or Apple Macs, and who therefore don't have to worry so much about viruses and spyware, may not be immune to tab napping, depending on how it's implemented.  Jane, thanks for alerting us to it.

this is a worrying move towards ever greater manipulation by the criminals,

towards an ever easier way of defrauding the individual, and having an

easy lay-back existence.  Thanks for the warning.  I guess all we can do

is stay alert, and make sure that we have the very best Security Programme

running on our computers.

Bimber, you're right, of course: keystroke logging is not tab-napping.  I should have shown more of my working.  My point was that a tab showing your bank's site *could* be hijacked, at least in principle, on an infected computer.  If it's possible to write a virus that steals your password or diverts your payments to an attacker's bank account then it's certainly possible, now or in the future, to write a virus that sends you from your bank's site to a different site (or, BTW, which resets the Firefox setting that protects you from malicious refreshes and diversions).  Once a virus is in place, it's game over, which is why using Windows for home banking or home shopping is so dangerous.

As I'm sure you know but others may not, viruses don't generally delete all your files and print rude messages, the way they did a few years ago: these days, they're much more insidious.  They can make more money for the attacker if the victim doesn't know they're there.

(I should perhaps show my hand.  I'm a seasoned software engineer, but I've never been a virus-writer.  I have a reasonable idea of what's possible, but I'm not in touch with the latest virus-writing techniques.)

About "Linux does not make you immune to tabnapping": yep, we're in violent agreement.  There is no software, free or commercial, that removes the need for vigilance and intelligence.  One major cause of the PC security crisis we see today is that high-street shops sell computers without providing any training, as if they were no more complex or risky than freezers and fridges, and then they sell big all-in-one security packages that give the user the impression of total immunity to danger.  There is no such thing.

"Super sophisticated criminals may have trained your cat to spy on your

keystrokes and relate the information to them by arranging its Iams in

patterns on the lawn."

Jane, perhaps a topic for your next security related article? ;)

Once upon a time there was a world where you knew your bank manager, left your back door open and children played in the woods...

No mobiles, ipods/pads, no computer and no internet.

It was peaceful! And fun and nice!

One of these days I will get so fed up with it all I will chuck it all in and go back to writing letters instead!!!

The exploit was named "tab nabbing" not tab napping! It works by allowing an inactive tab to change how it looks so that you think it is your "whatever" site rather than the site you actually visited (so I'm with bimber's correction to this article).

Napping or Nabbing? There's only one way to settle this...FIGHT!

http://www.googlefight.com/index.php?lang=en_GB&word1=tabnapping&word2=tabnabbing

When cats are doing it, shouldn't it be called Tabby Nabbing?

Or catnapping

As a relative novice  I cannot understand that you say must be URL as

showing HTTPS etc whereas when I go into bank of my choice it appears as HTTP (NO s).  in the browser bar . I am obviously concerned re security of the site(s)  Can someone clarify please

Thanks Junitra

I expect many readers of this thread, with average (i.e. very little) technical knowledge would be completely lost trying to decide how they should be safe.  Would a suitable summary be

1.  Keep your virus checker up to date.

2.  Never log-in to your bank when you have any other window or tab open.

3.  And when you do log-in tp your bank, write down the url of the website before and after log-in and keep checking them

4.  Finish your transactions speedily - or if not possible, log-off from time to time then log-in again.

5.  And if asked to log-in again, do it from scratch.

If you always treat on-line banking in that way, is it really necessary to avoid MS Windows or to be super-clever with procedure?  Most of us can't remember a sequence of instructions which extends beyond 2 or 3 items, especially if the terminology is somewhat unfamiliar.

If the above way of operating isn't good enough I will join "gardener" and write letters again.

Hi All

This is my first time here so I wanted to thank you for making me giggle and cheering me up - not that I have had a bad day, I have just landed a new job so am grinning like the proverbial...

I use the freeware RAPPORT as provided through my bank's website. It can also be activated with any other site where you may be entering personal details. As I understand it, this should protect against this type of attack as well, even if only by clearly indicating that any such web page is not protected by the RAPPORT 'logo' being missing. The following link may be of interest: http://www.natwest.com/personal/online-banking/g1/banking-safely-online/rapport.ashx#tabs=section2

Those who don't use their brains deserve to get scammed, laziness is no excuse, don't do online banking, visit your bank in person, our cashiers are all gorgeous, so I pop in at every opportunity I can get. At least I can have a laugh with them and all my personal details are secure, something which I can never get by going on-line.....

And when you access any websites for the first time around Mozilla

Firefox asks if you want to save your ID and password automatically, why

should you have to enter anything again when you go back there in the

future, is it because it isn't the same website, surely that should trigger alarm bells with everyone, or, am I alone in that reasoning.

Bit of a scare article I think. If you're running Firefox with the default settings, and not visiting any dodgy sites, then you should be fine. Beyond the browser, it simply comes down to educating the end user.

As far as the "get a mac" argument is concerned, it falls on its face. Mainly because the issue relates to the browser and not the operating system.

Definately Tab Nabbing - here is the original article that 'discovered' the technique: http://www.azarask.in/blog/post/a-new-type-of-phishing-attack/

(as in stealing rather than falling asleep)

A malicious site cannot look at what is on another tab and then 'emulate it' nor can a malicious site look at your history, but there has been another technique available where a site can find out the places you visit by placing hidden links on a page and then reading back the colour that the browser has drawn it in. The default behaviour for links is that they are blue, but if you have visited the page before then the link will be purple. The malicious page has (for instance) a link to the facebook login page and then checks if it is purple. If so then you are a facebook user and they might be able to trick you with a fake facebook login page.

And I should correct myself and say that of course its not necessarily a malicious site, it can be an innocent site, such as a blog, that has been hacked and malicious content inserted into the page.

Yorkstyke - the padlock means that your connection to the other end is secure. It does not necessarily mean it is the place you intended to visit. 

I'm sticking with Barclays because they have issued me with a PIN sentry and I must use that to get a one-time password so even if I was lured to the wrong place the details they grab from me are of no use.

mlaker, I hate to burst your "smug" bubble, but there a plenty of viruses out there for Macs and Linux. Sadly because most Mac and Linux users practise bad browsing habits (owing to the illusion that they are safe) these viruses are proving very successful

Safari for example is well known among security experts to be easier to exploit than Internet Explorer

Don't take my word for it: http://www.sophos.com/blogs/gc/

And I'd like to add, because NONE of the scenarios can happen unless your PC is infected with a virus, it's pretty stupid not to have "install virus software" and "don't install any old crap on your PC" under "How can you protect yourself against tab napping?"

"When you return to your bank’s site the login page looks exactly how you

left it. What you haven’t realised is that a fake page has taken its

place, so when you type in your username and password, you have

inadvertently given the fraudster easy access to your account."

This implies that it can happen with a legitimate page, which as I state above is the smarter way of doing it.  But to do that, either the original site must be compromised, or your PC must be compromised.  No two ways about it.

However, I fully agree that if you go to WAREZ.ru and then an hour later it's barclays bank, then yeah, this can happen.  This is not what the article implies, thus it is misleading.

Also, without any kind of exploit I am pretty sure that your browser history is invisible.  If you want to link me to your source for this information, I'll fully admit my ignorance, but without access to either a banking website or the client device, this requires luck (someone visiting the site in question, then leaving it open long enough to forget about it, and being in the habit of leaving tabs open for internet banking). A high level of skill on the part of the attacker (creating the site which picks up the browser (easy) and then runs a specific exploit to get the users history and pick out the correct banking service before re-directing (hard)), and stupidity/ignorance on the part of the user.  Fair enough, if that's the case it will still affect people, but the article is badly written and misleading.

Soop

You were also wrong about "None of this can happen unless your computer is already compromised"

This is caused by a bit of malicious javascript on a website you visit. You load the page and it looks fine, maybe its an article that you will read later. You then open another tab, or switch to an existing tab and while you 'look away' the page changes to one that looks like a page you recognise, asking for your credentials.

At some time later you rediscover the tab and use it to check your mail or whatever, blindly keying in your credentials. Now the bad guys have access to your account.

You might think 'oh, I never go to those malicious sites' but of course MANY sites have been compromised in the past - some of them highly reputable.

Suppose for a moment that a compromise is found in Lovemoney.com's comments system. This might allow someone to place a piece of javascript in the comment which your browser will run when you visit the page.

This might be an exploit to just get into your gmail or hotmail account, but this can be the thin end of the wedge. In your mailbox there might be emails from other sites where you are a customer. Once the attacker knows the sites you visit, he may be able to ask that site to reset your password - most of such requests are managed by email - your attacker can intercept the reset and set his own password. 

So by now, your email is compromised, maybe your amazon account is compromised, maybe you just purchased some electronics and had them sent gift wrapped to another address! All this with no malware on your PC, no virus, no key logger.

If you think 'keep viruses away and I will be safe' then you are sadly deluded. I encourage people to understand their browser, to check how it looks, recognise how your browser is showing secure pages and get a password manager such as last pass so that you can have a different password on every site.

If you are still worried, disable javascript. Tools are available to selectively do this in most browsers. Turn in on just for the sites you REALLY trust.

I assume that no-one actually clicked on any of the links in this article to read the reference articles? Without first checking that they were not malicious sites ? you did? oops.....

 It's really easy to get someone to click on a link to malicious site isn't it?

  It's true that there are both platform/browser dependent and independent viruses/trojans out there. Linux/Macs are more secure, if only for the fact that there are less of them and thus statistically less likely to be of interest (thus gain) to a hacker.

  Java is platform independent making it particularly attractive for hackers to use. Linux's concept of a "root" user makes it less easy to execute platform independent malicious code, it's similar to Window's "administrator" but unfortunately most Windows users that I've come across give themselves administrator privileges by default, making it less secure than it could be. Vista/Windows7 is much better than XP was.

   No information (web, banks governments etc)  is ever 100% secure : By definition, if at least one person can access it then it cannot be  100% secure! Having said that most people will probably never have a problem, but we will always hear about those that do, and it's a very unpleasant experience if you are the unfortunate one.

  New hacks/viruses will always be being created, this article just highlights another one. Personally I cannot keep track of them all. However, this article does not change the general advice:  Do use the latest anti-virus software, particularly Windows users, and particularly for those using older or un-updated versions (Without getting into a linux/Windows battle: do it at least for the statistical reasons mentioned above)  This will get rid of 95% of the potential threats, then just be as vigilant as possible, as others have stated above.

Terry Reed said: "Surely, if you have strong anti-virus software (like Norton Symantec or

McAfee), this will never happen."

My other half and I run a computer support company, mainly dealing with home and small business computers. Disinfections are one of our most regular jobs, then there are others we find are infected, unknown to the owner. And I have to tell you that some of the infected ones have had one of the major security suites up and running, fully updated, but stuff got past them. We make sure the Windows internet settings are as they should be and install a firewall (not Windows) plus six other virus and spyware protectors, all of which are free. We have a couple of others we use on really badly infected computers, but they're rather intrusive.