Thursday, 27 May 2010

tab-napping

Identity thieves can "use JavaScript to quietly change the contents and label of an open-but-not-active [browser] tab to resemble the log-in screen of a bank or credit card company or Amazon.com or Gmail", according to an article in PC World.
EDIT: It's not as bad as it looks - see below.
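
A defensive check for the behaviour quoted above, a page rewriting its own title, favicon and contents while its tab is in the background, is sketched here as an added example that is not part of the original post or the PC World article. The event format, field names and sample timeline are constructed assumptions.

```javascript
// Added example; the event shape is an assumption (a content script could
// record it from 'visibilitychange' events and a MutationObserver).
const SAMPLE_EVENTS = [ // constructed timeline, t in milliseconds
  { t: 0, type: 'visibility', state: 'visible' },
  { t: 1200, type: 'mutation', target: 'title', value: 'Funny cat pictures' },
  { t: 9000, type: 'visibility', state: 'hidden' },
  { t: 15000, type: 'mutation', target: 'title', value: 'Sign in - Example Mail' },
  { t: 15001, type: 'mutation', target: 'favicon', value: '/mail.ico' },
  { t: 15002, type: 'mutation', target: 'body', addsPasswordField: true },
  { t: 60000, type: 'visibility', state: 'visible' },
  { t: 70000, type: 'visibility', state: 'hidden' },
  { t: 71000, type: 'mutation', target: 'title', value: '(1) Example Mail' },
];

const IDENTITY_TARGETS = new Set(['title', 'favicon']);

// Grade one hidden period; returns null when the tab's identity did not change.
function grade(period, returnedAt) {
  const targets = [...new Set(period.changes.map((c) => c.target))];
  if (!targets.some((x) => IDENTITY_TARGETS.has(x))) return null;
  const newLogin = period.changes.some((c) => c.addsPasswordField === true);
  return {
    hiddenAt: period.hiddenAt,
    returnedAt, // null if the log ends while the tab is still hidden
    targets,
    severity: newLogin ? 'high' : 'low', // title-only changes (unread counters) stay low
  };
}

function findHiddenTabRewrites(events) {
  const findings = [];
  let period = null; // non-null only while the tab is hidden
  const close = (returnedAt) => {
    const finding = grade(period, returnedAt);
    if (finding) findings.push(finding);
    period = null;
  };
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (ev.type === 'visibility') {
      if (ev.state === 'hidden' && !period) period = { hiddenAt: ev.t, changes: [] };
      else if (ev.state === 'visible' && period) close(ev.t);
    } else if (ev.type === 'mutation' && period) {
      period.changes.push(ev);
    }
  }
  if (period) close(null); // tab never came back into view
  return findings;
}
console.log(findHiddenTabRewrites(SAMPLE_EVENTS));
```

On the sample timeline the first hidden period is graded high (identity change plus a new password field) and the second low (title change only).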

4 comments:

  1. This is clever and simple, but I don't understand the fuss — it's more or less just like any phishing attack. The same rules apply: always check the URL just before you type your password. Or better yet, never type your actual password: either have your browser remember passwords, or (or and) use domain-specific password hashing like PwdHash (which is really cool).

  2. More than phishing - your browser isn't supposed to load random web pages on newly opened tabs. That rule is totally one to be followed though. PwdHash's site appears to be down at the moment. Isn't it served best with Firefox in a thumb drive? Plan to try it soon's I can get it :)

  3. Oh, that's not what this attack does. The phishing website is not changing the contents of *another* tab, it's changing its *own* contents (while you are looking at another tab). The only difference is that instead of showing a fake login page as soon as you open it (when you are presumably more careful), it shows the login page when you revisit it after a while.

    But it's still just a malicious website showing a fake login page, just with a delay. :-)

  4. Egad, you're right. Seems I misread/interpreted this one - there was never any WMD, etc :-) whew...
