Aza Raskin of Mozilla has demonstrated a new type of phishing attack that takes advantage of the way people user tabs in browsers. In this attack, a user visits a hacked web page. If they go away from that page for a certain amount of time – either to another tab in their browser, or to another window – the page reloads with a page that could be designed to trap users in a phishing scam. Assuming that the user has many browser tabs open, or many windows, they may return to the page and think that they had logged out of a certain service. In the above proof-of-concept example, a Gmail page is displayed, but this could be a bogus bank page, PayPal login page, or Amazon.com page.
This proof-of-concept demonstration works in Firefox and Safari (as well as other WebKit browsers), but we have not tested it with other browsers.
For now, there’s no way to indicate that the page has changed, and users should be extremely careful before logging into any webmail, bank or online commerce site page. Make sure to check the URL carefully if you see an unexpected login screen.