People's Newsroom


TabShots is the first effective client-side countermeasure against tabnabbing attacks. Tabnabbing, a surprisingly sly variant of phishing, allows a Web attacker to obtain the user’s credentials, thereby enabling the attacker to impersonate the user by establishing a session. Since the user’s credentials allow the attacker not only to establish a session but also to bypass any additional in-session authentication checks, a phishing or tabnabbing attack can lead to worse consequences than any of the previously discussed attacks.

In a tabnabbing attack, an innocuous page visually disguises itself as a login page for a legitimate application when the user is not paying attention. Since the tabnabbing page is fully controlled by the Web attacker, detection mechanisms that depend on the underlying structure of the page, such as the HTML elements and attributes, are likely susceptible to evasion. Therefore, TabShots is based on screenshots of a browser’s tab, essentially analyzing the same view as seen by the user. To prevent the user from entering credentials in a fraudulent phishing form, TabShots highlights the parts of the page that have changed since the last visit, visually alerting the user of a “phishy” situation.

The approach and proof-of-concept implementation of TabShots show the potential of visual client-side mitigation techniques against phishing-based attacks. Even though alternative authentication systems are being proposed on a regular basis, all promising to eradicate the traditional credentials, username/password-based authentication is likely to stick around for a while. Alternatives to a visually supported detection mechanism could be browser-generated warnings when entering a username in an unknown form, or the use of secure password managers, which would require explicit configuration on unknown Web pages. Unfortunately, users are often the weakest link in the chain, causing a significant number of attacks to be targeted at them. In hindsight, our work on TabShots highlights an interesting, alternative approach towards client-side mitigation techniques, especially compared to CsFire and Serene, which modify the browser’s security policies. Visually comparing screenshots of tabs posed alternative challenges, such as performing image processing tasks from within JavaScript, and making sure the highlighting of the changed parts occurs fast enough so users can be warned in time.


As the Web grows larger and larger and as the browser becomes the vehicle of choice for delivering many applications of daily use, the security and privacy of Web users is under constant attack. Phishing is as prevalent as ever, with antiphishing communities reporting thousands of new phishing campaigns each month. In 2010, tabnabbing, a variation of phishing, was introduced. In a tabnabbing attack, an innocuous-looking page, opened in a browser tab, disguises itself as the login page of a popular Web application, when the user’s focus is on a different tab. The attack exploits the trust of users for already opened pages and the user habit of long-lived browser tabs.

To combat this recent attack, we propose TabShots. TabShots is a browser add-on that helps browsers and users to remember what each tab looked like before the user changed tabs. Our system compares the appearance of each tab and highlights the parts that were changed, allowing the user to distinguish between legitimate changes and malicious masquerading. Using an experimental evaluation on the most popular sites of the Internet, we show that TabShots has no impact on 78% of these sites and very little on another 19%. Thereby, TabShots effectively protects users against tabnabbing attacks without affecting their browsing habits and without breaking legitimate popular sites.

Phishing, the process in which an attacker tricks users into willingly surrendering their credentials, is as prevalent as ever. PhishTank, a volunteer-driven site for tracking phishing pages, in their latest publicly available report, reported a total of 22,851 valid phishing attempts just for July of 2012. In these attacks, an attacker targets the user and capitalizes on the user’s inability to distinguish a legitimate page from one that looks legitimate but is actually fraudulent. Phishing attacks can be conducted on both a large and a small scale, depending on an attacker’s objectives. The latest publicized attack involved the use of “spear phishing”, a type of phishing that targets highly specific individuals and companies.

In tabnabbing, the user is lured into visiting a malicious site, which nevertheless looks innocuous. If a user keeps the attacker’s site open and uses another tab of her browser to browse to a different Website, the tabnabbing page takes advantage of the user’s lack of focus (accessible through JavaScript as window.onblur) to change its appearance (page title, favicon, and page content) to look identical to the login screen of a popular site. When the user returns to the open tab, she has no reason to re-inspect the URL of the site rendered in it, since she already did that in the past. This type of phishing separates the visit of a site from the actual phishing attack and could, in theory, even trick users who would not fall victim to traditional phishing attacks.

TabShots is a countermeasure for detecting changes to a site while its tab is out of focus. TabShots allows a browser to “remember” what the tab looked like before it lost focus, and compare it with the appearance after regaining focus. More precisely, whenever a tab is fully loaded, TabShots records the favicon and captures a screenshot of the visible tab. Whenever a user revisits a tab, a new capture is taken and compared to the previously stored one. If any changes are detected, the user is warned by adding a visual overlay on the current tab, showing exactly the content that was changed, assisting the user in distinguishing between legitimate changes and tabnabbing attacks. Our system is based on the user’s visual perception of a site and not the HTML representation of it, allowing TabShots to withstand attacks that straightforwardly circumvent previously proposed tabnabbing-detection systems. We implement TabShots as a Chrome add-on and evaluate it against the top 1,000 Alexa sites, showing that 78% of sites fall within a safe threshold of less than 5% changes, and an additional 19% fall within the threshold of less than 40% changes. This means that TabShots effectively protects against tabnabbing attacks, without hindering a user’s day-to-day browsing habits.
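The capture-and-compare step described above can be sketched as a tile-based diff over two raw screenshots. This is an added example, not TabShots' own code: the 10-pixel tile size, the function names, the "low/medium/high" labels and the sample captures are assumptions; only the 5% and 40% figures come from the evaluation quoted in the text.

```javascript
// Added example (not TabShots' own code): tile-based diff of two tab captures.
// TILE, the function names and the level labels are assumptions of this sketch.
const TILE = 10; // assumed tile edge, in pixels

// True if any RGBA byte inside the tile at (tx, ty) differs between captures.
function tileDiffers(a, b, width, height, tx, ty, tile) {
  const yEnd = Math.min(ty + tile, height), xEnd = Math.min(tx + tile, width);
  for (let y = ty; y < yEnd; y++) {
    const end = (y * width + xEnd) * 4;
    for (let i = (y * width + tx) * 4; i < end; i++) if (a[i] !== b[i]) return true;
  }
  return false;
}

// Compare two RGBA buffers (canvas ImageData.data layout) tile by tile.
// Returns the rectangles to highlight and the fraction of tiles that changed.
function diffScreenshots(before, after, width, height, tile = TILE) {
  if (before.length !== width * height * 4 || after.length !== before.length) {
    // Different capture sizes cannot be aligned: report the whole view as changed.
    return { changedTiles: [{ x: 0, y: 0, w: width, h: height }], ratio: 1 };
  }
  const changedTiles = [];
  let total = 0;
  for (let ty = 0; ty < height; ty += tile) {
    for (let tx = 0; tx < width; tx += tile, total++) {
      if (!tileDiffers(before, after, width, height, tx, ty, tile)) continue;
      changedTiles.push({ x: tx, y: ty, w: Math.min(tile, width - tx), h: Math.min(tile, height - ty) });
    }
  }
  return { changedTiles, ratio: changedTiles.length / total };
}

// Map the changed fraction onto the 5% and 40% thresholds quoted in the text.
function classify(ratio) {
  return ratio < 0.05 ? "low" : ratio < 0.40 ? "medium" : "high";
}

// Constructed sample: a grey page; withForm paints a white "login box" in the centre.
function sampleCapture(width, height, withForm) {
  const px = new Uint8ClampedArray(width * height * 4).fill(200);
  if (withForm) {
    for (let y = 20; y < 40; y++) px.fill(255, (y * width + 30) * 4, (y * width + 70) * 4);
  }
  return px;
}

const demo = diffScreenshots(sampleCapture(100, 60, false), sampleCapture(100, 60, true), 100, 60);
console.log(demo.changedTiles.length, "tiles changed ->", classify(demo.ratio));
```

In a browser add-on the two buffers would come from the stored and the fresh capture of the visible tab, and `changedTiles` would drive the overlay drawn over the page.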
