A top Firefox programmer has figured out a scary new way to carry out phishing attacks, this time using browser tabs.
The attack could be used to harvest user names and passwords for banks, email accounts, or any other type of web site.
The trick relies upon the fact that surfers often have several browser tabs open simultaneously, and may forget what page they have open in a given tab.
The attack page also changes its title and favicon as they appear in the browser, making it even more difficult to notice that the tab is still actually displaying an attacker-owned page.
The only way for the average user to tell the difference is to check that the URL in the browser address bar is legit.
Raskin's blog post explaining the attack also implements it (albeit with a non-functional Gmail login page). We've seen it doing its dirty deeds in Firefox, Internet Explorer and Safari. It's pretty unnerving.
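On the defensive side, the title-and-favicon swap described above can be caught by comparing what a tab showed when it was hidden with what it shows on return. The sketch below is an added example, not code from Raskin's post; the function names, the sample snapshots and the assumption that it runs as a browser-extension content script are all illustrative.

```javascript
// Added example: defensive heuristic, not code from Raskin's post.
// Assumption: runs as a browser-extension content script in each tab.

// Record what the tab strip shows, plus whether the page asks for a password.
function snapshot(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    title: doc.title,
    favicon: icon ? icon.href : "",
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}

// Compare the state saved when the tab was hidden with the state on return.
function assessReturn(before, after) {
  const reasons = [];
  if (before.title !== after.title) reasons.push("title changed");
  if (before.favicon !== after.favicon) reasons.push("favicon changed");
  if (!before.hasPasswordField && after.hasPasswordField) reasons.push("password field appeared");
  // A title change alone is common (unread counters), so require title AND favicon.
  const disguised = before.title !== after.title && before.favicon !== after.favicon;
  const level = !disguised ? "ok" : after.hasPasswordField ? "alert" : "warn";
  return { level, reasons };
}

// Constructed sample snapshots (not captured from a real page).
const BEFORE = { title: "Ten easy recipes", favicon: "https://blog.example/favicon.ico", hasPasswordField: false };
const AFTER_DISGUISED = { title: "Sign in - Webmail", favicon: "https://blog.example/mail.ico", hasPasswordField: true };
const AFTER_COUNTER = { title: "(1) Ten easy recipes", favicon: "https://blog.example/favicon.ico", hasPasswordField: false };

// Browser wiring via the Page Visibility API; skipped when no DOM is present.
if (typeof document !== "undefined") {
  let saved = null;
  document.addEventListener("visibilitychange", () => {
    if (document.hidden) {
      saved = snapshot(document);
    } else if (saved) {
      const result = assessReturn(saved, snapshot(document));
      if (result.level !== "ok") console.warn("Tab changed its identity while hidden:", result.reasons);
      saved = null;
    }
  });
}
```

A title change on its own is deliberately not flagged, since many legitimate pages update their title in the background.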