Login credential security: How to defend against tabnapping
Tabnapping can be used to capture user login credentials. Enterprise threats expert Nick Lewis explains how to defend against the risk.
I heard about a phishing technique called "tabnapping." What is it, and what are the best enterprise defenses against it?
Tabnapping (also spelled tabnabbing) was first discovered in 2010. It allows an attacker to open a browser tab in the background using JavaScript; the tab looks like a login page for any of a number of commonly used websites, such as Facebook or Gmail, banking websites or corporate Web portals, and is used to capture login credentials. Tabnapping relies on users having multiple browser tabs open at the same time, logging into a service, then either logging out of that service or being logged out automatically after a period of inactivity. The idea is that the user will want to log in again and will attempt to do so using the false Web page, which then steals the user's credentials.
The best enterprise tabnapping defense is to keep Web browsers up to date. Using antimalware software and an antimalware network device to block malicious webpages will also help mitigate the risk of attack.
Additionally, security awareness training should teach employees to review the URL bar before entering credentials into a webpage. However, it is difficult to always check the URL bar -- especially on mobile devices -- so an enterprise may want to specifically brand its login portals to help employees quickly distinguish a legitimate login page from a malicious one.
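As an added example, not code from the article or its author, here is a defender-side heuristic in JavaScript that flags the behaviour described above from a per-tab event log: a tab whose title or favicon changes while it is hidden without navigating, or whose title names a login brand while its host is not one of that brand's origins. The brand-to-origin table, the event format and the sample events are all constructed for this example; in a real browser extension the events would come from the browser's tabs API.

```javascript
// Added example (not from the original article): flag tabnapping-like
// behaviour from a per-tab event log. Events are constructed inline so the
// logic runs offline in Node; a browser extension would feed it real events.

// Login brands and the hosts that legitimately serve them. This table is an
// assumption for the example; a real deployment lists the enterprise's own
// portals (portal.example.com is a hypothetical one) and the consumer sites
// it allows.
const KNOWN_BRANDS = {
  gmail: ["accounts.google.com", "mail.google.com"],
  facebook: ["www.facebook.com"],
  "corporate portal": ["portal.example.com"],
};

// Return the brand a page title appears to claim, or null.
function brandForTitle(title) {
  const t = title.toLowerCase();
  for (const brand of Object.keys(KNOWN_BRANDS)) {
    if (t.includes(brand)) return brand;
  }
  return null;
}

// Exact host comparison: a substring test would wrongly accept a lookalike
// such as "accounts.google.com.evil.example".
function hostMatchesBrand(host, brand) {
  return KNOWN_BRANDS[brand].includes(host.toLowerCase());
}

// Walk one tab's events in order and collect findings.
// Event shapes: {type:"navigate", url}, {type:"visibility", hidden},
// {type:"title", value}, {type:"favicon", value}.
function analyzeTabEvents(events) {
  const findings = [];
  let hidden = false;
  let host = null;
  let navigatedWhileHidden = false; // a real navigation explains new content
  for (const ev of events) {
    switch (ev.type) {
      case "navigate":
        host = new URL(ev.url).hostname;
        if (hidden) navigatedWhileHidden = true;
        break;
      case "visibility":
        hidden = ev.hidden;
        if (hidden) navigatedWhileHidden = false;
        break;
      case "title": {
        // In-place rewrite while the user is looking elsewhere.
        if (hidden && !navigatedWhileHidden) {
          findings.push({ rule: "title-rewrite-while-hidden", title: ev.value, host });
        }
        // Title claims a login brand the current host does not serve.
        const brand = brandForTitle(ev.value);
        if (brand && host && !hostMatchesBrand(host, brand)) {
          findings.push({ rule: "brand-title-on-foreign-host", brand, host });
        }
        break;
      }
      case "favicon":
        if (hidden && !navigatedWhileHidden) {
          findings.push({ rule: "favicon-rewrite-while-hidden", host });
        }
        break;
    }
  }
  return findings;
}

// Constructed sample: an unrelated page swaps its title and icon while hidden.
const SAMPLE_EVENTS = [
  { type: "navigate", url: "https://recipes.example.net/cake" },
  { type: "title", value: "Best chocolate cake" },
  { type: "visibility", hidden: true },
  { type: "title", value: "Gmail - Sign in" },
  { type: "favicon", value: "https://recipes.example.net/gmail.ico" },
  { type: "visibility", hidden: false },
];

// Constructed benign sample: a session expires and the real site redirects
// to its own sign-in page while the tab is hidden.
const BENIGN_EVENTS = [
  { type: "navigate", url: "https://mail.google.com/mail/" },
  { type: "visibility", hidden: true },
  { type: "navigate", url: "https://accounts.google.com/signin" },
  { type: "title", value: "Gmail - Sign in" },
];

console.log(analyzeTabEvents(SAMPLE_EVENTS)); // three findings
console.log(analyzeTabEvents(BENIGN_EVENTS)); // []
```

Run it with node. The rewrite-while-hidden rule is noisy on its own (webmail clients update their title with unread counts while hidden), so the brand-on-foreign-host mismatch is the stronger signal; it also encodes the URL-bar advice above, since hosts are compared for exact equality rather than by substring.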
Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)