PiChris - Fotolia

Get started Bring yourself up to speed with our introductory content.

Login credential security: How to defend against tabnapping

Tabnapping can be used to capture user login credentials. Enterprise threats expert Nick Lewis explains how to defend against the risk.

I heard about a phishing technique called "tabnapping." What is it, and what are the best enterprise defenses against it?

Tabnapping was first discovered in 2010. It allows an attacker to open a browser tab in the background using JavaScript; the tab that looks like a login page for any number of commonly used websites like Facebook or Gmail, banking websites or corporate Web portals, and is used to capture login credentials. Tabnabbing relies on users having multiple browser tabs open at the same time, logging into a service, then either logging out of that service or being logged out automatically after a period of inactivity. The idea is that the user would want to log in again, and attempt to log in using the false Web page, which would then steal the user's credentials.

The best enterprise tabnapping defense is to keep Web browsers up to date. Using antimalware software and an antimalware network device to block malicious webpages will also help mitigate the risk of attack.

Additionally, security awareness trainings should include that employees must review the URL bar prior to entering credentials into a webpage. However, it is difficult to always check the URL bar -- especially on mobile devices -- so an enterprise may want to specifically brand its login portals to help employees quickly distinguish a legitimate login page from a malicious one.

Ask the Expert!
Perplexed about enterprise security? Send Nick Lewis your questions today! (All questions are anonymous.)

Next Steps

Learn how to prevent phishing attacks with social engineering tests

Don't miss the latest security awareness training tips and advice

This was last published in March 2015

Dig Deeper on Email and Messaging Threats-Information Security Threats