Named with a nod to the word "kidnapping", this new phishing technique, which Brian Krebs details, is bound to make its way to your browser sooner or later. It relies on user inattention and on your trust in browser tabs, and is likely to fool even security-savvy web surfers.
Mozilla Firefox creative lead Aza Raskin describes it like this: a user has multiple tabs open and surfs to a malicious or compromised site. That site uses JavaScript to silently alter both the contents of its page and the information displayed on its tab, doing so only after the user has switched away. When the user switches back, the tab appears to be the login page for a site the user normally visits. But it's not.
For example, you have several tabs open, and one of the sites you visit carries this code. After you leave that tab, the script does its work, switching the tab (for example) to a fake Gmail site. As you scan your open tabs, the favicon and title act as a strong visual cue, and you'll most likely assume you simply left a Gmail tab open.
When you click back to the fake Gmail tab, you'll see what looks like the standard Gmail login page, assume you've been logged out, and provide your credentials to log in. Raskin continues: "After the user has entered their login information and sent it back to your server, you redirect them to Gmail. Because they were never logged out in the first place, it will appear as if the login was successful." The one thing the script cannot rewrite is the address bar, which still shows the original site's URL: checking it before typing a password is the practical defence, as is relying on a password manager that only fills credentials on the matching origin.
Raskin includes a proof-of-concept on his site, and it is more than a little unnerving when you let it run. Load the page, click away to another tab for five seconds, and come back: you'll be looking at what appears to be the Gmail login page.