Tabnabbing steals your personal information

CLEVELAND - There's a new way hackers are stealing your personal information. This attack is so sophisticated you may be a victim and have no idea.

Phishing scams are nothing new. They come through email and text message when someone is “phishing” for your personal information. Typically, you’re told the IRS or your bank needs you to update your information. When you click on the hyperlink, you’re taken to a site other than your bank or IRS.

Tabnabbing is a new version of a phishing scheme. It happens when you’re browsing the Internet with several tabs or websites open.

Hackers steal one of your tabs while you're looking at a different tab.

"It's going to change into something that person may be familiar with-- a Gmail login, Facebook login, or Twitter account,” security consultant Tom Eston explained.

The hackers use popular websites to fool you into thinking they were already open.

If you sign in, consumers are re-directed to the legitimate Facebook or Twitter page. It makes you think your first login attempt failed, but really you've been tab-nabbed.

Security professionals, like Eston, use programs similar to the ones hackers create so they can simulate attacks for companies to see if the company and its users are vulnerable.

Eston used his tools to simulate a tabnabbing attack. He cloned a Twitter website, and then entered credentials. He used "test account" as the username and "password" as the password.

Seconds later, that username and password appeared on the program Eston was running.

"On my screen now I see here's the test account and here's the password I just collected," Eston said.

Hackers then use your credentials to access your other accounts, or they sell the info.

Phishing schemes wreak havoc

"They make money. It's a biz. It's a criminal industry," Thomas Siu, Case Western Reserve University's Chief Information Security Officer explained.

At Case, a user recently fell for a phishing scheme and it impacted the whole campus.

"Probably four minutes after they'd given it up, the attackers were sending spam through our system," Siu explained.

The hackers use the spam to phish for more information.

Case added new security features after the attack, but it feels education is the best defense because the schemes constantly change.

"A person armed with information who knows how to act is way better protected than any system you can develop,” Siu said.

How to protect yourself

To protect yourself, check the URL before you enter any personal information.

"Most of these sites will look strange,” Siu said.

The cloning software Eston used, made his Twitter u-r-l a series of numbers. It's obviously not twitter-dot-com.

Secondly, don't use the same password for every website.

Many consumers find it difficult to remember all their passwords. You can download third party password programs that remember all your login information and give you passwords that are difficult to hack.

Many broswers now offer to store your passwords for you, but Eston doesn't recommend this. He prefers the third party encryption services.

Eston likes to use KeePass .  It's a free program.

To see how tabnabbing works, click on Aza Raskin's blog and your tabs will switch before your eyes.

You should also download the latest browsers so you use a system that has security updates to thwart the latest attack.

Many websites also use a security icon or "s" next to http to indicate the site is secure. That's not always accurate, but it's a good thing to check when you're browsing. The best layer of defense is to click on the security certificate to make sure it's legitimate.  Some browsers are making that easy to do by highlighting that certificate right next to the web address.