Tabnapping/Tabnabbing Phishing Scam Technique

I came across this phishing scam tactic on a news board recently and thought it was quite interesting. Basically, it works like this: criminals know that people browse the internet these days with multiple tabs open at the same time (yay for multitasking!). People often have sensitive websites open in inactive tabs [bank website, personal email account (Gmail), or social networking site (Facebook)] while browsing other sites in other tabs. A person may lose track of which website is in each tab and become vulnerable when an inactive tab changes itself into a phishing site designed to look like one of those sensitive websites.

As a simple example, a person wanders onto a malicious site and then switches to another tab to browse something else. In the background, the malicious site turns itself into a fake Gmail page. When the user returns to that tab, he or she may not realize that the Gmail page in it isn't the real Gmail site, and if the user is the type of person who habitually keeps Gmail open in an inactive tab while browsing, they may have no reservations about retyping their username and password into the fake Gmail page when it prompts them to log in again "due to inactivity".

More about this phishing tactic and how to prevent it here.

Short proof-of-concept video.
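The pattern described above leaves a footprint a defender can check for: the tab's title or favicon changes (or it navigates elsewhere) while the tab is hidden, and a password field appears when the user comes back. The following is an added example, not code from the original post, of a small detection routine built on the Page Visibility API; the snapshot field names and the risk scoring are my own assumptions, and the sample snapshots are constructed.

```javascript
// Extract the origin of a URL; null if the URL does not parse.
function originOf(url) {
  try { return new URL(url).origin; } catch (e) { return null; }
}
// Compare a tab as it looked when it became hidden with the same tab when the
// user returns. Returns { risk: 'none'|'low'|'high', reasons: [...] }.
function assessTabnab(whenHidden, whenShown) {
  const reasons = [];
  const sameOrigin = originOf(whenHidden.url) === originOf(whenShown.url);
  const rewritten = whenHidden.title !== whenShown.title ||
                    whenHidden.favicon !== whenShown.favicon;
  if (!sameOrigin) {
    // The page navigated elsewhere while nobody was looking at it.
    reasons.push('tab navigated to a different origin while hidden');
  } else if (rewritten) {
    // Same origin but new title/favicon: the document rewrote its own
    // branding while hidden, which is exactly what tabnabbing does.
    reasons.push('title or favicon changed while tab was hidden');
  }
  // A password field that appeared only after such a change is the payoff step.
  if (reasons.length && whenShown.hasPasswordField && !whenHidden.hasPasswordField) {
    reasons.push('password field appeared after the change');
  }
  const risk = reasons.length === 0 ? 'none' : reasons.length === 1 ? 'low' : 'high';
  return { risk, reasons };
}
// Constructed sample: a harmless article when hidden, a webmail-style login
// page (same URL, rewritten in place) when the user returns.
const SAMPLE_HIDDEN = { url: 'https://example.org/article', title: 'An article',
  favicon: 'https://example.org/favicon.ico', hasPasswordField: false };
const SAMPLE_SHOWN = { url: 'https://example.org/article', title: 'Sign in - Webmail',
  favicon: 'https://example.org/mail-icon.png', hasPasswordField: true };
// Snapshot the current document (browser only; hypothetical field names).
function snapshotOf(doc) {
  const icon = doc.querySelector('link[rel~="icon"]');
  return {
    url: doc.location.href,
    title: doc.title,
    favicon: icon ? icon.href : '',
    hasPasswordField: doc.querySelector('input[type="password"]') !== null,
  };
}
// Wire the check to the Page Visibility API when running in a browser.
if (typeof document !== 'undefined') {
  let lastHidden = null;
  document.addEventListener('visibilitychange', () => {
    if (document.hidden) { lastHidden = snapshotOf(document); return; }
    if (!lastHidden) return;
    const result = assessTabnab(lastHidden, snapshotOf(document));
    if (result.risk !== 'none') console.warn('possible tabnabbing:', result);
  });
}
```

Run in a browser it warns on the console; run under Node it only defines the functions, and `assessTabnab(SAMPLE_HIDDEN, SAMPLE_SHOWN)` returns a `high` risk with two reasons.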

This leads me to think, is it possible for one tab to interact with another tab? I don't believe so, and I remember reading specifically that Chrome was developed in such a way that each tab is extremely independent of the others. A site can crash in one tab without taking down the whole browser. I could be mistaken on this. But if there's a vulnerability where one tab can interact with and steal data from another tab, that could be disastrous.