Networking / Beginners

Web Spoofing

Web spoofing is a means of tricking users to connect to a different Web server than they intended. Web spoofing may be done in a number of ways. It can be done by simply providing a link to a fraudulent Web site that looks legitimate, or involve more complex attacks in which the user's request or Web pages requested by the user are intercepted and altered.

One of the more complex methods of Web spoofing involves an attacker that is able to see and make changes to Web pages that are transmitted to or from another computer (the target machine).These pages can include confidential information such as credit card numbers entered into online commerce forms and passwords that are used to access restricted Web sites.The changes are not made to the actual Web pages on their original servers, but to the copies of those pages that the spoofer returns to the Web client who made the request.

The term spoofing refers to impersonation, or pretending to be someone or something you are not.Web spoofing involves creating a "shadow copy" of a Web site or even the entire Web of servers at a specific site. JavaScript can be used to route Web pages and information through the attacker's computer, which impersonates the destination Web server.The attacker can initiate the spoof by sending e-mail to the victim that contains a link to the forged page or putting a link into a popular search engine.

SSL does not necessarily prevent this sort of "man-in-the-middle" (MITM) attack; the connection appears to the victim user to be secure because it is secure.The problem is that the secure connection is to a different site than the one to which the victim thinks they are connecting. Although many modern browsers will indicate a problem with the SSL certificate not matching, hyperlink spoofing exploits the fact that SSL does not verify hyperlinks that the user follows, so if a user gets to a site by following a link, they can be sent to a spoofed site that appears to be a legitimate site.

NOTE Later versions of browser software have been modified to make Web spoofing more difficult. However, many people are still using IE or Netscape versions 3, both of which are highly vulnerable to this type of attack. For more technical details about Web and hyperlink spoofing.

Web spoofing is a high-tech form of con artistry, and is also often referred to as phishing.The point of the scam is to fool users into giving confidential information such as credit card numbers, bank account numbers, or Social Security numbers to an entity that the user thinks is legitimate, and then using that information for criminal purposes such as identity theft or credit card fraud.The only difference between this and the "real-world" con artist who knocks on a victim's door and pretends to be from the bank, requiring account information, is in the technology used to pull it off.

There are clues that will tip off an observant victim that a Web site is not what it appears to be, such as the URL or status line of the browser. However, an attacker can use JavaScript to cover their tracks by modifying these elements. An attacker can even go so far as to use JavaScript to replace the browser's menu bar with one that looks the same but replaces functions that provide clues to the invalidity of the page, such as the display of the page's source code.

Newer versions of Web browsers have been modified to make Web spoofing more difficult. For example, prior to version 4 of Netscape and IE, both were highly vulnerable to this type of attack.A common method of spoofing URLs involved exploiting the ways in which browsers read addresses entered into the address field. For example, anything on the left side of an @ sign in a URL would be ignored, and the % sign is ignored. Additionally, URLs do not have to be in the familiar format of a DNS name; they are also recognized when entered as an IP address in decimal format (such as 216.238.8.44), hexadecimal format (such as D8.EE.8.2C), or in Unicode. Thus, a spoofer can send an e-mailed link such as www.paypal.com@%77%77%77.%61% 7A.%72%75/%70%70%64," which to the casual user appears to be a link to the PayPal Web site. However, it is really a link (an IP address in hex format) to the spoofer's own server, which in this case was a site in Russia.The spoofer's site was designed to look like PayPal's site, with form fields requiring that the user enter their PayPal account information.This information was collected by the spoofer and could then be used to charge purchases to the victim's PayPal account.This site packed a double whammy-it also ran a script that attempted to download malicious code to the user's computer. Because URLs containing the @ symbol are no longer accepted in major browsers today, entering the URL in browsers like IE 7 produces an error. Unfortunately, this exploit allowed many people to be fooled by this method and fall victim to the site, and there is no reason why someone simply couldn't use a link in hexadecimal format today to continue fooling users.

The best method of combating such types of attacks involves education. It is important that administrators educate users to beware of bogus URLs, and to look at the URL they are visiting in the Address bar of the browser. Most importantly, they should avoid visiting sites that they receive in e-mails, unless it is a site they are familiar with. It is always wiser to enter addresses like www.paypal.com directly into the address bar of a browser than following a link on an e-mail that is indecipherable and/or may or may not be legitimate.

Even though the site appeared to be legitimate at first glance, reading the information made visitors realize that the site was a spoof in its truest form.The features of the bogus browser claimed to download pornography up to 10 times faster, tabbed browsing that allows a user to switch from one Microsoft site to another, and the feature of shutting down unexpectedly when visiting sites like Google, iTunes, Apple, and so forth. While the site appears as nothing more than a parody of Microsoft, it shows how simple it is to create a site that can fool (no matter how briefly) users into thinking they're visiting a site belonging to someone else.

Web Spoofing Pranks

Not all Web spoofs are malicious. In early 2007, Web sites appeared on the Internet informing visitors that Microsoft had purchased Firefox, and was going to rename the browser Microsoft Firefox 2007 Professional Edition. Two sites (www.msfirefox.com and www.msfirefox.net) appeared to be actual sites belonging to Microsoft. However, upon attempting to download a version of the browser at www.msfirefox.com, the user was redirected to Microsoft's site to download IE 7. When attempting to download from www.msfirefox.net, a copy of Mozilla's Firefox was downloaded.

[Previous] [Contents] [Next]

In this tutorial:

  1. Web Based Services Security
  2. Web Security
  3. Managing Access Control
  4. Handling Directory and Data Structures
  5. Eliminating Scripting Vulnerabilities
  6. Logging Activity
  7. Finding Rogue Web Servers
  8. Stopping Browser Exploits
  9. Web Spoofing
  10. Web Server Exploits
  11. SSL and HTTP/S
  12. HTTP/S
  13. Instant Messaging
  14. Text Messaging and Short Message Service (SMS)
  15. Web-based Vulnerabilities
  16. ActiveX
  17. Dangers Associated with Using ActiveX
  18. Protection at the Network Level
  19. JavaScript
  20. Programming Secure Scripts
  21. Understanding Code Signing
  22. Buffer Overflows
  23. Making Browsers and E-mail Clients More Secure
  24. Securing Web Browser Software
  25. CGI
  26. Resulting from Weak CGI Scripts
  27. FTP Security
  28. Secure Copy
  29. FTP Sharing and Vulnerabilities
  30. Directory Services and LDAP Security
  31. LDAP
  32. Securing LDAP