ABSTRACT
Web spoofing is an Internet security attack that endangers the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems against users of the most common Web browsers. Web spoofing lets an attacker create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web. The attack proceeds in two stages. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server, where they are rewritten so that their appearance does not change at all but every action taken by the victim is logged by the attacker. Any attempt by the victim to load a new page causes the newly loaded page to be routed through the attacker's server as well, so the attack continues on the new page.
Web Spoofing
1. INTRODUCTION
2. PREVIOUS WORKS
3. TYPES OF SPOOFING
3.1 IP spoofing:
– Implicating someone
– Tricking someone into making a damaging statement or releasing sensitive information
Note that anonymous e-mail can also be sent through an anonymous remailer (a common spam vehicle).
• Web spoofing is tricking someone into visiting a Web site other than the one they intend to and mimicking the intended site.
URL spoofing deals with the different ways of making a spoofed site's URL resemble a genuine site's URL. In doing so the attacker has a better chance of succeeding, especially with inexperienced users who are unfamiliar with phishing. One way of masking the URL is to include a user name and password. Web servers that require authentication may be accessed using the URL form username:password@domain.com. A user name and password may be given in a URL regardless of whether the Web server enforces authentication; if it does not, the information is simply ignored. User names are not limited to letters and numbers, so www.paypal.com is a perfectly valid user name. Consequently, an attacker could construct a URL such as http://www.paypal.com:80@192.168.0.1/, where www.paypal.com is the user name, 80 is the password, and 192.168.0.1 is the malicious site; the browser connects to 192.168.0.1 and treats everything before the @ as credentials. It is also possible to omit the password completely. The method is, however, not used much anymore, since browsers now warn when a URL carries a user name and password (and that a phishing attempt could be under way) or strip the credentials from the displayed URL altogether.
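The following is an added example, not code from the original report: it shows how a standard URL parser actually splits the paypal.com/192.168.0.1 URL above, and turns that into the check a mail gateway or browser extension would run, namely "does this link really land on the domain it appears to name?". It goes a little beyond the text by also rejecting look-alike hosts such as paypal.com.evil.example; the sample URLs are constructed and only the standard library is used.

```python
"""Effective-host check for user-name-in-URL spoofing (added example).

urlsplit() follows RFC 3986: in the authority part everything before '@'
is userinfo, so http://www.paypal.com:80@192.168.0.1/ has user name
www.paypal.com, password 80 and host 192.168.0.1.
"""
from typing import Optional
from urllib.parse import urlsplit


def effective_host(url: str) -> Optional[str]:
    """Return the host the browser will actually connect to (lower-cased),
    ignoring any credentials placed before the '@'."""
    return urlsplit(url).hostname


def on_domain(url: str, expected_domain: str) -> bool:
    """True only if the effective host is expected_domain itself or a
    subdomain of it.  The suffix test is done on a label boundary, so
    'paypal.com.evil.example' and 'evilpaypal.com' both fail."""
    host = effective_host(url)
    if host is None:
        return False
    expected = expected_domain.lower().strip(".")
    return host == expected or host.endswith("." + expected)


def userinfo_warning(url: str) -> Optional[str]:
    """Reproduce the warning browsers added: report credentials embedded in
    the URL, and say so explicitly when the 'user name' looks like a host."""
    parts = urlsplit(url)
    if parts.username is None:
        return None
    hint = "looks like a host name; " if "." in parts.username else ""
    return (f"URL carries credentials: user name {parts.username!r} {hint}"
            f"real host is {parts.hostname!r}")


if __name__ == "__main__":
    # constructed sample links, as an attacker's mail might carry them
    for link in ("http://www.paypal.com:80@192.168.0.1/",
                 "https://www.paypal.com/signin",
                 "https://paypal.com.evil.example/signin"):
        print(link, "->", effective_host(link), on_domain(link, "paypal.com"),
              userinfo_warning(link))
```

The check is deliberately done on the parsed host and not on the string the user sees; that is the whole point of the trick in the text, and it is also why the test for a subdomain uses a leading dot rather than a plain substring search.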
DNS server. As DNS queries are usually submitted over UDP, servers cannot rely on the transport protocol to maintain state for the DNS exchange. Therefore, in order to match a response with a query, DNS messages carry a 16-bit query ID in the DNS payload. If the attacker can predict the query ID, it is possible to craft a spoofed response that arrives before the real response reaches the DNS server. The server usually believes the first response it receives and discards any later ones as duplicates. Consequently, anyone who looks up the spoofed domain record will be redirected to the attacker's site. (Modern resolvers also randomize the UDP source port of each query, so the attacker has to guess the port as well as the ID, which makes the race much harder than the 16-bit ID alone suggests.)
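As an added example (not from the original report), the query-ID race just described is modelled end to end: real DNS messages are assembled with struct so the 16-bit ID field is visible, the "wire" is an in-memory list, and a toy resolver accepts the first response whose ID matches. The name bank.example and the RFC 5737 addresses are constructed; nothing is sent on a network.

```python
"""DNS transaction-ID guessing, modelled offline (added example)."""
import random
import struct
from typing import List, Optional

NAME, REAL_IP, FAKE_IP = "bank.example", "198.51.100.10", "192.0.2.66"


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels, zero terminated."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """RFC 1035 header (ID, flags=RD, QDCOUNT=1, others 0) + one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_answer(txid: int, name: str, ipv4: str) -> bytes:
    """Response with the same ID, flags QR|RD|RA, the question echoed and one
    A record (name pointer to offset 12, type A, class IN, TTL 300, 4 bytes)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    rr += bytes(int(o) for o in ipv4.split("."))
    return header + question + rr


def txid_of(msg: bytes) -> int:
    return struct.unpack("!H", msg[:2])[0]


def answer_ip(msg: bytes) -> str:
    return ".".join(str(b) for b in msg[-4:])


def resolver_accepts(query: bytes, wire: List[bytes]) -> Optional[str]:
    """The behaviour the text describes: the first response whose ID matches
    the outstanding query wins; later ones are treated as duplicates.
    (Real resolvers also match the UDP source port and the question section.)"""
    for msg in wire:
        if txid_of(msg) == txid_of(query):
            return answer_ip(msg)
    return None


def race(txid: int, attacker_guesses: List[int]) -> Optional[str]:
    """The attacker's forged answers reach the resolver before the genuine one."""
    query = build_query(txid, NAME)
    wire = [build_answer(g, NAME, FAKE_IP) for g in attacker_guesses]
    wire.append(build_answer(txid, NAME, REAL_IP))
    return resolver_accepts(query, wire)


def predictable_ids() -> Optional[str]:
    """Sequential IDs: having seen one query (ID 4242, constructed), the
    attacker knows the next and needs a single forged packet."""
    observed = 4242
    return race(observed + 1, [observed + 1])


def random_ids(guesses: int, seed: int = 7) -> Optional[str]:
    """Random 16-bit IDs: every forged packet hits with probability 1/65536,
    so `guesses` distinct packets win with probability guesses/65536."""
    rng = random.Random(seed)
    txid = rng.randrange(65536)
    return race(txid, rng.sample(range(65536), guesses))


if __name__ == "__main__":
    print("predictable IDs ->", predictable_ids())        # attacker's address
    print("random IDs, 1000 guesses ->", random_ids(1000))  # usually the real one
```

The model deliberately keeps only the ID comparison so the weakness in the text is isolated; adding the source-port match turns `race` into a search over roughly 2^32 combinations instead of 2^16, which is the defence resolvers adopted.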
Another way of performing a DNS cache poisoning attack is on the victim's computer itself. Every system has a hosts file in its system directory used to associate host names with IP addresses. This is normally the job of a DNS server, but the hosts file is consulted before DNS, so by adding records to it one may hard-code domain name translations and redirect users to different sites. The hosts file is located in %SystemRoot%\system32\drivers\etc in the Windows environment and under /etc in UNIX-based systems. Each line in the hosts file represents an entry: the first column specifies the IP address, followed by the corresponding host name(s). Most systems map localhost to the loopback address as shown below.

127.0.0.1 localhost

Normally, when you attempt to access domain.com, a request is sent to a DNS server to find out the IP address for that domain name. Once this has been done, the HTTP request is sent to the proper Web server. However, if we were to insert a custom entry for domain.com in the hosts file, the request would be sent to this address instead:

127.0.0.1 localhost
192.168.0.2 domain.com

An attacker could use this method to direct users to a Web site that he or she controls, even if the victim types http://domain.com in the address bar of the Web browser. Writing to the hosts file requires administrator (root) privileges, so this variant presupposes that the attacker already runs code on the victim's machine; conversely, an unexpected non-loopback entry in that file is a reliable indicator of compromise.
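As an added example (not the report's own code), here is the check an incident responder would run against a hosts file: parse it the way the resolver does and flag every name that is pinned to a routable address. The paths are the ones the text names; the file content below is a constructed sample so the functions run offline, and a small wrapper reads the live file when given no path.

```python
"""Hosts-file hijack detection (added example)."""
import ipaddress
import os
import platform
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real file; the domain.com line is the hijack
# from the text, the 0.0.0.0 line is an ordinary ad-blocking entry.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost ip6-localhost
192.168.0.2 domain.com www.domain.com   # redirect added by an attacker
0.0.0.0     ads.example                  # blocking entry, harmless
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each host name (lower-cased) to the addresses the file gives it.
    Comments start with '#', fields are whitespace separated and the first
    field is the address, as in hosts(5)."""
    mapping: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; a full tool would report it
        for name in names:
            mapping.setdefault(name.lower(), []).append(addr)
    return mapping


def suspicious_entries(mapping: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Entries that send a name to a routable address.  Loopback (127/8, ::1)
    and the unspecified address (0.0.0.0) are the usual benign blocking
    cases; anything else means DNS is bypassed for that name."""
    out = []
    for name, addrs in mapping.items():
        for addr in addrs:
            ip = ipaddress.ip_address(addr)
            if not (ip.is_loopback or ip.is_unspecified):
                out.append((name, addr))
    return out


def hosts_path() -> str:
    """Location named in the text: %SystemRoot%\\system32\\drivers\\etc on
    Windows, /etc/hosts on UNIX-like systems."""
    if platform.system() == "Windows":
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, "system32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def check_hosts_file(path: Optional[str] = None) -> List[Tuple[str, str]]:
    """Read the live hosts file (or `path`) and return suspicious entries."""
    with open(path or hosts_path(), encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(parse_hosts(fh.read()))


if __name__ == "__main__":
    for name, addr in suspicious_entries(parse_hosts(SAMPLE_HOSTS)):
        print(f"{name} -> {addr}  (bypasses DNS)")
```

Treat the output as a lead, not a verdict: developers legitimately pin test hosts this way, so compare the flagged names against the organization's own domains before raising an alert.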
on the gap between the intentions and expectations of the user, and the address
and security mechanism specified by the browser to the transport layer.
• In a spoofing attack, the attacker creates misleading context in order to trick the
victim into making an inappropriate security-relevant decision. A spoofing attack
is like a con game: the attacker sets up a false but convincing world around the
victim. The victim does something that would be appropriate if the false world
were real. Unfortunately, activities that seem reasonable in the false world may
have disastrous effects in the real world.
• Spoofing attacks are possible in the physical world as well as the electronic one.
For example, there have been several incidents in which criminals set up bogus
automated-teller machines, typically in the public areas of shopping malls. The
machines would accept ATM cards and ask the person to enter their PIN code.
Once the machine had the victim's PIN, it could either eat the card or
"malfunction" and return the card. In either case, the criminals had enough
information to copy the victim's card and use the duplicate. In these attacks,
people were fooled by the context they saw: the location of the machines, their
size and weight, the way they were decorated, and the appearance of their
electronic displays.
• People using computer systems often make security-relevant decisions based on
contextual cues they see. For example, you might decide to type in your bank
account number because you believe you are visiting your bank's Web page. This
belief might arise because the page has a familiar look, because the bank's URL
appears in the browser's location line, or for some other reason.
• To appreciate the range and severity of possible spoofing attacks, we must look
more deeply into two parts of the definition of spoofing: security-relevant
decisions and context.
using the https protocol in the URL). Finally, the browser presents the page to the user (step 1b). If SSL is not used, an intercepting adversary could attack all three pairs of steps in this process, as follows:
1. Trick the user into requesting the spoofed Web site in step 1a, and/or into using http rather than https, i.e. into not protecting the request and response with SSL.
2. Return an incorrect IP address for the Web server in step 2b. This can be done by exploiting one of the known weaknesses of the DNS protocol and/or of (many) DNS servers. A typical example is DNS cache poisoning (pushing false domain-to-IP mappings into the cache of DNS servers).
3. Intercept (capture) the request in step 3a (sent to the right IP address) and return a response in step 3b from the spoofed site.
The third attack requires the adversary to intercept messages, which is relatively hard (it requires a man-in-the-middle, intercepting adversary). The second attack requires defeating DNS security, which is often possible but may be difficult (except for an intercepting adversary). Hence, most spoofing attacks against SSL/TLS-protected Web sites focus on the first attack, i.e. tricking the user into requesting the spoofed Web site and/or into using an insecure connection (without SSL) rather than an SSL-protected one.
Most Web-spoofing attacks, however, use methods which require neither interception of messages to honest Web sites nor corruption of servers or of DNS responses; these methods work even for the weak "unallocated domain" adversary. One method is URL redirection, due to Felten et al. [FB*97]. This attack begins when the user accesses any malicious Web site controlled by the attacker, e.g. one offering some attractive content; this is the parallel of a Trojan horse program, except that users are less cautious about approaching untrusted Web sites, since browsers are supposed to remain secure. The attack works if the user continues surfing by following links from this malicious site. The site provides modified versions of the requested pages in which all links invoke the malicious site, which forwards the requests to their intended target. This allows the malicious site to keep inspecting and modifying requests and responses without the user noticing, as long as the user follows links. However, this attack requires the attacker to attract the user to the malicious Web site. In practice, attackers usually use an even easier method to direct the user to the spoofed site: phishing spoofing attacks, usually using spam e-mail messages. In Figure 4 we describe the process of a typical phishing attack used to lure the user into a spoofed Web site.
The adversary first buys some unallocated domain name, often related to the name of the target (victim) Web site. Then the adversary sends spam (unsolicited e-mail) to many users; this spam contains a "phishing bait message" luring the user to follow a link embedded in it. The mail message is a forgery: its source address is that of the victim entity, e.g. a bank the user uses (or may use), and its contents attempt to coerce the user into following a link in the message, supposedly to the victim organization but actually to the phishing site. If the victim entity signed all its e-mail, e.g. using S/MIME or PGP [Z95], then our techniques (described later on) could allow the user to detect this fraud. However, currently only a tiny fraction of organizations sign outgoing e-mail, so this is not an option, and many naive users click on the link in the message, supposedly to an important service from the victim entity. The link actually connects the user to the spoofed Web site, emulating the site of the victim entity, where the user provides information useful to the attacker, such as credit card number, name, e-mail address and other details. The attacker stores the information in some "stolen information" database; among other uses, he uses the credit card number to purchase additional domains, and the e-mail addresses and names to create more convincing spam messages (e.g. to friends of this user).
Currently most phishing attacks lure users by using spam (unsolicited, undesirable e-mail), as described above. However, we define a phishing spoofing attack as any method of luring the user into directing his browser to a spoofed Web site. For example, an attacker could use banner ads or other ads to lure users to the spoofed site. We believe spam is the main phishing tool simply because spam is currently extremely cheap and hard to trace back to the attacker. Spamming causes many other damages, in particular waste of human time and attention and of computer resources. Currently the most common protection against spam appears to be content-based filtering; however, since phishing attacks emulate valid e-mail from (financial) service providers, we expect them to pass content-based filtering. Proposals for controlling and preventing spam, e.g. [CSRI04, He04], may also help to prevent or at least reduce spam-based phishing. Most phishing spoofing attacks require only an unallocated Web address and a server, and do not require intercepting the user's (HTTP) requests; therefore even weak attackers can deploy them. This may explain their popularity. It also means that the domain name used in the phishing attack is different from the domain name of the victim organization.
The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers. The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to, so the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted, so the victim might notice that http://www.attacker.org is displayed when some other name was expected. The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange for the status line to participate in the con game, always showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing. (This cover-up depended on the browsers of the time: current browsers ignore script writes to the status line, and the link target shown on hover is drawn by the browser itself, not by the page.)
The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress. This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it with a fake location line which looks right and is in the expected place. The fake location line can show the URL the victim expects to see. It can also accept keyboard input, allowing the victim to type in URLs normally; typed-in URLs are rewritten by the JavaScript program before being accessed. (Current browsers draw the location bar in browser chrome that page scripts cannot hide or replace, so this particular cover-up no longer works as described.)
There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed. By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML source, the victim can spot the attack. Unfortunately, HTML source is hard for novice users to read, and very few Web surfers bother to look at the HTML source of the documents they visit, so this provides very little protection. A related clue is available if the victim chooses the browser's "view document information" menu item, which displays information including the document's real URL, possibly allowing the victim to notice the attack. As above, this option is almost never used, so it is very unlikely to provide much protection.
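The two halves of the attack discussed above, the link rewriting that the redirecting site performs on every page it relays and the "view source" evidence it leaves behind, fit in one added example (this is not code from the original report or from Felten et al.): the rewriter turns every link on a relayed page into one that goes back through www.attacker.org with the original URL appended, and the scanner finds exactly that pattern in page source. The host name is the one used in the text; the sample page and bank.example are constructed, and nothing is fetched from a network.

```python
"""Link rewriting as done by a Web-spoofing relay, plus the view-source
check that detects it (added example)."""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit

ATTACKER = "http://www.attacker.org/"   # relay host named in the text

# Constructed sample page as the genuine site would serve it.
PAGE_URL = "https://www.bank.example/"
SAMPLE_PAGE = """<html><body>
<a href="https://www.bank.example/login">Log in</a>
<a href="/help">Help</a>
<img src="logo.png">
<form action="https://www.bank.example/auth"><input name="pin"></form>
</body></html>"""


def rewrite_url(url: str, page_url: str) -> str:
    """Send a link back through the relay: attacker URL + original absolute
    URL.  Relative links are resolved against the page first so that no
    link escapes the shadow Web; already-rewritten links are left alone."""
    absolute = urljoin(page_url, url)
    if absolute.startswith(ATTACKER):
        return absolute
    return ATTACKER + absolute


class _LinkRewriter(HTMLParser):
    """Copies the page through, rewriting href/src/action attributes only."""
    REWRITE = {"href", "src", "action"}

    def __init__(self, page_url: str):
        super().__init__(convert_charrefs=False)
        self.page_url = page_url
        self.out: List[str] = []

    def handle_starttag(self, tag, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() in self.REWRITE and value:
                value = rewrite_url(value, self.page_url)
            parts.append(f' {name}="{value}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(parts)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)      # "<x/>" is emitted as "<x>"

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(html: str, page_url: str) -> str:
    """What the relay does to every page before passing it to the victim."""
    parser = _LinkRewriter(page_url)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def find_rewritten_urls(html: str) -> List[str]:
    """The 'view source' clue: a link whose *path* starts with another
    absolute URL is the fingerprint of a rewriting relay."""
    found = []
    for m in re.finditer(r'\b(?:href|src|action)="([^"]+)"', html, re.I):
        url = m.group(1)
        if re.match(r"^/https?://", urlsplit(url).path, re.I):
            found.append(url)
    return found


if __name__ == "__main__":
    relayed = rewrite_page(SAMPLE_PAGE, PAGE_URL)
    print(relayed)
    print("rewritten links found:", find_rewritten_urls(relayed))
```

Note what the scanner does not catch: a relay that keeps the original path and encodes the real host some other way (a subdomain, a cookie, a query parameter) leaves a different fingerprint, which is why the text's view-source advice is a weak defence and the location bar and certificate checks in the conclusion matter more.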
9. COUNTERMEASURES
9.1 Disable JavaScript. Known Web spoofing techniques depend mostly on JavaScript. If the user disables JavaScript in the browser, this attack is denied. However, modern Web pages rely on JavaScript so much that many feel disabling it is impractical for general Web surfing (although one of the authors does this anyway). Users should also take care that a browser's "disable JavaScript" option actually disables JavaScript; an author personally encountered a Netscape platform that ignored the user's option.
9.2 Customization. Tygar and Whitten suggested customization as a countermeasure against Trojan horse applets. Customization of browser settings is also an effective way to enable users to detect Web spoofing. Although unsigned JavaScript can detect the platform and browser the client is using, we do not yet know how to use it to detect the detailed window settings which may affect the browser display. The Opera browser has a more customizable interface than other browsers; from this point of view, Opera is more secure than other browsers.
9.3 Disable pop-up windows. Disabling pop-up windows stops Web spoofing from opening a new window completely controlled by the attacker. Unfortunately, at the time of writing, disabling pop-ups was implemented as an option only in the Konqueror browser, which comes with KDE 2.0, only for Linux (all major browsers now block unsolicited pop-ups by default). However, one lesson from our work is that browser-server interaction is such a rich space that one should be cautious about asserting that any particular barrier can render certain behaviors impossible, especially since the behavior in question is not "what happens in the platform" but rather "what appears to be happening, to the user."
9.4 Long-term solutions. Our initial motivation was not to attack but to defend: to "build a better browser" that, for example, could clearly indicate the security attributes of a server (and so enable clients to securely use our server-hardening techniques [14, 15, 19]). None of the above solutions is strong enough to be a general solution for preventing Web spoofing. An ideal browser should be a platform which enables all modern Web techniques to be fully functional and at the same time supplies unspoofable features to indicate the communication security.
10. FUTURE SPOOFING WORK
Our fake Web pages are not perfect. In our demonstration we only implemented enough to prove the concept; as noted earlier, we are not yet able to forge some aspects of legitimate browser behavior:
• Creating convincing editable location lines appears to depend on the user's preferences, which we cannot yet learn. Either we gamble, or we do not have editable lines.
• We cannot yet obtain the user's genuine history information for the pull-down history options.
• If the user resizes our fake Netscape windows, the content will not behave as expected.
11. IMPLICATIONS
We are also examining the de facto semantics that current browsers offer for certificate handling in various devious but legal sessions.
12. CONCLUSION
• Always contact sensitive Web sites by typing their address in the location bar, using a bookmark, or following a link from a secure site, preferably one protected by SSL/TLS.
• Be very careful to inspect the location bar and the SSL icon upon entering sensitive Web pages. Preferably, set up your browser to display the details of the certificate upon entering your most sensitive sites (most browsers can do this); this will help you notice the use of SSL and avoid most attacks. Do not trust indications of security and of the use of SSL when they appear as part of the Web page, even when the page belongs to a trustworthy organization; see the examples of insecure login pages in Figure 5, by respectable financial institutions and e-commerce sites.
often even software developers. We believe that such entities should seriously
consider one of the following solutions:
• Use means of authenticating transactions that are not vulnerable to Web spoofing. In particular, challenge-response and similar one-time user authentication solutions can be effective against offline spoofing attacks (but may still fail against a determined attacker who is actively spoofing your Web site in a man-in-the-middle attack). Using SSL client authentication can be even more effective and avoids the hardware token (but may be more complex and less convenient for the user).
• Use cookies to personalize the main Web page of each customer, e.g. include a personal greeting by name and/or a personalized mark/picture (e.g. see [PM04]). Also, warn users against using the page if the personal greeting is absent. This will foil many phishing attacks, which will be unable to present personalized pages. We also recommend that site owners take care to educate consumers on secure Web and e-mail usage guidelines, including those mentioned above, as well as educate them on the structure of domain names and how to identify their corporate domains. This may include restricting corporate domains to only those that end with a clear corporate identity.
13. REFERENCES