
A PAPER PRESENTATION ON

Web Spoofing

Presented by: Miss. Neha C. Gaopande (Final Year, IT)
Guided by: Prof. A. D. Raut

JAWAHARLAL DARDA INSTITUTE OF ENGINEERING AND TECHNOLOGY, YAVATMAL

ABSTRACT

Web spoofing describes an Internet security attack that could endanger the privacy
of World Wide Web users and the integrity of their data. The attack can be carried
out on today's systems, endangering users of the most common Web browsers. Web
spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web.
Accesses to the shadow Web are funneled through the attacker's machine, allowing the
attacker to monitor all of the victim's activities, including any passwords or
account numbers the victim enters. The attacker can also cause false or misleading
data to be sent to Web servers in the victim's name, or to the victim in the name of
any Web server. In short, the attacker observes and controls everything the victim
does on the Web. First, the attacker causes a browser window to be created on the
victim's machine, with some of the normal status and menu information replaced by
identical-looking components supplied by the attacker. Then, the attacker causes all
Web pages destined for the victim's machine to be routed through the attacker's
server. On the attacker's server, the pages are rewritten in such a way that their
appearance does not change at all, but any actions taken by the victim are logged by
the attacker. In addition, any attempt by the victim to load a new page causes the
newly-loaded page to be routed through the attacker's server, so the attack continues
on the new page.

Table of contents

1. Abstract
2. Introduction
3. Previous works
4. What is web spoofing?
5. How does the attack work?
6. Threat models and attacks
   6.1 Spoofing the whole page
   6.2 Types of spoofing
7. Completing the illusion
   7.1 Status line
   7.2 Location bar
   7.3 Viewing the document source
8. Anti-spoofing
   8.1 Short-term solutions
   8.2 Long-term solutions
9. Future spoofing work
10. Conclusion
11. References

1. INTRODUCTION

Web Spoofing is a security attack that allows an adversary to observe and modify all
web pages sent to the victim's machine, and observe all information entered into forms by
the victim. Web Spoofing works on both of the major browsers and is not prevented by
"secure" connections. The attacker can observe and modify all web pages and form
submissions, even when the browser's "secure connection" indicator is lit. The user sees
no indication that anything is wrong.

The attack is implemented using JavaScript and Web server plug-ins, and works in two
parts. First, the attacker causes a browser window to be created on the victim's machine,
with some of the normal status and menu information replaced by identical-looking
components supplied by the attacker. Then, the attacker causes all Web pages destined
for the victim's machine to be routed through the attacker's server. On the attacker's
server, the pages are rewritten in such a way that their appearance does not change at all,
but any actions taken by the victim (such as clicking on a link) are logged by the
attacker. In addition, any attempt by the victim to load a new page causes the
newly-loaded page to be routed through the attacker's server, so the attack
continues on the new page. The attack is initiated when the victim visits a malicious Web
page, or receives a malicious email message (if the victim uses an HTML-enabled email
reader).

2. PREVIOUS WORKS

As early as 1996, Felten et al. at Princeton [8] originated the term web
spoofing and explored spoofing attacks on Netscape Navigator and
Microsoft Internet Explorer that allowed an attacker to create a
"shadow copy" of the true web. When the victim accesses the shadow
Web through the attacker's servers, the attacker can monitor all of the
victim's activities and get or modify the information the victim enters,
including passwords or credit card numbers. Source code is not
available; according to the paper, the attack used JavaScript to rewrite
the hyperlink information shown on the status bar; to hide the real
location bar and replace it with a fake one that also accepts keyboard
input, allowing the victim to type in URLs normally (which then get
rewritten to go to the attacker's machine); and to replace the Document
Source button on the menu bar (to show the source the victim expects,
not the real source). Apparently unable to spoof the SSL icon, the
Princeton attack spoofed SSL by having the user open a real SSL
session to the attacker's machine.

In 1996, Tygar and Whitten from CMU [20] demonstrated how a Java
applet or similar remote execution can be used as a trojan horse. The
Java applet could be inserted into a client machine through a bogus
remote page and pop up a dialog window similar to the true login
window. With the active text field on top of the image, the trojan
horse applet would capture the keyboard input and transfer it to the
attacker's machine. Tygar and Whitten also gave a way to prevent
these attacks: window personalization.

3. WHAT IS WEB SPOOFING?

Web spoofing is a kind of electronic con game in which the attacker creates a
convincing but false copy of the entire World Wide Web. The false Web looks just like
the real one: it has all the same pages and links. However, the attacker controls the false
Web, so that all network traffic between the victim's browser and the Web goes through
the attacker.

Consequences. Since the attacker can observe or modify any data going from the
victim to Web servers, as well as controlling all return traffic from Web servers to the
victim, the attacker has many possibilities. These include surveillance and tampering. In
surveillance, the attacker can passively watch the traffic, recording which pages the
victim visits and the contents of those pages. When the victim fills out a form, the entered
data is transmitted to a Web server, so the attacker can record that too, along with the
response sent back by the server. The attacker can carry out surveillance even if the
victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is,
even if the victim's browser shows the secure-connection icon (usually an image of a lock
or a key). In tampering, the attacker is also free to modify any of the data traveling in
either direction between the victim and the Web. The attacker can modify form data
submitted by the victim.

3.1 HOW DOES THE ATTACK WORK?

The first vulnerability is due to the validation that the server's public
key, which SSL obtains from the server's certificate, belongs to the site
with the given location (URL). This validation is the responsibility of the
application (e.g. the browser) and not part of the SSL specifications; SSL
merely passes the server's certificate to the application. Currently,
browsers are vulnerable to the false certificate attack. Therefore, the
adversary has the matching private key and can pass SSL server
authentication for the victim web page. In the current design of
browsers, the user is responsible for validating the authenticity of web
sites, by noting relevant status areas in the browser user interface. The
relevant status areas are the location bar, containing the URL
(Uniform Resource Locator), and the SSL indicator (typically an open
lock for insecure sites, closed lock for SSL-protected sites). We are
mostly interested in the web spoofing attack, which exploits this
vulnerability by directing the browser to an adversary-controlled clone
site that resembles the original (victim) site, which the user wanted to
access. Web spoofing attacks are very common, and are currently the most
severe threat to secure e-commerce.
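The application-level check described above (does the certificate presented over SSL actually belong to the host named in the URL?), as an added example that is not part of the original paper; the certificate's dNSName list, the `.example` host names and the helper names are assumptions for the demonstration:

```python
"""Added example: matching a server certificate's dNSName entries against the
host in the URL the user typed, the validation the paper says SSL leaves to the
browser. Wildcard handling follows the RFC 6125 rules. Assumption: the
certificate's subjectAltName dNSName values are already available as strings."""
import ipaddress
from typing import Iterable
from urllib.parse import urlsplit


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one certificate dNSName pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # The wildcard must be the whole leftmost label, must not span a dot
    # (so "*.bank.example" never matches "a.b.bank.example"), and needs at
    # least two labels after it so that a pattern like "*.com" is rejected.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_url(url: str, san_dns_names: Iterable[str]) -> bool:
    """True if any dNSName in the certificate covers the URL's host."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # IP literals are matched against iPAddress SANs, never dNSName
    except ValueError:
        pass
    return any(dns_name_matches(p, host) for p in san_dns_names)


def check_site(url: str, san_dns_names: Iterable[str]) -> str:
    """Combine the two cues the paper says the user must verify: that the
    request is SSL-protected (https) and that the certificate belongs to the
    site named in the location bar."""
    if urlsplit(url).scheme.lower() != "https":
        return "insecure"  # request and response travel without SSL
    return "ok" if cert_matches_url(url, san_dns_names) else "mismatch"


# Constructed sample: the SAN list of a hypothetical bank's certificate.
BANK_SAN = ["www.bank.example", "bank.example", "*.apps.bank.example"]

if __name__ == "__main__":
    for u in ("https://www.bank.example/login",
              "http://www.bank.example/login",
              "https://www.bank.example.attacker.example/login"):
        print(u, "->", check_site(u, BANK_SAN))
```

The last sample URL is a look-alike host whose real domain is attacker.example: the certificate for bank.example does not cover it, which is exactly the mismatch the location bar and SSL indicator are supposed to let the user notice.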

The process begins when the user selects the web site, by entering its
location (URL) or by invoking a bookmark or link, e.g. in an e-mail
message. The browser, or the underlying transport layer, then sends
the name of the domain of the site, e.g. xxx.com, to a Domain Name
Server. The Domain Name Server returns the IP address of the site.
Now, the client sends an HTTP request to the site, using the IP address
of the site, and receives the HTTP response containing the web page;
these two steps are protected by SSL if the URL indicates the use of
SSL (by using the https protocol in the URL). Finally, the browser
presents the page to the user. If SSL is not used, an intercepting
adversary could attack all three pairs of steps in this process, as follows:

1. Trick the user into requesting the spoofed web site in step 1a,
   and/or into using http rather than https, i.e. not protecting the request
   and response using SSL.
2. Return an incorrect IP address for the web server in step 2b. This
   can be done by exploiting one of the known weaknesses of the DNS protocol
   and/or of (many) DNS servers. A typical example is DNS cache poisoning
   ("pushing" false domain-to-IP mappings into the cache of DNS servers).
3. Intercept (capture) the request in step 3a (sent to the right IP
   address) and return a response in step 3b from the spoofed site.

3.2 THREAT MODELS AND ATTACKS

The initial design of Internet and Web protocols assumed a benign environment,
where servers, clients and routers cooperate and follow the standard protocols, except for
unintentional errors. In particular, since Internet access is now widely available, it is
very easy for attackers to obtain many client and even host connections and addresses,
and use them to launch different attacks on the network itself and on other hosts and
clients. In particular, with the proliferation of commercial domain name registrars
allowing automated, low-cost registration in most top-level domains, it is currently very
easy for attackers to acquire essentially any unallocated domain name, and place there
malicious hosts and clients. We call this the unallocated domain adversary: an adversary
who is able to issue and receive messages using many addresses in any domain name,
excluding the finite list of already allocated domain names. This is probably the most
basic and common type of adversary. Sensitive web sites are usually protected using
the SSL protocols. Intercepting adversaries are able to send and intercept messages to
and from all domains. Indeed, even without SSL, the HTTP protocol securely
authenticates web pages against spoofing adversaries, which are able to send messages
from all domains, but receive only messages sent to unallocated domains. However, the
security provided by SSL/TLS is only with respect to the address (URL) and security
mechanism requested by the application.

4. SPOOFING THE WHOLE PAGE

Fig: Whole spoofed page

In a spoofing attack, the attacker creates misleading context in order to trick the
victim into making an inappropriate security-relevant decision. A spoofing attack is like
a con game: the attacker sets up a false but convincing world around the victim. The
victim does something that would be appropriate if the false world were real.
Unfortunately, activities that seem reasonable in the false world may have disastrous
effects in the real world. Spoofing attacks are possible in the physical world as well as
the electronic one. People using computer systems often make security-relevant decisions
based on contextual cues they see. For example, you might decide to type in your bank
account number because you believe you are visiting your bank's Web page. This belief
might arise because the page has a familiar look, because the bank's URL appears in the
browser's location line, or for some other reason. To appreciate the range and severity of
possible spoofing attacks, we must look more deeply into two parts of the definition of
spoofing: security-relevant decisions and context.

5. TYPES OF SPOOFING

There are different types of spoofing, including:

- Email spoofing
- IP spoofing, etc.

IP spoofing:

An attacker uses the IP address of another computer to acquire information or gain access.
IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the
header.
- Routers use the destination IP address to forward packets, but ignore the source
  IP address.
- The source IP address is used only by the destination machine, when it responds
  back to the source.
- When an attacker spoofs someone's IP address, the victim's reply goes back to
  that address.
- Since the attacker does not receive packets back, this is called a one-way attack
  or blind spoofing.

Email spoofing:

An attacker sends email but makes it appear to come from someone else.
With email spoofing, someone receives email that appears to have originated from
one source when it actually was sent from another source.
Purposes of email spoofing:
– Hiding the sender's identity
– Impersonating someone
– Implicating someone
– Tricking someone into making a damaging statement or releasing sensitive information

Fig: A spoofed email sent to customers, indicating that the message was sent on
behalf of eBay.

6. COMPLETING THE ILLUSION

The attack as described thus far is fairly effective, but it is not perfect. There is still some
remaining context that can give the victim clues that the attack is going on. However, it is
possible for the attacker to eliminate virtually all of the remaining clues of the attack's
existence. Such evidence is not too hard to eliminate because browsers are very
customizable. The ability of a Web page to control browser behavior is often desirable,
but when the page is hostile it can be dangerous.

6.1 The Status Line:

The status line is a single line of text at the bottom of the browser window that displays
various messages, typically about the status of pending Web transfers. The attack as
described so far leaves two kinds of evidence on the status line. First, when the mouse is
held over a Web link, the status line displays the URL the link points to. Thus, the victim
might notice that a URL has been rewritten. Second, when a page is being fetched, the
status line briefly displays the name of the server being contacted.

6.2 The Location Bar:

The browser's location line displays the URL of the page currently being shown. The
victim can also type a URL into the location line, sending the browser to that URL. The
attack as described so far causes a rewritten URL to appear in the location line, giving the
victim a possible indication that an attack is in progress. The real location line can be
hidden and replaced by a fake location line which looks right and is in the expected
place. The fake location line can show the URL the victim expects to see. The fake
location line can also accept keyboard input, allowing the victim to type in
URLs normally.

6.3 Viewing the Document Source:

There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed.
By using the browser's "view source" feature, the victim can look at the HTML source for
the currently displayed page. By looking for rewritten URLs in the HTML source, the
victim can spot the attack. A related clue is available if the victim chooses the browser's
"view document information" menu item. This will display information including the
document's real URL, possibly allowing the victim to notice the attack.
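One way to act on the "view source" clue above, as an added example that is not from the paper: a script that lists every link, form action and embedded resource in a page's HTML source that leaves the site the user believes they are on, given the URL they expect and the site's domain. The sample page and the `.example` host names are constructed for the demonstration.

```python
"""Added example: scanning a page's HTML source for rewritten URLs. A proxying
attacker rewrites each link to point at its own host while keeping the real
URL inside the path or query so the page still works; such links show up here
as foreign hosts that embed the site's own domain."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LinkCollector(HTMLParser):
    """Collect every link, form action and embedded resource target."""

    def __init__(self) -> None:
        super().__init__()
        self.targets: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "action", "src") and value:
                self.targets.append((tag, value))


def find_rewritten_links(page_url: str, html: str, site_domain: str) -> list[tuple[str, str, str]]:
    """Return (tag, target, reason) for every target that leaves site_domain."""
    site_domain = site_domain.lower()
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for tag, target in collector.targets:
        parts = urlsplit(urljoin(page_url, target))  # resolve relative links
        host = (parts.hostname or "").lower()
        if host == site_domain or host.endswith("." + site_domain):
            continue  # stays on the real site or one of its subdomains
        if site_domain in parts.path.lower() or site_domain in parts.query.lower():
            findings.append((tag, target, "foreign host %s embeds the real URL" % host))
        else:
            findings.append((tag, target, "foreign host %s" % host))
    return findings


# Constructed sample: a login page as it might look after passing through a
# rewriting proxy (hypothetical hosts under the reserved .example TLD).
SAMPLE_PAGE = """
<html><body>
<a href="/account/summary">Account summary</a>
<a href="https://www.bank.example/help">Help</a>
<img src="https://static.bank.example/logo.png">
<a href="http://proxy.attacker.example/http://www.bank.example/login">Sign in</a>
<form action="http://proxy.attacker.example/submit?orig=https://www.bank.example/login">
<input name="password"></form>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_rewritten_links("https://www.bank.example/login", SAMPLE_PAGE, "bank.example"):
        print(finding)
```

Legitimate pages also link off-site (partners, content delivery hosts), so the output is a review list rather than a verdict; the telltale pattern is a foreign host whose path or query carries the real site's URL.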

7. ANTI-SPOOFING

In this section we provide means to counter spoofing, focusing on what users can do,
what software can be used and what laws are in place for handling this type of
crime.

1. Users

Most people become aware when something is wrong with their email or the site they are
currently viewing. Still, there will always be newcomers to the "net", and some training is
required for people to understand the difference between "good" and "bad" email/sites. One
of the most common ways to fool a user is to get the user to reveal their username,
passwords or account information. Most companies will never ask for your information
in a mail, and in case they lose your password or account due to an error, they will
simply make you a new one.

2. Software

While training is not always an option, different software has been developed to help
you combat the problem. In a PC World article [PCW] Tom Spring tested three different
tools that use different approaches to detect phishing. The first one, the Anti-fraud toolbar
from Cloudmark (http://www.cloudmark.com/), is based on a blacklist of known "bad" sites.
When a user attempts to enter a site on the blacklist the program will issue a warning stating
that the site is not safe to go to. The second one is Trustbar from Comodo, and it is based on
a white-list of "good" sites. When you surf on a site that is on the white-list the company's
name will appear on the toolbar; when not on the white-list a warning will be issued, but it
doesn't prevent you from surfing further. A list of other tools can be obtained at
http://www.antiphishing.org/solutions.html#toolbars.

7.1 Short-term Solutions

In the short run, the best defense is to follow a three-part strategy:

1. Disable JavaScript in your browser so the attacker will be unable to hide the evidence
   of the attack;
2. Make sure your browser's location line is always visible;
3. Pay attention to the URLs displayed on your browser's location line, making sure they
   always point to the server you think you're connected to.

This strategy will significantly lower the risk of attack, though you could still be
victimized if you are not conscientious about watching the location line.

7.2 Long-term Solutions

Our initial motivation was not to attack but to defend: to "build a better browser" that, for
example, could clearly indicate security attributes of a server (and so enable clients to
securely use our server hardening techniques). None of the above solutions is strong enough
to be a general solution for preventing web spoofing. An ideal browser should be a
platform which enables all the modern web techniques to be fully functional, and at the
same time supplies unspoofable features to indicate the communication security.

8. FUTURE SPOOFING WORK

Our fake Web pages are not perfect. In our demonstration, we only implement enough
to prove the concept; however, as noted earlier, we are not yet able to forge some
aspects of legitimate browser behavior:
- Creating convincing editable location lines appears to depend on the user's
  preferences, which we cannot yet learn. Either we gamble, or we do not have
  editable lines.
- We cannot yet obtain the user's genuine history information for the pull-down
  history options.

9. CONCLUSION

Web spoofing has become a serious issue for the global internet community. More and
more organizations provide greater online access for their customers, and rely heavily on
online services in the way they do business. Understanding the tools and methods the
phishers have at their disposal is a crucial element in defending against these attacks.
However, users can increase their security by following these guidelines:

1. Always contact sensitive web sites by typing their address in the location bar, using a
   bookmark or following a link from a secure site, preferably protected by SSL/TLS.
2. Never click on links from e-mail messages or from other non-trustworthy sources.
   These could lead you to a URL-forwarding site.
3. Be very careful to inspect the location bar and the SSL icon upon entering sensitive
   web pages.
4. If possible, restrict the damage due to spoofing by instructing your financial services
   to limit online transactions in your account to cover only what you really need.

REFERENCES

1. http://webmasters-forums.com/web-spoofing-t-402.html
2. http://www.washington.edu/computing/windows/issue22/spoofing.html
3. http://www.cs.princeton.edu/sip/WebSpoofing/
4. http://www.cs.princeton.edu/sip/pub/spoofing.html