Web Spoofing

This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today s systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer.

1.1 HISTORY

The concept of IP spoofing was initially discussed in academic circles in the 1980 s. It was primarily theoretical until Robert Morris, whose son wrote the first Internet Worm, discovered a security weakness in the TCP protocol known as sequence prediction. Another infamous attack, Kevin Mitnick s Christmas day, crack of Tsutomu Shimomura s machine, employed the IP spoofing and TCP sequence prediction techniques. While the popularity of such cracks has decreased due to the demise of the services they exploited, spoofing can still be used and needs to be addressed by all security administrators.

1.2 WHAT IS SPOOFING?

Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address from the one you really have in order to gain something. That might be information like credit card numbers, passwords, personal information or the ability to carry out actions using someone else’s identity.

IP spoofing attack involves forging one s source address. It is the act of using one machine to impersonate another. Most of the applications and tools in web rely on the source IP address authentication. Many developers have used the host based access controls to secure their networks. Source IP address is a unique identifier but not a reliable one. It can easily be spoofed.

Web spoofing allows an attacker to create a shadow copy of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker s machine, allowing the attacker to monitor the all of the victim s activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim s name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

The various types of spoofing techniques that we discuss include TCP Flooding, DNS Server Spoofing Attempts, web site names, email ids and link redirection.

Web spoofing is the act of secretly tricking your Web browser into talking to a different Web server than you intend. How? By attacking the DNS (domain name system) that maps the "www.site.com" in a URL to a network address, or by modifying a Web page to have a bad URL, or by tricking your browser as it interprets CGI data, JavaScript, etc.

After your browser has been fooled, the spoofed Web server can send you fake Web pages or prompt you to provide personal information such as your login ID, password, or even credit card or bank account numbers. If done carefully, you probably will not even notice that you have been duped.

How to Spot a Spoofed Page

Some Web spoofing may be noticeable, so it is helpful to keep these tips in mind:

  • If you hold your mouse over a URL that is a link, the status line displays the corresponding URL. Be suspicious if the status line URL is different from what you think you should see.
  • When the Web page is being requested, the status line will show the name of the server. Beware if the server name is different from what you expected.
  • Your browser's location line is the place to watch for anything unusual about a site's URL.

Unfortunately, clues to a Web spoofing attack can be hidden if the attacker is using JavaScript (which can write to the status line and rewrite location line URLs) or a similar program that makes all requests for a particular URL go to the attacker's system. After obtaining the desired information, the spoofed Web site might even send you to the correct site.

Another way to think about Web spoofing is to be aware of where a link goes--whether to a place you expected or to someplace odd.

Private Information Requests

If Web pages with which you are familiar suddenly ask you to fill in private information, weigh the situation carefully before supplying it. If possible, call or send mail to the official source to verify that this change is legitimate. When in doubt, do not enter any information you feel uncomfortable providing.

Even a secure "https" connection (with Secure Sockets Layer) does not guarantee against surveillance or modification of information you send. If you are already connected to the attacker's system, you may simply be securely connected to the Web spoofer's server.

What to Do

If you think you are a victim of a Web spoof, report it to the official source of the page by phone or via an email address that you know to be correct. If you have been tricked into supplying your password, you should change it immediately.

Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor the all of the victim's activities including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

SPOOFING ATTACKS

In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world.

Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays.

People using computer systems often make security-relevant decisions based on contextual cues they see. For example, one might decide to type in your bank account number because he/she believes you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason.



WEB SPOOFING

Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.

Consequences Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering.

Surveillance The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce is done via forms, this means the attacker can observe any account numbers or passwords the victim enters.

The attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key).

Tampering The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address.
The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server.


Spoofing the Whole Web

You may think it is difficult for the attacker to spoof the entire World Wide Web, but it is not. The attacker need not store the entire contents of the Web. The whole Web is available on-line; the attacker's server can just fetch a page from the real Web when it needs to provide a copy of the page on the false Web.

How the Attack Works:

The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle attack" in the security literature.

Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and observe all information entered into forms by the victim. Web Spoofing works on both of the major browsers and is not prevented by "secure" connections. The attacker can observe and modify all web pages and form submissions, even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong.

The attack is implemented using JavaScript and Web server plug-ins, and works in two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any actions taken by the victim (such as clicking on a link) would be logged by the attacker. In addition, any attempt by the victim to load a new page would cause the newly-loaded page to be routed through the attacker's server, so the attack would continue on the new page.

The attack is initiated when the victim visits a malicious Web page, or receives a malicious email message (if the victim uses an HTML-enabled email reader).

We have implemented a demonstration of the Web Spoofing attack and have shown the demo live at the Internet World conference and on MSNBC television. Although the implementation is not trivial, it is well within the means of a single dedicated programmer.

Current browsers do not prevent Web Spoofing, and there seems to be little movement in the direction of addressing this problem. We believe that there can be no secure electronic commerce on the Web until the Web Spoofing vulnerability has been addressed.

Many false claims have been made about Web Spoofing, and some people who make public statements about Web Spoofing do not understand the full scope of the problem. If you want to understand Web Spoofing, please read our paper on the topic. We worked hard to make it accessible to non-experts.