A TECHNICAL PAPER PRESENTATION ON WEB SPOOFING

AUTHORS
S. MOUNICA REDDY, CSE I/IV year, Roll No: 09RD1A0540, mounica10@gmail.com
N. VISHAKA AGARWAL, CSE I/IV year, Roll No: 09RD1A0522, vishakasnoopy@yahoo.co.in
ABSTRACT
Web spoofing describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers. Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web.

First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any actions taken by the victim would be logged by the attacker. In addition, any attempt by the victim to load a new page would cause the newly-loaded page to be routed through the attacker's server, so the attack would continue on the new page.
INTRODUCTION TO WEB SPOOFING
Web Spoofing is a security attack that allows an adversary to observe and modify all web pages sent to the victim's machine, and to observe all information entered into forms by the victim. Web Spoofing works on both of the major browsers and is not prevented by "secure" connections. The attacker can observe and modify all web pages and form submissions, even when the browser's "secure connection" indicator is lit. The user sees no indication that anything is wrong.

The attack is implemented using JavaScript and Web server plug-ins, and works in two parts. First, the attacker causes a browser window to be created on the victim's machine, with some of the normal status and menu information replaced by identical-looking components supplied by the attacker. Then, the attacker causes all Web pages destined for the victim's machine to be routed through the attacker's server. On the attacker's server, the pages are rewritten in such a way that their appearance does not change at all, but any actions taken by the victim (such as clicking on a link) would be logged by the attacker. In addition, any attempt by the victim to load a new page would cause the newly-loaded page to be routed through the attacker's server, so the attack would continue on the new page. The attack is initiated when the victim visits a malicious Web page, or receives a malicious email message (if the victim uses an HTML-enabled email reader).
SPOOFING ATTACKS:
In a spoofing attack, the attacker creates misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like a con game: the attacker sets up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world.

Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays.

People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason.
TYPES OF SPOOFING:
There are different types of spoofing, such as IP spoofing, email spoofing and web spoofing; the main types are listed below:
1. IP spoofing
2. Email spoofing
3. Web spoofing
4. URL spoofing
5. IDN spoofing
6. DNS spoofing
7. Proxy spoofing
THREAT MODELS AND ATTACKS:
The initial design of Internet and Web protocols assumed a benign environment, where servers, clients and routers cooperate and follow the standard protocols, except for unintentional errors. However, as the amount and sensitivity of usage increased, concerns about security, fraud and attacks became important. In particular, since Internet access is now widely available, it is very easy for attackers to obtain many client and even host connections and addresses, and use them to launch different attacks on the network itself and on other hosts and clients. In particular, with the proliferation of commercial domain name registrars allowing automated, low-cost registration in most top level domains, it is currently very easy for attackers to acquire essentially any unallocated domain name, and place malicious hosts and clients there.

We call this the unallocated domain adversary: an adversary who is able to issue and receive messages using many addresses in any domain name, excluding the finite list of already allocated domain names. This is probably the most basic and common type of adversary. Unfortunately, we believe, as explained below, that currently most web users are vulnerable even against unallocated domain adversaries. This claim may be surprising, as sensitive web sites are usually protected using the SSL or TLS protocols, which, as we explain in the following subsection, securely authenticate web pages even in the presence of intercepting adversaries. Intercepting adversaries are able to send and intercept messages to and from all domains. Indeed, even without SSL/TLS, the HTTP protocol securely authenticates web pages against spoofing adversaries, which are able to send messages from all domains, but receive only messages sent to unallocated domains.

However, the security provided by SSL/TLS is only with respect to the address (URL) and security mechanism (HTTPS, using SSL/TLS, or 'plain' HTTP) requested by the application (usually the browser). In a phishing attack (and most other spoofing attacks), the application specifies, in its request, the URL of the spoofed site. Namely, web spoofing attacks focus on the gap between the intentions and expectations of the user, and the address and security mechanism specified by the browser to the transport layer.
HOW WEB SPOOFING WORKS?
Web spoofing is a kind of electronic con game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one: it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker.

Consequences
Since the attacker can observe or modify any data going from the victim to Web servers, as well as controlling all return traffic from Web servers to the victim, the attacker has many possibilities. These include surveillance and tampering.

Surveillance
The attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. When the victim fills out a form, the entered data is transmitted to a Web server, so the attacker can record that too, along with the response sent back by the server. Since most on-line commerce is done via forms, this means the attacker can observe any account numbers or passwords the victim enters. The attacker can carry out surveillance even if the victim has a "secure" connection (usually via Secure Sockets Layer) to the server, that is, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key).

Tampering
The attacker is also free to modify any of the data traveling in either direction between the victim and the Web. The attacker can modify form data submitted by the victim. For example, if the victim is ordering a product on-line, the attacker can change the product number, the quantity, or the ship-to address. The attacker can also modify the data returned by a Web server, for example by inserting misleading or offensive material in order to trick the victim or to cause antagonism between the victim and the server.
HOW DOES THE ATTACK WORK?
The first vulnerability is due to the validation that the server's public key, which SSL obtains from the server's certificate, belongs to the site with the given location (URL). This validation is the responsibility of the application (e.g. the browser) and is not part of the SSL/TLS specifications; SSL/TLS merely passes the server's certificate to the application. Currently, browsers are vulnerable to the false certificate attack, where the adversary receives a certificate for the domain of the victim web page from a CA trusted by the browser, but containing a public key generated by the adversary. Therefore, the adversary has the matching private key and can pass SSL server authentication for the victim web page.

We now explain how the false certificate attack works. In the current design of browsers, the user is responsible for validating the authenticity of web sites, by noting relevant status areas in the browser user interface. The relevant status areas are the location bar, containing the URL (Universal Resource Locator), and the SSL indicator (typically an open lock for insecure sites and a closed lock for SSL/TLS protected sites). We are mostly interested in the web spoofing attack, which exploits this vulnerability by directing the browser to an adversary-controlled clone site that resembles the original, victim site, which the user wanted to access. Web spoofing attacks are very common, and are currently the most severe threat to secure e-commerce. As we explain below, most web spoofing attackers simply rely on the fact that many users may not notice an incorrect URL or the lack of an SSL indicator when approaching their online banking site (or other sensitive site). Therefore, an attacker can circumvent the SSL site authentication trivially, by not using SSL and/or by using a URL belonging to a domain owned or controlled by the attacker, for which the attacker can obtain a certificate. More advanced attacks can mislead even users that validate the SSL indicator and location bar (containing the URL).
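The application-side check described above, which SSL/TLS leaves to the browser, as an added example that is not from this paper: binding the names in the server's certificate to the host in the URL the user asked for. Modern Python's ssl module performs this check itself when check_hostname is enabled; the code re-implements the matching rules over constructed certificate dicts (in the shape returned by getpeercert()) with placeholder hostnames, so that a valid CA-issued certificate for an attacker-owned lookalike domain is visibly rejected for the victim site.

```python
from urllib.parse import urlsplit

# Constructed certificate subjects in the dict shape returned by ssl.SSLSocket.getpeercert().
# Hostnames are placeholders, not real sites.
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "bank.example")),
}
# A perfectly valid certificate for a domain the adversary registered and controls.
LOOKALIKE_CERT = {
    "subject": ((("commonName", "bank-example.test"),),),
    "subjectAltName": (("DNS", "bank-example.test"), ("DNS", "*.bank-example.test")),
}


def _label_match(pattern: str, host: str) -> bool:
    """RFC 6125 style match: a single '*' may only replace the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Wildcard must be the entire leftmost label, cover one label only, and not be too broad.
    if len(p_labels) != len(h_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """Does this certificate actually name the host the application requested?"""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:  # when DNS SANs are present the commonName is ignored
        return any(_label_match(san, hostname) for san in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(_label_match(cn, hostname) for cn in cns)


def verify_requested_site(url: str, cert: dict) -> bool:
    """Bind the URL the user intended to visit to the certificate the server presented."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return False  # plain HTTP gives no server authentication at all
    return cert_matches_host(cert, parts.hostname)
```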
Fig 7.1 HTTP request response process with SSL protection
In practice, attackers usually use an even easier method to direct the user to the spoofed site: phishing spoofing attacks, usually using spam e-mail messages. We describe the process of a typical phishing attack used to lure the user into a spoofed web site.

The adversary first buys some unallocated domain name, often related to the name of the target, victim web site. Then, the adversary sends spam (unsolicited e-mail) to many users; this spam contains a 'phishing bait message', luring the user to follow a link embedded in the bait message. The mail message is a forgery: its source address is that of the victim entity, e.g. a bank that the user uses (or may use), and its contents attempt to coerce the user into following a link in the message, supposedly to the victim organization, but actually to the phishing site. If the victim entity signs all its e-mail, e.g. using S/MIME or PGP [Z95], then our techniques (described later on) could allow the user to detect this
Fig 7.2 process of typical phishing spoofing attack
fraud. However, currently only a tiny fraction of organizations sign outgoing e-mail; therefore this is not an option, and many naïve users may click on the link in the message, supposedly to an important service from the victim entity. The link actually connects the users to the spoofed web site, emulating the site of the victim entity, where the user provides information useful to the attacker, such as credit card number, name, e-mail addresses, and other information. The attacker stores the information in some 'stolen information' database; among other usages, he also uses the credit card number to purchase additional domains, and the e-mail addresses and name to create more convincing spam messages (e.g. to friends of this user).

Currently most phishing attacks lure the users by using spam (unsolicited, undesirable e-mail), as described above. However, we define a phishing spoofing attack as (any method of) luring the user into directing his browser to a spoofed web site. For example, an attacker could use banner-ads or other ads to lure users to the spoofed site. We believe spam is the main phishing tool simply because currently spam is extremely cheap and hard to trace back to the attacker. Spamming causes many other damages, in particular waste of human time and attention, and of computer resources. Currently, the most common protection against spam appears to be content-based filtering; however, since phishing attacks emulate valid e-mail from (financial) service providers, we expect them to pass content-based filtering. Proposals for controlling and preventing spam, e.g. [CSRI04, He04], may also help to prevent or at least reduce spam-based phishing. Most phishing spoofing attacks require only an unallocated web address and server, but do not require intercepting (HTTP) requests of the user; therefore, even weak attackers can deploy them. This may explain their popularity. This means that the domain name used in the phishing attack is different from the domain name of the victim organization.
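The bait message described above, seen from the receiving side, as an added example that is not the paper's code. It serves both the threat-model point (the browser requests whatever URL it is handed, so the check must happen before the click) and the phishing process just described: it pulls every link out of a constructed bait message and flags links whose host is not under the expected domain, that put userinfo before an '@' to disguise the real host, that use punycode (IDN) labels, or that lack TLS. The domain, the addresses and the sample message are placeholders, and the two-label registrable-domain rule is a simplification of a public-suffix lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed bait message following the pattern in the text; not a real e-mail.
BAIT_EMAIL = """From: security@bank.example
Subject: Urgent: confirm your account
Your account has been limited. Restore access at
https://www.bank.example@bank-example.test/login
or visit http://xn--bank-examp1e.test/secure
Our real site: https://www.bank.example/
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registrable_domain(host: str) -> str:
    """Last two labels of the host; stands in for a public-suffix-list lookup."""
    return ".".join(host.lower().split(".")[-2:])


def assess_link(url: str, expected_domain: str) -> list:
    """Return the reasons a link is suspicious; an empty list means it is consistent."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons = []
    if parts.scheme != "https":
        reasons.append("no TLS: plain http link")
    if parts.username is not None:
        # 'https://www.bank.example@evil.test/' shows the bank name but connects to evil.test
        reasons.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN) host label")
    if registrable_domain(host) != expected_domain:
        reasons.append(f"host {host!r} is not under {expected_domain!r}")
    return reasons


def scan_message(text: str, expected_domain: str) -> dict:
    """Map every link found in the message body to its list of warnings."""
    return {u: assess_link(u, expected_domain) for u in URL_RE.findall(text)}
```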
CONCLUSION:
In the developer community, currently web users, and in particular naïve users, are vulnerable to different web spoofing attacks; elsewhere, phishing and spoofing attacks are in fact increasingly common. In this paper, we describe browser and protocol extensions that we are designing and implementing, which will help prevent web spoofing (and phishing) attacks. The main idea is to enhance browsers with a mandatory Trust Bar, with a fixed location at the top of every web page. The most important credential is probably the logo of the organization, used to provide and reinforce the brand; and, when some trusted authority certifies the logo or other credentials of the site, the logo of that trusted authority (e.g. a certificate authority). Our hope is that browser developers will incorporate the Trust Bar as soon as possible, i.e. make Trust Bar-enabled browsers. We hope to soon make available the source code of our implementation of the Trust Bar (for the Mozilla browser), and we will be happy to cooperate with others on making high-quality open source code available.

To conclude this paper, we present conclusions and recommendations for users and owners of sensitive web sites, such as e-commerce sites, for the period until browsers are Trust Bar-enabled; see additional recommendations in [TTV04]. We also note that even when using Trust Bar-enabled browsers, viruses and other malicious software may still be able to create unauthorized transactions, due to operating system vulnerabilities. We recommend that highly sensitive web sites such as e-brokerage consider authorizing transactions using more secure hardware modules.