
SCHOOL OF COMPUTER SCIENCES, UNIVERSITI SAINS MALAYSIA

CST233 INFORMATION SECURITY & ASSURANCE
Assignment 1
White Paper: Web Spoofing Attack

Prepared for
Dr. Aman Jantan, Lecturer, School of Computer Sciences

Prepared by
Mohd Faizal Bin Zakaria, 106452

Semester 2, 2011/2012

Abstract

This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Mozilla Firefox, Netscape Navigator and Microsoft Internet Explorer. Web spoofing allows an attacker to create a shadow copy of the entire World Wide Web. Accesses to the shadow Web allow the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server. In short, the attacker observes and controls everything the victim does on the Web. This paper also investigates a real case of how web spoofing happens and how to prevent the attack.

Introduction

Web spoofing, also known as phishing or carding, is a significant form of Internet crime that is launched against hundreds or thousands of individuals each day. The US Secret Service and the San Francisco Electronic Crimes Task Force report that approximately 30 attack sites are detected each day. Each attack site may be used to defraud hundreds or thousands of victims, and it is likely that many attack sites are never detected. A typical web spoof attack begins with bulk email to a group of unsuspecting victims. Each is told that there is a problem with their account. Victims of the spoofing attack then follow a link in the email message to connect to a spoofed site. Once a victim enters his or her user name and password on the spoof site, the criminal has the means to impersonate the victim, potentially withdrawing money from the victim's account or causing harm in other ways. Web spoofing is a significant problem involving fraudulent email and web sites that trick unsuspecting users into revealing private information. In a spoofing attack, the attacker creates a misleading context in order to trick the victim into making an inappropriate security-relevant decision. A spoofing attack is like the attacker setting up a false but convincing world around the victim. The victim does something that would be appropriate if the false world were real. Unfortunately, activities that seem reasonable in the false world may have disastrous effects in the real world. Given the scale of the problem, web spoofing and other forms of identity theft will continue to be problems in coming years.

Problem

According to Agents of the U.S. Secret Service San Francisco Electronic Crimes Task Force, the U.S. Government's Internet Fraud Complaint Center received over 75,000 complaints in 2002. Of this number, 48,000 cases resulted in further action requests. This is a three-fold increase over 2001. The total dollar losses are estimated at more than $54 million, compared to $17 million for 2001. A majority of these fraud complaints are intrusions, auction fraud, credit card/debit fraud, and computer intrusion. Agents of the U.S. Secret Service San Francisco Electronic Crimes Task Force report that web spoofing was first noticed in late 2001 and grew in popularity in 2002, correlating with the large increase in Internet fraud. Further, a majority of the $37 million increase in losses from 2001 to 2002 can be attributed to web spoofing. Agents working fraud cases in the Bay Area also report that a majority of their Internet cases involve web spoofing. One factor that adds to the severity of web spoofing attacks is that many users use the same username and password at several sites. This allows a phisher who reels in a victim to use this information on more than one site. For this reason, companies that provide password-protected services are dependent on each other for their security. This is not only true with regard to web spoofing, but for other kinds of attacks as well. If passwords from one site can be stolen by attacking the site itself, these may also be used at other sites that protect their password database more effectively. A recent attack described in a New York Times article actually mentioned fraudulent email, indicating some level of public awareness of spoof attacks. On June 18, 2003, thousands of fraudulent e-mails with the subject "Fraud Alert" were sent out, hoping to reach Best Buy customers. The e-mails attempted to convince customers that Best Buy's fraud department required additional customer information, "in our effort to deter fraudulent transactions". To further lure unsuspecting victims, the e-mail provided a link that purported to reach a special Fraud Department at the Best Buy web site. Instead, the link actually pointed to a fraudulent page unrelated to Best Buy. The Best Buy attacker's page resembled an official Best Buy page, using the Best Buy logo, incorporating elements from an official Best Buy page, and providing links to other Best Buy resources. The page requested a customer's social security number and credit card information.

Characteristics of a Web Spoofing Attack

These are the characteristics of a web spoofing attack:

Logos. The spoof site uses logos found on the honest site to imitate its appearance.

Suspicious URLs. Spoof sites are located on servers that have no relationship with the honest site. The spoof site's URL may contain the honest site's URL as a substring (http://www.ebaymode.com), or may be similar to the honest URL (http://www.paypaI.com, with a capital I in place of the lowercase l). IP addresses are sometimes used to disguise the host name (http://25255255255/top.htm). Others use @ marks to obscure their host names (http://ebay.com:top@255255255255/top.html), or contain suspicious usernames in their URLs (http://middleman/http://www.ebay.com).

User input. All spoof sites contain messages to fool the user into entering sensitive information, such as a password, social security number, etc. Some successful spoofs have even been so bold as to ask for name, address, mother's maiden name, driver's license, and so on.

Short lived. Most spoof sites are available for only a few hours or days, just enough time for the attacker to spoof a high enough number of users. The implication is that defensive methods that alert the user to a spoof site are more effective than reactive methods that attempt to shut down the site.

Copies. Attackers copy HTML from the honest site and make minimal changes. Two consequences are: (i) some spoof pages actually contain links to images (e.g. logos and buttons) on the honest site, rather than storing copies; (ii) the names of fields and the HTML code remain as on the honest site. We note that when a spoof site refers to the honest site for embedded images, it gives the honest site an opportunity to detect the spoof: the honest site detects an HTTP request for an embedded image where the Referer header is not the honest site. Such requests should not occur unless the honest site is being plagiarized.

Sloppiness or lack of familiarity with English. Many spoof pages have silly misspellings, grammatical errors, and inconsistencies. In the Best Buy scam, the fake web page listed a telephone number with a Seattle area code for a Staten Island, NY, mailing address.

HTTPS is uncommon. Most spoof web sites do not use HTTPS even if the honest site does. This simplifies setting up the spoof site.
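The URL patterns listed above lend themselves to a mechanical check. What follows is an added example written for this page, not code from the paper or from any browser plug-in it describes: a small stateless scorer that flags each pattern named here (the honest host as a substring of another host, a look-alike host, a numeric host, an "@" in the authority, and a second scheme embedded in the path) and adds the weights into a spoof index. The honest-host list, the confusable-glyph table, the weights and the alert thresholds are all assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed list of honest hosts the checker protects (an assumption).
HONEST_HOSTS = {"www.ebay.com", "www.paypal.com", "www.bestbuy.com"}

# Glyphs that are easily confused in a browser's location line (assumption:
# a deliberately small table; capital I for lowercase l is the paypaI case).
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o"})

IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def _strip_www(host):
    return host[4:] if host.startswith("www.") else host


def url_heuristics(url):
    """Return a list of (feature, weight) pairs for every suspicious trait of url."""
    hits = []
    parts = urlsplit(url)
    netloc = parts.netloc

    # An '@' in the authority: the text before it is a decoy user name and
    # the real host is whatever follows it.
    if "@" in netloc:
        hits.append(("userinfo_in_netloc", 3))
        netloc = netloc.rsplit("@", 1)[1]

    raw_host = netloc.split(":", 1)[0]
    host = raw_host.lower()
    normalised = raw_host.translate(CONFUSABLES).lower()

    if host in HONEST_HOSTS or "www." + host in HONEST_HOSTS:
        return hits  # genuinely the honest host; only the '@' trick could apply

    # Numeric host instead of a name (dotted quad or the undotted form).
    if IPV4_RE.match(host) or host.isdigit():
        hits.append(("ip_host", 2))

    # A second scheme inside the path or query: a middleman is rewriting URLs.
    if re.search(r"https?://", parts.path + "?" + parts.query):
        hits.append(("embedded_url", 3))

    for honest in HONEST_HOSTS:
        brand = _strip_www(honest).split(".", 1)[0]
        if brand in host:
            hits.append(("honest_substring", 2))   # e.g. ebaymode.com
        elif normalised == honest or normalised == _strip_www(honest):
            hits.append(("lookalike_host", 3))     # e.g. paypaI.com
    return hits


def spoof_index(url):
    """Total weight of all flagged features."""
    return sum(weight for _, weight in url_heuristics(url))


def alert_level(url, passive_at=2, popup_at=5):
    """Map the index to the kind of warning: none, passive indicator, or pop-up."""
    index = spoof_index(url)
    if index >= popup_at:
        return "popup"
    if index >= passive_at:
        return "passive"
    return "none"


if __name__ == "__main__":
    for sample in ("http://www.ebay.com", "http://www.ebaymode.com",
                   "http://www.paypaI.com", "http://25255255255/top.htm",
                   "http://ebay.com:top@255255255255/top.html",
                   "http://middleman/http://www.ebay.com"):
        print(f"{spoof_index(sample):2d} {alert_level(sample):8s} {sample}")
```

Run on the paper's own sample URLs, the honest host scores 0, each single trick lands in the passive-indicator range, and the "@" sample reaches the pop-up threshold because two tricks (a decoy user name and a numeric host) stack. A substring match alone is a weak signal, which is why it carries the lowest weight; a real checker would also consult a list of hosts the user has visited before.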

Web Spoofing using Username and Password.

Another Attack

Spoofing attacks are possible in the physical world as well as the electronic one. For example, there have been several incidents in which criminals set up bogus automated-teller machines, typically in the public areas of shopping malls. The machines would accept ATM cards and ask the person to enter their PIN code. Once the machine had the victim's PIN, it could either eat the card or "malfunction" and return the card. In either case, the criminals had enough information to copy the victim's card and use the duplicate. In these attacks, people were fooled by the context they saw: the location of the machines, their size and weight, the way they were decorated, and the appearance of their electronic displays. People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your bank account number because you believe you are visiting your bank's Web page. This belief might arise because the page has a familiar look, because the bank's URL appears in the browser's location line, or for some other reason.

How the Attack Works

The key to this attack is for the attacker's Web server to sit between the victim and the rest of the Web. This kind of arrangement is called a "man in the middle" attack in the security literature.

URL Rewriting

The attacker's first trick is to rewrite all of the URLs on some Web page so that they point to the attacker's server rather than to some real server. Assuming the attacker's server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com. (The URL rewriting technique has been used for other reasons by several other Web sites, including the Anonymizer and the Zippy filter.) Below is what happens when the victim requests a page through one of the rewritten URLs. The victim's browser requests the page from www.attacker.org, since the URL starts with http://www.attacker.org. The remainder of the URL tells the attacker's server where on the Web to go to get the real document.

Once the attacker's server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special form by splicing http://www.attacker.org/ onto the front. Then the attacker's server provides the rewritten page to the victim's browser. Since all of the URLs in the rewritten page now point to www.attacker.org, if the victim follows a link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it.

Starting the Attack

To start an attack, the attacker must somehow lure the victim into the attacker's false Web. There are several ways to do this. An attacker could put a link to a false Web onto a popular Web page. If the victim is using Web-enabled email, the attacker could email the victim a pointer to a false Web, or even the contents of a page in a false Web. Finally, the attacker could trick a Web search engine into indexing part of a false Web.

Solution

A number of tests can be used to distinguish spoof pages from honest pages:

1. Stateless methods that determine whether a downloaded page is suspicious.
2. Stateful methods that evaluate a downloaded page in light of previous user activity, and methods that evaluate outgoing HTML POST data.
3. The total spoof index of a page determines whether the plug-in alerts the user, and determines the severity and type of alert. Since pop-up warnings are intrusive and annoying, it can attempt to warn the user through a passive toolbar indicator in most situations.
4. A user checkbox can eliminate all pop-ups if desired. Other methods, such as tracking server image requests, may also be effective in identifying spoof sites.
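The "Copies" characteristic above and item 4 here both point at the same server-side check: a request for one of the honest site's embedded images whose Referer header names some other host. The following is an added example written for this page, not the paper's code nor that of the plug-in it describes. It runs that check over a few constructed lines in Apache combined log format; the honest host names, the image suffix list and the two-hit threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed log lines in Apache/NCSA combined log format; the hosts use the
# reserved .example and .test domains and are not real servers.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jun/2003:10:01:02 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "http://www.honest.example/login" "Mozilla/4.0"
203.0.113.5 - - [18/Jun/2003:10:01:03 +0000] "GET /images/button.gif HTTP/1.1" 200 912 "http://www.honest.example/login" "Mozilla/4.0"
198.51.100.7 - - [18/Jun/2003:10:05:44 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "http://www.honest-example.test/fraud-dept.html" "Mozilla/4.0"
198.51.100.8 - - [18/Jun/2003:10:05:51 +0000] "GET /images/button.gif HTTP/1.1" 200 912 "http://www.honest-example.test/fraud-dept.html" "Mozilla/4.0"
192.0.2.9 - - [18/Jun/2003:10:07:10 +0000] "GET /images/logo.gif HTTP/1.1" 200 4821 "-" "Mozilla/4.0"
192.0.2.10 - - [18/Jun/2003:10:09:15 +0000] "GET /login HTTP/1.1" 200 2210 "http://www.honest-example.test/fraud-dept.html" "Mozilla/4.0"
"""

# Assumed: the hosts under which the honest site legitimately serves pages.
HONEST_HOSTS = {"www.honest.example", "honest.example"}
IMAGE_SUFFIXES = (".gif", ".jpg", ".jpeg", ".png")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def foreign_image_requests(log_text):
    """Yield parsed requests for embedded images whose Referer is another host."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        if not rec["path"].lower().endswith(IMAGE_SUFFIXES):
            continue
        referer = rec["referer"]
        if referer == "-":
            # No Referer at all: direct access, bookmarks or a privacy setting.
            # Absence is not evidence of plagiarism, so it is not counted.
            continue
        ref_host = urlsplit(referer).netloc.lower()
        if ref_host and ref_host not in HONEST_HOSTS:
            rec["referer_host"] = ref_host
            yield rec


def suspected_spoof_hosts(log_text, min_hits=2):
    """Count foreign referrers per host and return those at or above min_hits."""
    counts = Counter(r["referer_host"] for r in foreign_image_requests(log_text))
    return {host: n for host, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    for host, n in sorted(suspected_spoof_hosts(SAMPLE_LOG).items()):
        print(f"{n} embedded-image requests referred from {host}")
```

Only the two requests referred from www.honest-example.test are flagged; the request with no Referer is ignored, and the page request referred from the same host is not an image and so does not count. A single foreign hit can be an innocent hotlink from a forum or a news article, which is why the report uses a threshold and why the result is a lead for review rather than proof of a spoof.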

Other Solutions

This attack does not have a fully satisfactory long-term solution, but it can still be mitigated. Changing browsers so they always display the location line would help, although users would still have to be vigilant and know how to recognize rewritten URLs. This is an example of a trusted path technique, in the sense that the browser is able to display information for the user without possible interference by untrusted parties. For pages fetched via a secure connection, an improved secure-connection indicator could help. Rather than simply indicating a secure connection, browsers should clearly say who is at the other end of the connection. This information should be displayed in plain language, in a manner intelligible to novice users; it should say something like "Microsoft Inc." rather than www.microsoft.com.

Prevention

Stopping web spoofing bears some similarity to intrusion detection, spam filtering, and defending against traditional social engineering attacks. Intrusion detection systems typically monitor network and host activity, compute statistical or other indices, and attempt to detect intrusions by comparing the index of current activity against previous statistics. While web spoofing may be regarded as a special case of intrusion detection, the browser seems like the appropriate place to combat web spoofing.

Conclusion

Internet fraud observed between 2001 and 2002 has been attributed to web spoofing. While web spoofing (or phishing) may become more sophisticated in the future, every approach to this problem seems to rely on the vigilance of Web users. Whether we can realistically expect everyone to be vigilant all of the time is debatable.

References

1. Neil Chou, Robert Ledesma, Yuka Teraguchi, Dan Boneh and John C. Mitchell, "Client-side defense against web-based identity theft", Computer Science Department, Stanford University, Stanford, CA 94305.
2. Edward W. Felten, Dirk Balfanz, Drew Dean and Dan S. Wallach, "Web Spoofing: An Internet Con Game", Technical Report 540-96 (revised Feb. 1997), Department of Computer Science, Princeton University.
