
Web Spoofing


Presentation Transcript


  1. Web Spoofing
  John D. Cook, Andrew Linn

  2. Web huh?
  • Spoof: a hoax, trick, or deception
  • Discussed among academics in the 1980s as the concept of IP spoofing
  • IP spoofing was used in a few early and well-known attacks
  • IP spoofing fell out of popularity (TCP)
  • Still done today in different forms
  • Not all web spoofs are malicious

  3. Phishing
  • Pronounced "fishing", just much less fun
  • Broad term for the attempted acquisition of private or sensitive information
  • Passive or aggressive attack
  • Not all phishing attacks are web spoofs
  • The nature of web spoofs makes them a good choice, however
  • An example of the many uses of web spoofs

  4. Phishing Spoof Attacks
  • Fairly common; they are easy and WORK!!
  • "Man in the middle" attack
  • Rewrites the URLs of a page, so that a link to
    http://www.cnn.com
    becomes
    http://www.IAmAttacker.com/http://www.cnn.com
  • Users can get trapped in the attacker's system

  5. Email Hoaxes
  • Often a phishing attack as well as a type of spoof
  • Rely on the carelessness or ignorance of the user
  • Appear to be from a legitimate service
  • Login IDs, passwords, credit card numbers, and Social Security numbers are the "booty"

  6. Email Hoaxes Cont.
  • Some serve as a way to implement a web page spoof that is itself a phishing attack
  • FSU phishing email hoax
  • WoW email hoax
  • I love Firefox
  • The purpose of the hoax

  7. Spoofs Today
  • Because everything else was totally last month.
  • Video games are in. So is stealing them.
  • The downside of all info stored "server-side".
  • Online shopping = stolen credit cards. Yes, because we Americans just don't go to the store anymore.

  8. Recognizing Spoofs
  • Look for the lock at the bottom of your browser, though this isn't always indicative of a safe website
  • Use a *good* browser. My ambiguity in that statement allows me not to be biased.
  • Check the certificates of the page
  • Or just pay attention.

  9. The "Shadow Web"
  • Known as web spoofing
  • First examined by Princeton researchers in 1996
  • Tested in 2002 by researchers at Dartmouth
  • Traps the user in the attacker's web
  • Uses JavaScript to rewrite the browser
  • Effectively spoofs the entire Web

  10. Sample fake toolbar pop-up / Sample true toolbar pop-up (screenshots, courtesy of Dartmouth College)

  11. Fake SSL warning window / True SSL warning window (screenshots, courtesy of Dartmouth College)

  12. The "Shadow Web"
  • While plausible, it is unlikely
  • High yield = huge effort
  • Various browsers, customization, and security software options prevent it from being a viable attack
  • Acts as a man-in-the-middle attack

  13. "Shadow Web" Demonstration (courtesy of Felten et al., Princeton University)

  14. The "Shadow Web": Attacks
  • Simple surveillance -> phishing attacks
  • Data manipulation -> man-in-the-middle

  15. The "Shadow Web": Detection
  • Disable JavaScript
  • Customize pop-up and spam blockers
  • Firewalls and other security software

  16. Computer Security Dilemma
  • Most spoof attacks are user-initiated
  • Hard to prevent from the computer security side
  • Security software falls short against user ignorance
  • Broad audience uninformed

  17. Detection and Prevention
  • Understand what will and will not be requested in an email
  • Do not follow email links to edit account information; instead, type the website's URL into the browser
  • Verify a URL before clicking on a link
  • Check the SSL certificate of a website before disclosing personal information
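A small link checker, added here as an illustration and not part of the original presentation, turns two of the slides' points into a mechanical check: the rewritten-URL pattern from slide 4 (the real site's address carried in the attacker's path) and the "verify a URL before clicking" advice of slide 17. The sample links are constructed; the hosts IAmAttacker.com, example-bank.com and example.net are taken from the slide or are placeholders. The registrable-domain helper is a deliberate simplification (last two labels); real tooling would consult the Public Suffix List.

```python
"""Flag links whose destination does not match what they appear to be (added example)."""
import re
from urllib.parse import unquote, urlsplit

# Constructed sample links as (displayed text, href) pairs. The second pair has the
# shape shown on slide 4: the real site's URL rides inside the attacker's path.
SAMPLE_LINKS = [
    ("http://www.cnn.com", "http://www.cnn.com"),
    ("http://www.cnn.com", "http://www.IAmAttacker.com/http://www.cnn.com"),
    ("Update your account", "http://example-bank.com.login.example.net/secure"),
    ("https://example-bank.com/login", "https://example-bank.com/login"),
]

# An absolute or scheme-relative URL appearing after the real host (in the path or query).
EMBEDDED_URL = re.compile(r"(?:https?:)?//([A-Za-z0-9.-]+)", re.IGNORECASE)
# "brand.com." in the middle of a host name, i.e. a brand used as someone else's subdomain.
BRAND_AS_SUBDOMAIN = re.compile(r"([a-z0-9-]+\.(?:com|net|org|edu|gov))\.", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Last two labels of a host (assumed adequate for this demo; use the Public Suffix List in practice)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def embedded_hosts(url: str) -> list[str]:
    """Hosts of any URL embedded in the path or query of `url`, after percent-decoding."""
    parts = urlsplit(url)
    tail = parts.path + ("?" + parts.query if parts.query else "")
    return [m.group(1).lower() for m in EMBEDDED_URL.finditer(unquote(tail))]


def analyze_link(text: str, href: str) -> list[str]:
    """Return human-readable findings for one link; an empty list means nothing suspicious."""
    findings = []
    parts = urlsplit(href)
    host = (parts.hostname or "").lower()

    # 1. Slide 4's pattern: a different site's URL is carried inside this link.
    for inner in embedded_hosts(href):
        if registrable_domain(inner) != registrable_domain(host):
            findings.append(f"link to {host} embeds a URL for {inner}")

    # 2. A brand name used as a subdomain of an unrelated registrable domain.
    for m in BRAND_AS_SUBDOMAIN.finditer(host):
        if registrable_domain(m.group(1)) != registrable_domain(host):
            findings.append(f"{m.group(1)} is only a subdomain of {registrable_domain(host)}")

    # 3. Slide 17: the URL shown as link text and the actual destination disagree.
    if "://" in text:
        shown = urlsplit(text.strip()).hostname
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(f"text shows {shown} but href goes to {host}")

    # 4. Plain http means there is no certificate to check before entering data.
    if parts.scheme.lower() == "http":
        findings.append("plain http: no certificate to verify before disclosing data")
    return findings


def scan_links(links) -> dict[str, list[str]]:
    """Map each suspicious href to its findings; clean links are left out."""
    result = {}
    for text, href in links:
        findings = analyze_link(text, href)
        if findings:
            result[href] = findings
    return result


if __name__ == "__main__":
    for href, findings in scan_links(SAMPLE_LINKS).items():
        print(href)
        for finding in findings:
            print("  -", finding)
```

Running the script reports three of the four constructed links: the rewritten cnn.com link trips the embedded-URL, text-mismatch and plain-http checks at once, the bank look-alike is caught as a subdomain of example.net, and the plain-http cnn.com link is only noted for lacking a certificate to inspect. Checks 1 and 2 work on the href alone, so they apply to links pasted from an email as well as to links in a rendered page.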

  18. Sample Email Spoof (screenshot)

  19. Sample Email Spoof (screenshot)

  20. Motivations
  • Most spoof attacks are phishing attacks
  • Some serve to smear a company's reputation or hurt its finances with false reports
  • Others are for fun or political goals
  • All spoofs, even those that are jokes, have the potential for harm

  21. Brick and Mortar
  • Virtual world vs. physical
  • Harder to verify Amazon.com than a brick-and-mortar store
  • Security software helps, but an educated user base is the best defense against spoof attacks

  22. Criminal Act
  • Identity theft is a growing concern
  • Spoofing is used in many phishing scams to facilitate identity theft
  • Most attackers use stolen or hacked machines
  • When caught, attackers must be punished appropriately

  23. Questions?
