Web Spoofing
John D. Cook, Andrew Linn

Web huh?
• Spoof: a hoax, trick, or deception
• Discussed among academics in the 1980s as the concept of IP spoofing
• IP spoofing was used in a few early and well-known attacks
• IP spoofing fell out of popularity (TCP)
• Still done today in different forms
• Not all web spoofs are malicious

Phishing
• Pronounced "fishing", just much less fun
• Broad term for the attempted acquisition of private or sensitive information
• Can be a passive or an aggressive attack
• Not all phishing attacks are web spoofs
• The nature of web spoofs makes them a good choice, however
• An example of the many uses of web spoofs

Phishing Spoof Attacks
• Fairly common; they are easy and they WORK!!
• "Man-in-the-middle" attack
• Rewrites the URLs of a page, e.g. http://www.cnn.com becomes http://www.IAmAttacker.com/http://www.cnn.com
• Users can get trapped in the attacker's system

Email Hoaxes
• Often a phishing attack as well as a type of spoof
• Rely on carelessness or ignorance of the user
• Appear to be from a legitimate service
• Login IDs, passwords, credit card numbers, and Social Security numbers are the "booty"

Email Hoaxes (cont.)
• Some serve as a way to implement a web page spoof that is itself a phishing attack
• FSU phishing email hoax
• WoW email hoax
• I love Firefox
• The purpose of the hoax

Spoofs Today
• Because everything else was totally last month
• Video games are in. So is stealing them.
• The downside of all info stored "server-side"
• Online shopping = stolen credit cards. Yes, because we Americans just don't go to the store anymore.

Recognizing Spoofs
• Look for the lock at the bottom of your browser, though this isn't always indicative of a safe website
• Use a *good* browser. My ambiguity in that statement allows me to not be biased.
• Check the certificates of the page
• Or just pay attention
The "Shadow Web"
• Known as web spoofing
• First examined by Princeton researchers in 1996
• Tested in 2002 by researchers at Dartmouth
• Traps the user in the attacker's web
• Uses JavaScript to rewrite the browser
• Effectively spoofs the entire Web
[Figure: sample fake toolbar pop-up beside a sample true toolbar pop-up. Courtesy of Dartmouth College]
[Figure: fake SSL warning window beside the true SSL warning window. Courtesy of Dartmouth College]
The "Shadow Web"
• While plausible, it is unlikely
• High yield = huge effort
• Various browsers, customization options, and security software prevent it from being a viable attack
• Acts as a man-in-the-middle attack

"Shadow Web" Demonstration
[Demonstration courtesy of Felten et al., Princeton University]

The "Shadow Web": Attacks
• Simple surveillance -> phishing attacks
• Data manipulation -> man-in-the-middle

The "Shadow Web": Detection
• Disable JavaScript
• Customize pop-up and spam blockers
• Firewalls and other security software
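The URL rewrite shown on the Phishing Spoof Attacks slide and the "Shadow Web" detection list above describe the same pattern: every link on a proxied page is routed back through the attacker's server. The following Python check is an added example, not part of the original slides; it flags such links in a fetched page. The sample HTML and every host other than www.cnn.com and www.IAmAttacker.com are constructed for illustration.

```python
"""Flag the URL-rewriting pattern behind web-spoofing ("shadow web") pages.
Added example, not from the original slides. A rewriting proxy turns
http://www.cnn.com into http://www.IAmAttacker.com/http://www.cnn.com, so every
link keeps the victim inside the attacker's server. This defender-side heuristic
flags links whose path or query embeds a second absolute URL (legitimate redirect
parameters trigger it too, so treat hits as leads)."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EMBEDDED_URL = re.compile(r"https?://[^\s/?#]+", re.I)  # absolute URL inside a path/query

def analyse_link(url: str) -> dict:
    """Return the serving host, any embedded host, and whether the link looks rewritten."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""  # "" for relative links
    embedded_host = None
    # Percent-decode first so "http%3A%2F%2F..." is caught as well.
    for text in (unquote(parts.path), unquote(parts.query)):
        match = EMBEDDED_URL.search(text)
        if match:
            embedded_host = urlsplit(match.group(0)).hostname
            break
    return {"real_host": real_host, "embedded_host": embedded_host,
            "rewritten": embedded_host is not None and embedded_host != real_host}

class LinkCollector(HTMLParser):
    """Collect href/src/action attribute values from an HTML document."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.links.append(value)

def find_rewritten_links(html: str) -> list:
    """Return (serving_host, embedded_host) for each link routed back through a proxy."""
    collector = LinkCollector()
    collector.feed(html)
    return [(info["real_host"], info["embedded_host"])
            for info in map(analyse_link, collector.links) if info["rewritten"]]

# Constructed sample page: two proxied links, one direct link, one relative asset.
SAMPLE_PAGE = """
<a href="http://www.IAmAttacker.com/http://www.cnn.com">CNN</a>
<a href="http://www.IAmAttacker.com/https://mail.example.org/login">Mail</a>
<a href="http://www.cnn.com/world">Direct</a>
<img src="/static/logo.png">
"""
```

Running `find_rewritten_links` over a page's HTML before the browser renders it (for example in a proxy or a mail gateway) gives the user the serving host that the rewritten status bar would otherwise hide.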
Computer Security Dilemma
• Most spoof attacks are user-initiated
• Hard to prevent from the computer-security side
• Security software cannot make up for user ignorance
• Broad audience uninformed

Detection and Prevention
• Understand what will and will not be requested in an email
• Do not follow email links to edit account information; instead, type the website's URL into the browser
• Verify a URL before clicking on a link
• Check the SSL certificate of a website before disclosing personal information

Motivations
• Most spoof attacks are phishing attacks
• Some serve to smear a company's reputation or hurt its finances with false reports
• Others are for fun or political goals
• All spoofs, even those that are jokes, have the potential for harm

Brick and Mortar
• Virtual world vs. physical world
• Harder to verify Amazon.com than a brick-and-mortar store
• Security software helps, but an educated user base is the best defense against spoof attacks

Criminal Act
• Identity theft is a growing concern
• Spoofing is used in many phishing scams to facilitate identity theft
• Most attackers use stolen or hacked machines
• When caught, attackers must be punished appropriately