
WEB SPOOFING

Prepared by:
YUKTI CHUTTANI
B.C.A III
15008000610
Web Spoofing
• Allows an attacker to create a “shadow copy” of the entire World Wide Web.
• The attacker creates a misleading context in order to trick the victim.
• The attack is like a con game.
• Online fraud.
History
• The concept of web spoofing was discussed in 1980 by Robert Morris, whose son found a security weakness in the TCP protocol known as security prediction.
Starting the Attack
• The attacker must somehow lure the victim into the attacker’s false web. There are several ways to do this.
• An attacker could put a link to the false web onto a popular web page.
• If the victim is using Web-enabled email, the attacker could email the victim a pointer to the false web.
Spoofing attacks in the physical world as well as the electronic world
• In the physical world, for example, there have been several incidents in which criminals set up bogus automated teller machines. The criminals copy the victim’s card and use the duplicate.
• In these attacks people were fooled by the context of what they saw: the location of the machine and the appearance of its electronic display.
• People using computer systems often make security-relevant decisions based on contextual cues they see. For example, you might decide to type in your account number because you believe you are visiting your bank’s web page. This belief might arise because the page has a familiar look.
Consequences
• Surveillance – the attacker can passively watch the traffic, recording which pages the victim visits and the contents of those pages. (This allows the attacker to observe any account numbers or passwords the victim enters.)
• Tampering – the attacker can modify any of the data traveling in either direction between the victim and the Web. (The attacker could change the product number, quantity or ship-to address.)
How the Attack Works
• Forms
• URL Rewriting
URL Rewriting
• The attacker’s first trick is to rewrite all of the URLs on some web page so that they point to the attacker’s server rather than the real server. Assuming the attacker’s server is on the machine www.attacker.org, the attacker rewrites a URL by adding http://www.attacker.org to the front of the URL. For example, http://home.netscape.com becomes http://www.attacker.org/http://home.netscape.com.
• Once the attacker’s server has fetched the real document needed to satisfy the request, the attacker rewrites all of the URLs in the document into the same special form. Then the attacker’s server provides the rewritten page to the victim’s browser.
• If the victim follows a link on the new page, the victim remains trapped in the attacker’s false web.
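As an added example (not part of the original slides), a defender-side check for the rewriting pattern just described: it splits a URL as shown on the location line and reports which host the browser really contacts, and it scans a page’s source for links routed through another host. The hostnames and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def inspect_url(shown_url: str, expected_host: str) -> dict:
    """Split a URL as shown on the location line and report which host
    the browser really contacts.  A rewritten URL carries the real
    server's URL inside its path, e.g.
    http://www.attacker.org/http://home.netscape.com"""
    parts = urlsplit(shown_url)
    actual_host = (parts.hostname or "").lower()
    embedded_host = None
    path = parts.path.lstrip("/")
    # A path that itself starts with a scheme is the tell-tale sign.
    if path.lower().startswith(("http://", "https://")):
        embedded_host = (urlsplit(path).hostname or "").lower()
    return {
        "actual_host": actual_host,
        "embedded_host": embedded_host,
        "as_expected": actual_host == expected_host.lower() and embedded_host is None,
    }


class LinkAuditor(HTMLParser):
    """Collect href/src/action targets from the page source (the 'view
    document source' cue) and keep those routed via another host."""

    def __init__(self, expected_host: str):
        super().__init__()
        self.expected_host = expected_host
        self.suspicious = []  # (tag, url, host actually contacted)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                report = inspect_url(value, self.expected_host)
                if report["embedded_host"] is not None:
                    self.suspicious.append((tag, value, report["actual_host"]))


def audit_page_source(html: str, expected_host: str) -> list:
    auditor = LinkAuditor(expected_host)
    auditor.feed(html)
    auditor.close()
    return auditor.suspicious


# Constructed sample of a rewritten page (not captured from a real site).
SAMPLE_PAGE = """
<a href="http://www.attacker.org/http://home.netscape.com/">Home</a>
<img src="/images/logo.gif">
<form action="http://www.attacker.org/https://home.netscape.com/login">
"""
```

Running `audit_page_source(SAMPLE_PAGE, "home.netscape.com")` flags the anchor and the form, whose targets go to www.attacker.org, while the relative image link passes.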
Forms
• When the victim submits a form, the submitted data goes to the attacker’s server. The attacker’s server can observe and even modify the submitted data, doing whatever malicious editing is desired, before passing it on to the real server.
How the attacker attacks the victim
Destroying the Illusion
• There are cues that can destroy the illusion:
  • Status line
  • Location line
  • Viewing document source
• These can be virtually eliminated.
Remedies to be followed
• Follow a three-part strategy:
  • Disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack;
  • Make sure your browser’s location line is always visible;
  • Pay attention to the URLs displayed on your browser’s location line, making sure they always point to the server you think you are connected to.
Protecting yourself against e-mail or online fraud
• Don’t take anything for granted.
• Do not click on links you receive in an e-mail message asking for sensitive personal, financial or account information.
• Call the company directly to confirm requests for updating or verifying personal or account information.
• Do not share your IDs or pass codes with anyone.
• Look for secure connections on Web sites.
• Always sign off Web sites or secure areas of Web sites.
• When your computer is not in use, shut it down or disconnect it from the Internet.
Completing the illusion:
• The attack as described thus far is fairly effective, but not perfect. There is still some remaining context that can give the victim clues that the attack is going on. Such evidence is not too hard to eliminate because browsers are very customizable. The ability of a web page to control browser behavior is often desirable, but when the page is hostile it can be dangerous.
Conclusion:
Spoofing is a serious threat to the international community, as real-world applications are gaining importance over the WWW. By understanding the tools and methods spoofers have at their disposal, we can defend against attacks to a considerable extent.
THANKS