Website spoofing is the act of creating a website with the intention of misleading readers into believing that it was created by a different person or organisation. Normally the spoof site adopts the design of the target site, and it sometimes has a similar URL. [1] A more sophisticated attack creates a "shadow copy" of the World Wide Web by routing all of the victim's web traffic through the attacker's machine, which lets the attacker obtain the victim's sensitive information. [2]
Another technique is to use a 'cloaked' URL. [3] By using domain forwarding, or by inserting control characters, the URL can appear genuine while concealing the actual address of the malicious website. Punycode can also be used for this purpose. Punycode-based attacks exploit characters from different writing systems that look alike in common fonts. For example, the Greek lowercase tau (τ) closely resembles the Latin lowercase t in many fonts, yet the Greek letter is encoded in Punycode as 5xa (the DNS label "xn--5xa"), while the Latin letter is simply t, since it is part of the ASCII character set. In 2017 a security researcher registered the domain xn--80ak6aa92e.com, which decodes to the all-Cyrillic label аррӏе, and several mainstream browsers displayed it as "apple.com". None of its characters belong to the Latin script, but in the default fonts of those browsers the Cyrillic letters were indistinguishable from their Latin look-alikes. [4] [5]
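The Punycode conversion and the look-alike check described above, as an added example (not code from the cited research, from any browser, or from the page): it converts a hostname between its Unicode form and the xn-- form stored in DNS using Python's built-in punycode codec, then applies the two checks browsers use against homographs, flagging a label that mixes scripts and a label whose whole-script look-alike "skeleton" matches a protected name. The confusable table and the list of protected names are constructed for the example and are a tiny subset of the real Unicode confusables data.

```python
import unicodedata

ACE_PREFIX = "xn--"  # prefix that marks a Punycode-encoded label in DNS


def encode_label(label: str) -> str:
    """Unicode label -> ACE form as stored in DNS; pure-ASCII labels pass through."""
    if label.isascii():
        return label
    return ACE_PREFIX + label.encode("punycode").decode("ascii")


def decode_label(label: str) -> str:
    """ACE label -> Unicode, i.e. what a browser shows if it decides the label is safe."""
    if label.lower().startswith(ACE_PREFIX):
        return label[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    return label


def encode_host(host: str) -> str:
    return ".".join(encode_label(lab) for lab in host.split("."))


def decode_host(host: str) -> str:
    return ".".join(decode_label(lab) for lab in host.split("."))


# Scripts distinguished by this example; digits, hyphens and the rest count as COMMON.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN")


def script_of(ch: str) -> str:
    # Unicode character names start with the script, e.g. "CYRILLIC SMALL LETTER A".
    first_word = unicodedata.name(ch, "").split(" ", 1)[0]
    return first_word if first_word in SCRIPTS else "COMMON"


def scripts_in(label: str) -> set:
    return {script_of(c) for c in label} - {"COMMON"}


# Constructed subset of the Unicode confusables table: non-Latin letter -> Latin look-alike.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",  # Cyrillic
    "ӏ": "l", "ј": "j", "ѕ": "s", "і": "i",                               # Cyrillic
    "ο": "o", "ν": "v", "τ": "t",                                         # Greek
}


def skeleton(label: str) -> str:
    """Replace every known confusable with the Latin letter it resembles."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def analyze(host: str, protected=("apple.com", "google.com", "paypal.com")) -> dict:
    """Flag a hostname that mixes scripts in one label or that is a whole-script
    look-alike of a protected name. `protected` is a hypothetical allowlist."""
    uhost = decode_host(host)
    reasons = []
    for lab in uhost.split("."):
        found = scripts_in(lab)
        if len(found) > 1:  # e.g. one Cyrillic letter dropped into a Latin word
            reasons.append(f"label {lab!r} mixes scripts {sorted(found)}")
    skel = ".".join(skeleton(lab) for lab in uhost.split("."))
    if skel != uhost and skel in protected:  # all-Cyrillic аррӏе passes the mixed-script test
        reasons.append(f"renders like {skel!r} but is actually {encode_host(uhost)!r}")
    return {"unicode": uhost, "ace": encode_host(uhost), "skeleton": skel,
            "flagged": bool(reasons), "reasons": reasons}
```

Running analyze on the 2017 domain decodes it to аррӏе.com, a single-script label that the mixed-script test alone does not catch; only the skeleton comparison against a protected name flags it, which is the kind of whole-script-confusable check browsers added after that report.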
The objective may be fraudulent, often associated with phishing or e-mail spoofing, or it may be to criticise or make fun of the person or body whose website the spoofed site purports to represent. Because the purpose is often malicious, "spoof" (an expression whose base meaning is innocent parody) is a poor term for this activity, so more accountable organisations such as government departments and banks tend to avoid it, preferring more explicit descriptors such as "fraudulent" or "phishing". [6] [7]
As an example of the use of this technique to parody an organisation, in November 2006 two spoof websites, www.msfirefox.com and www.msfirefox.net, were produced claiming that Microsoft had bought Firefox and released "Microsoft Firefox 2007." [8]
Detecting spoofed websites is the main focus of anti-phishing software development, though there are concerns about how effective the tools are. Most of the effort targets the PC market, leaving mobile devices poorly covered. As the table below shows, few of the tools currently on the market have been evaluated in user studies. [9]
| Tool | Communication media | Device | Countermeasure type | Performance metrics | User study conducted? |
|---|---|---|---|---|---|
| Anti-phish | Website/browser add-on | PC | Profile matching / usage history | - | - |
| BogusBiter | Website/browser add-on | PC | Client-server authentication | Page load delay | No |
| Cantina+ | Website/browser add-on | PC | Machine learning / classification | TPR ≈ 0.92, FPR ≈ 0.04 | No |
| Quero | Website/browser add-on | PC | Text mining / regular expressions | - | - |
| Itrustpage | Website/browser add-on | PC | Profile matching / blacklist | Accuracy = 0.98 | Yes |
| SpoofGuard | Website | PC | Profile matching / pattern | TPR ≈ 0.972, Accuracy ≈ 0.67 | No |
| PhishZoo | Website | PC | Profile matching / pattern | Accuracy ≈ 0.96, FPR ≈ 0.01 | No |
| B-APT | Website | PC | Machine learning / classification | Page load delay ≈ 51.05 ms, TPR ≈ 1, FP ≈ 0.03 | No |
| PhishTester | Website | PC | Profile matching / pattern | FNR ≈ 0.03, FPR ≈ 0 | No |
| DOM AntiPhish | Website | PC | Profile matching / layout | FNR ≈ 0, FPR ≈ 0.16 | No |
| GoldPhish | Website | PC | Search engines | TPR ≈ 0.98, FPR ≈ 0.02 | No |
| PhishNet | Website | PC | Profile matching / blacklist | FNR ≈ 0.05, FPR ≈ 0.03 | No |
| PhorceField | Website | PC | Client-server authentication | Bits of security lost per user = 0.2 | Yes |
| PassPet | Website | PC | Profile matching / usage history | Security and usability | Yes |
| PhishGuard | Website | PC | Client-server authentication | - | - |
| PhishAri | Social network | PC | Machine learning / classification | Precision = 0.95, Recall = 0.92 | Yes |
| MobiFish | Mobile | Smartphone | Profile matching / layout | TPR ≈ 1 | No |
| AZ-protect | Website | PC | Machine learning / classification | Precision = 0.97, Recall = 0.96 | No |
| eBay AG | Website/browser add-on | PC | Machine learning / classification | Precision = 1, Recall = 0.55 | No |
| Netcraft | Website/browser add-on | PC | Profile matching / blacklist | Precision = 0.99, Recall = 0.86 | No |
| EarthLink | Website/browser add-on | PC | Profile matching / blacklist | Precision = 0.99, Recall = 0.44 | No |
| IE Filter | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.75 | No |
| FirePhish | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.77 | No |
| Sitehound | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.23 | No |

TPR, FPR and FNR are the true-positive, false-positive and false-negative rates; "-" means the source gives no figure. Note that the blacklist-based tools at the bottom of the table combine near-perfect precision with low recall: they rarely flag a legitimate site, but they miss most of the spoofed ones.
DNS is the layer at which botnets control their drones, and it is also a layer at which spoofed sites can be blocked. In 2006, OpenDNS began offering a free service that prevents users from reaching known website-spoofing sites: it combines feeds from anti-phishing and anti-botnet organisations with its own data into a list of known offenders, and a lookup for one of those names is blocked at the DNS level. However, APWG statistics show that most phishing attacks are identified by full URLs rather than by domain names, so a large share of website spoofing falls outside what OpenDNS can track. At the time of release it could not block phishing pages hosted under otherwise legitimate domains such as Yahoo or Google, since a DNS resolver sees only the host name being looked up, never the path of the page. [10]
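The DNS-level blocking described above, as an added example that is not OpenDNS's code: a resolver-side check that matches a queried name against a blocklist at label boundaries (so that a listed domain also blocks its subdomains, but a longer name that merely ends in the same letters does not), followed by a URL check that shows the coverage gap, since only the host part of a URL ever reaches DNS. The blocklist entries and the URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist; these are documentation-style names, not real phishing domains.
BLOCKLIST = {
    "secure-login-bank.example",
    "paypa1-verify.example",
}


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot (fully qualified)."""
    return name.rstrip(".").lower()


def blocked_at_dns(qname: str, blocklist=BLOCKLIST) -> bool:
    """True if the queried name, or any parent domain of it, is on the blocklist.

    Matching walks label by label, so 'www.secure-login-bank.example' is blocked
    but 'notsecure-login-bank.example' is not (a naive endswith() would block it).
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in blocklist:
            return True
    return False


def check_url(url: str, blocklist=BLOCKLIST) -> dict:
    """What a DNS filter can and cannot see: the host is checked, the path is invisible."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    return {
        "host": host,
        "path": parts.path,
        "blocked": blocked_at_dns(host, blocklist) if host else False,
    }


if __name__ == "__main__":
    # A phishing page parked under a legitimate shared host is never seen by the resolver.
    print(check_url("http://pages.example.net/~user/paypal-login.html"))
    print(check_url("http://www.secure-login-bank.example/login"))
```

The second case is blocked because the parent domain is listed; the first resolves normally, which is exactly the limitation the paragraph describes for phishing pages hosted under large legitimate domains.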
In the Internet, a domain name is a string that identifies a realm of administrative autonomy, authority or control. Domain names are often used to identify services provided through the Internet, such as websites, email services and more. Domain names are used in various networking contexts and for application-specific naming and addressing purposes. In general, a domain name identifies a network domain or an Internet Protocol (IP) resource, such as a personal computer used to access the Internet, or a server computer.
Various anti-spam techniques are used to prevent email spam.
An internationalized domain name (IDN) is an Internet domain name that contains at least one label displayed in software applications, in whole or in part, in a non-Latin script or alphabet, or in Latin-alphabet characters with diacritics or ligatures. These writing systems are encoded by computers in multibyte Unicode. Internationalized domain names are stored in the Domain Name System (DNS) as ASCII strings using Punycode transcription.
Phishing is a form of social engineering and scam where attackers deceive people into revealing sensitive information or installing malware such as ransomware. Phishing attacks have become increasingly sophisticated and often transparently mirror the site being targeted, allowing the attacker to observe everything while the victim is navigating the site and to traverse any additional security boundaries along with the victim. As of 2020, it is the most common type of cybercrime, with the FBI's Internet Crime Complaint Center reporting more incidents of phishing than any other type of computer crime.
.tk is the Internet country code top-level domain (ccTLD) for Tokelau, a territory of New Zealand in the South Pacific.
A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.
Anti-phishing software consists of computer programs that attempt to identify phishing content contained in websites, e-mail, or other forms used to access data, and to block the content, usually with a warning to the user. It is often integrated with web browsers and email clients as a toolbar that displays the real domain name of the website the viewer is visiting, in an attempt to prevent fraudulent websites from masquerading as other legitimate websites.
Pharming is a cyberattack intended to redirect a website's traffic to another, fake site, typically by installing a malicious program on the victim's computer in order to gain access to it. Pharming can be conducted either by changing the hosts file on a victim's computer or by exploiting a vulnerability in DNS server software. DNS servers are computers responsible for resolving Internet names into their real IP addresses; compromised DNS servers are sometimes referred to as "poisoned". Hosts-file pharming requires unprotected access to the target machine, so it is typically aimed at a customer's home computer rather than a corporate business server.
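The hosts-file variant of pharming described above, as an added example of the check a responder would run (not code from any product mentioned on the page): it parses a hosts file and reports every name that is mapped to an address other than loopback or the unspecified address, since those are the only mappings that block or self-reference rather than redirect. The hosts file contents are constructed for the example; the 203.0.113.0/24 address is a documentation range, not a real attacker.

```python
import ipaddress

# Constructed sample hosts file, not taken from any real machine.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# Entries a pharming trojan might add: a bank's names pointed at an attacker-controlled address
203.0.113.45    www.bank.example bank.example   # attacker host
0.0.0.0         ads.example
"""


def parse_hosts(text: str):
    """Yield (ip, hostname, line_no) for each mapping; comments and blank lines are skipped."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield ip, name.lower(), line_no


def suspicious_entries(text: str, known_ok=frozenset()) -> list:
    """Return mappings that redirect a name to a real address.

    Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) targets only sink or
    self-reference a name, so they are treated as benign. `known_ok` is a
    hypothetical allowlist of intranet names the administrator put there deliberately.
    """
    hits = []
    for ip, name, line_no in parse_hosts(text):
        if name in known_ok:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append({"line": line_no, "host": name, "ip": ip, "why": "malformed address"})
            continue
        if addr.is_loopback or addr.is_unspecified:
            continue
        hits.append({"line": line_no, "host": name, "ip": ip, "why": "redirected to real address"})
    return hits


if __name__ == "__main__":
    for hit in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {hit['line']}: {hit['host']} -> {hit['ip']} ({hit['why']})")
```

On a real system the text comes from /etc/hosts or %SystemRoot%\System32\drivers\etc\hosts; any mapping the check reports should be compared with what the public DNS returns for that name, since a redirected bank or webmail name is the signature of the hosts-file attack the paragraph describes.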
In orthography and typography, a homoglyph is one of two or more graphemes, characters, or glyphs with shapes that appear identical or very similar but may have differing meaning. The designation is also applied to sequences of characters sharing these properties.
The internationalized domain name (IDN) homograph attack is a way a malicious party may deceive computer users about what remote system they are communicating with, by exploiting the fact that many different characters look alike. For example, the Cyrillic, Greek and Latin alphabets each have a letter ⟨o⟩ that has the same shape but different meaning from its counterparts.
A spoofed URL involves one website masquerading as another, often leveraging vulnerabilities in web browser technology to facilitate a malicious computer attack. These attacks are particularly effective against computers that lack up-to-date security patches. Alternatively, some spoofed URLs are crafted for satirical purposes.
Email spoofing is the creation of email messages with a forged sender address. The term applies to email purporting to be from an address which is not actually the sender's; mail sent in reply to that address may bounce or be delivered to an unrelated party whose identity has been faked. Disposable email address or "masked" email is a different topic, providing a masked email address that is not the user's normal address, which is not disclosed, but forwards mail sent to it to the user's real address.
The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far fewer than it had infected a year earlier.
DNS hijacking, DNS poisoning, or DNS redirection is the practice of subverting the resolution of Domain Name System (DNS) queries. This can be achieved by malware that overrides a computer's TCP/IP configuration to point at a rogue DNS server under the control of an attacker, or through modifying the behaviour of a trusted DNS server so that it does not comply with internet standards.
A web threat is any threat that uses the World Wide Web to facilitate cybercrime. Web threats use multiple types of malware and fraud, all of which utilise HTTP or HTTPS, but they may also employ other protocols and components, such as links in email or instant messages, malware attachments, or malware hosted on servers that access the Web. They benefit cybercriminals by stealing information for subsequent sale and help absorb infected PCs into botnets.
Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.
Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.
SmartScreen is a cloud-based anti-phishing and anti-malware component included in several Microsoft products:
Trojan.Win32.DNSChanger is a backdoor trojan that redirects users to various malicious websites by altering the DNS settings of a victim's computer. The malware strain was first discovered by the Microsoft Malware Protection Center on December 7, 2006 and later detected by McAfee Labs on April 19, 2009.
An emoji domain is a domain name with one or more emoji in it, for example 😉.tld.