Website spoofing

Website spoofing is the act of creating a website with the intention of misleading readers into believing that the website was created by a different person or organization. Normally, the spoof website adopts the design of the target website, and it sometimes has a similar URL. [1] A more sophisticated attack results in an attacker creating a "shadow copy" of the World Wide Web by having all of the victim's traffic go through the attacker's machine, allowing the attacker to obtain the victim's sensitive information. [2]

Another technique is to use a 'cloaked' URL. [3] By using domain forwarding, or inserting control characters, the URL can appear to be genuine while concealing the actual address of the malicious website. Punycode can also be used for this purpose. Punycode-based attacks exploit characters from different writing systems that look alike in common fonts. For example, in one widely used font the Greek letter tau (τ) is similar in appearance to the Latin lowercase letter t. However, the Greek letter tau is represented in Punycode as 5xa, while the Latin lowercase letter is simply represented as t, since it is present in the ASCII character set. In 2017, a security researcher managed to register the domain xn--80ak6aa92e.com and have it show on several mainstream browsers as apple.com. While the characters used didn't belong to the Latin script, due to the default font on those browsers the end result was non-Latin characters that were indistinguishable from those of the Latin script. [4] [5]
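As an added example (not from the article or from any browser vendor), the check below shows how a defender can unmask such labels: it decodes the Punycode form with Python's standard codec, flags labels that mix scripts, and maps lookalike letters onto an ASCII "skeleton" to catch whole-script confusables such as the apple.com case. The confusables table is a small hand-built subset constructed for this example, not the full Unicode confusables data.

```python
import unicodedata

# Constructed subset of lookalike letters (Cyrillic and Greek -> ASCII).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0456": "i", "\u0458": "j",
    "\u03bf": "o", "\u03c4": "t", "\u03bd": "v", "\u03b9": "i",
}

def to_ace(label: str) -> str:
    """Encode a Unicode label as an ACE label (xn-- + Punycode); ASCII stays as-is."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def decode_label(label: str) -> str:
    """Turn an ACE label (xn--...) back into Unicode; leave plain labels alone."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def script_of(ch: str) -> str:
    """Crude script classification taken from the Unicode character name."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN"):
        if name.startswith(script):
            return script
    return "COMMON" if (ch.isdigit() or ch == "-") else "OTHER"

def skeleton(label: str) -> str:
    """Replace lookalike letters with their ASCII counterparts."""
    folded = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(c, c) for c in folded)

def analyse_hostname(host: str, protected=("apple.com", "paypal.com")):
    """Return (decoded host, skeleton, findings) for a hostname as seen on the wire."""
    labels = [decode_label(lbl) for lbl in host.lower().split(".")]
    findings = []
    for lbl in labels:
        scripts = {script_of(c) for c in lbl} - {"COMMON"}
        if len(scripts) > 1:           # e.g. Cyrillic "a" mixed into Latin "pple"
            findings.append(f"mixed-script:{lbl}")
    skel = ".".join(skeleton(lbl) for lbl in labels)
    # A single-script label can still be a whole-script confusable of a brand.
    if ".".join(labels) != host.lower() and skel in protected:
        findings.append(f"confusable-with:{skel}")
    return ".".join(labels), skel, findings
```

Note that the 2017 domain is all-Cyrillic, so a mixed-script rule alone never fires on it; only the skeleton comparison against a protected list catches it.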

The objective may be fraudulent, often associated with phishing or e-mail spoofing, or to criticize or make fun of the person or body whose website the spoofed site purports to represent. Because the purpose is often malicious, "spoof" (an expression whose base meaning is innocent parody) is a poor term for this activity, and more accountable organisations such as government departments and banks tend to avoid it, preferring more explicit descriptors such as "fraudulent" or "phishing". [6] [7]

As an example of the use of this technique to parody an organisation, in November 2006 two spoof websites, www.msfirefox.com and www.msfirefox.net, were produced claiming that Microsoft had bought Firefox and released "Microsoft Firefox 2007." [8]

Prevention tools

Anti-phishing software

Spoofed websites predominate in efforts developing anti-phishing software, though there are concerns about their effectiveness. A majority of efforts are focused on the PC market, leaving mobile devices lacking. You can see from the table below that few user studies have been run against the current tools in the market. [9]

A comparison of anti-phishing tools in 2004. [9]

| Tool | Communication media | Device | Countermeasure type | Performance metrics | User study conducted? |
|---|---|---|---|---|---|
| Anti-phish | Website/browser add-on | PC | Profile matching / usage history | - | - |
| BogusBiter | Website/browser add-on | PC | Client server authentication | Page load delay | No |
| Cantina+ | Website/browser add-on | PC | Machine learning / classification | TPR ≈ 0.92, FPR ≈ 0.040 | No |
| Quero | Website/browser add-on | PC | Text mining / regular expressions | - | - |
| Itrustpage | Website/browser add-on | PC | Profile matching / blacklist | Accuracy = 0.98 | Yes |
| SpoofGuard | Website | PC | Profile matching / pattern | TPR ≈ 0.972, Accuracy ≈ 0.67 | No |
| PhishZoo | Website | PC | Profile matching / pattern | Accuracy ≈ 0.96, FPR ≈ 0.01 | No |
| B-APT | Website | PC | Machine learning / classification | Page load delay ≈ 51.05 ms, TPR ≈ 1, FP ≈ 0.03 | No |
| PhishTester | Website | PC | Profile matching / pattern | FNR ≈ 0.03, FPR ≈ 0 | No |
| DOM AntiPhish | Website | PC | Profile matching / layout | FNR ≈ 0, FPR ≈ 0.16 | No |
| GoldPhish | Website | PC | Search engines | TPR ≈ 0.98, FPR ≈ 0.02 | No |
| PhishNet | Website | PC | Profile matching / blacklist | FNR ≈ 0.05, FPR ≈ 0.03 | No |
| PhorceField | Website | PC | Client server authentication | Bits of security lost per user = 0.2 | Yes |
| PassPet | Website | PC | Profile matching / usage history | Security and usability | Yes |
| PhishGuard | Website | PC | Client server authentication | - | - |
| PhishAri | Social network | PC | Machine learning / classification | Precision = 0.95, Recall = 0.92 | Yes |
| MobiFish | Mobile | Smart phone | Profile matching / layout | TPR ≈ 1 | No |
| AZ-protect | Website | PC | Machine learning / classification | Precision = 0.97, Recall = 0.96 | No |
| eBay AG | Website/browser add-on | PC | Machine learning / classification | Precision = 1, Recall = 0.55 | No |
| Netcraft | Website/browser add-on | PC | Profile matching / blacklist | Precision = 0.99, Recall = 0.86 | No |
| EarthLink | Website/browser add-on | PC | Profile matching / blacklist | Precision = 0.99, Recall = 0.44 | No |
| IE Filter | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.75 | No |
| FirePhish | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.77 | No |
| Sitehound | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.23 | No |

DNS filtering

DNS is the layer at which botnets control drones. In 2006, OpenDNS began offering a free service to prevent users from reaching website spoofing sites. Essentially, OpenDNS gathered a large database from various anti-phishing and anti-botnet organizations, as well as its own data, to compile a list of known website spoofing offenders. When a user attempts to access one of these bad websites, the request is blocked at the DNS level. APWG statistics show that most phishing attacks use URLs, not domain names, so there would be a large amount of website spoofing that OpenDNS would be unable to track. At the time of release, OpenDNS was unable to prevent unnamed phishing exploits hosted on Yahoo, Google etc. [10]


References

  1. "Spoof website will stay online", BBC News, 29 July 2004
  2. "Web Spoofing: An Internet Con Game" (PDF). Archived from the original (PDF) on 2017-10-12. Retrieved 2023-05-05.
  3. "Anti-Phishing Technology", Archived 2007-09-27 at the Wayback Machine, Aaron Emigh, Radix Labs, 19 January 2005
  4. "That apple.com link you clicked on? Yeah, it's actually Russian". www.theregister.com.
  5. "Google is fixing a Chrome flaw that makes phishing easy". 17 April 2017.
  6. "HMRC phishing and scams: detailed information". Retrieved 2023-11-01.
  7. "Scam calls". Retrieved 2023-11-01.
  8. "Fake Sites Insist Microsoft Bought Firefox", Gregg Keizer, InformationWeek, 9 November 2006
  9. "Phishing environments, techniques, and countermeasures: A survey". Computers & Security. 68 (4): 280. July 2017. doi:10.1016/s0167-4048(04)00129-4. ISSN 0167-4048.
  10. "Dark Reading | Security | Protect The Business - Enable Access". Dark Reading. Retrieved 2018-06-29.