
Web Spoofing

Web spoofing is a means of tricking users into connecting to a different Web server
than they intended. Web spoofing may be done in a number of ways. It can be done by
simply providing a link to a fraudulent Web site that looks legitimate, or it can involve
more complex attacks in which the user’s request, or the Web pages requested by the
user, are intercepted and altered.

One of the more complex methods of Web spoofing involves an attacker who is
able to see and make changes to Web pages that are transmitted to or from another
computer (the target machine). These pages can include confidential information
such as credit card numbers entered into online commerce forms and passwords
that are used to access restricted Web sites. The changes are not made to the actual
Web pages on their original servers, but to the copies of those pages that the
spoofer returns to the Web client that made the request.

The term spoofing refers to impersonation, or pretending to be someone or
something you are not. Web spoofing involves creating a “shadow copy” of a Web
site or even of the entire Web of servers at a specific site. JavaScript can be used to
route Web pages and information through the attacker’s computer, which impersonates
the destination Web server. The attacker can initiate the spoof by sending e-mail
to the victim that contains a link to the forged page, or by placing a link in a
popular search engine.

SSL does not necessarily prevent this sort of “man-in-the-middle” (MITM)
attack; the connection appears to the victim user to be secure because it is secure.
The problem is that the secure connection is to a different site than the one to
which the victim thinks they are connecting. Although many modern browsers will
indicate a problem with the SSL certificate not matching, hyperlink spoofing exploits the fact that SSL does not verify hyperlinks that the user follows, so if a user gets to
a site by following a link, they can be sent to a spoofed site that appears to be a
legitimate site.

Web spoofing is a high-tech form of con artistry, and is also often referred to as
phishing. The point of the scam is to fool users into giving confidential information
such as credit card numbers, bank account numbers, or Social Security numbers
to an entity that the user thinks is legitimate, and then using that information
for criminal purposes such as identity theft or credit card fraud. The only difference
between this and the “real-world” con artist who knocks on a victim’s door and
pretends to be from the bank, requiring account information, is in the technology
used to pull it off.

There are clues that will tip off an observant victim that a Web site is not what
it appears to be, such as the URL or the status line of the browser. However, an
attacker can use JavaScript to cover their tracks by modifying these elements. An
attacker can even go so far as to use JavaScript to replace the browser’s menu bar
with one that looks the same but replaces the functions that provide clues to the invalidity
of the page, such as the display of the page’s source code.
Newer versions of Web browsers have been modified to make Web spoofing
more difficult. For example, prior to version 4 of Netscape and IE, both were
highly vulnerable to this type of attack. A common method of spoofing URLs
involved exploiting the ways in which browsers read addresses entered into the
address field. For example, anything on the left side of an @ sign in a URL would
be ignored, and the % sign is ignored. Additionally, URLs do not have to be in the
familiar format of a DNS name (such as www.syngress.com); they are also recognized
when entered as an IP address in decimal format (such as 216.238.8.44), hexadecimal
format (such as D8.EE.8.2C), or in Unicode. Thus, a spoofer can send an e-mailed link
such as “www.paypal.com@%77%77%77.%61%7A.%72%75/%70%70%64,” which to the casual
user appears to be a link to the PayPal Web site. However, it is really a link (an IP
address in hex format) to the spoofer’s own server, which in this case was a site in
Russia. The spoofer’s site was designed to look like PayPal’s site, with form fields
requiring that the user enter their PayPal account information. This information was
collected by the spoofer and could then be used to charge purchases to the victim’s
PayPal account. This site packed a double whammy: it also ran a script that attempted
to download malicious code to the user’s computer. Because URLs containing the @
symbol are no longer accepted in major browsers today, entering the URL in browsers
like IE 7 produces an error. Unfortunately, this exploit fooled many people by this
method and they fell victim to the site, and there is no reason why someone simply
couldn’t use a link in hexadecimal format today to continue fooling users.
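The URL tricks described above (a brand name placed before the @ sign, a percent-encoded host, and numeric hosts written in decimal or hex) can all be surfaced mechanically before a user ever clicks. The following inspector is an added example written for this page; it is not code from the original text. It takes a hyperlink's visible text and its real href, normalises the host the way a browser would resolve it, and reports the indicators the article lists. It also covers the hyperlink-spoofing point from the SSL discussion above by comparing the host shown in the link text against the host the href actually names, which no certificate check does for the user. The sample links are constructed (the paypal/az.ru link follows the article's own example; the other hosts are made up), and the generalisation to a single 32-bit integer host is an assumption not stated on the page.

```python
"""Defensive link inspector for the URL obfuscation tricks the article describes:
userinfo before '@', percent-encoded hosts, and decimal/hex numeric hosts, plus a
check that the host a link displays matches the host its href really resolves to."""
import ipaddress
import re
from urllib.parse import urlsplit, unquote

HEX_LABEL = re.compile(r"(0x)?[0-9a-f]+")   # one dotted label in decimal or hex
HOSTLIKE = re.compile(r"[a-z0-9.-]+")       # link text that looks like a hostname


def numeric_host_to_ip(host):
    """Normalise a numeric host to dotted-decimal IPv4, or return None if the
    host is not numeric. Accepts dotted decimal (216.238.8.44), dotted hex with
    or without 0x (D8.EE.8.2C, 0xD8.0xEE.0x8.0x2C) and, as an assumed extension
    not mentioned in the article, a single 32-bit integer (3639478316)."""
    h = host.lower()
    labels = h.split(".")
    if len(labels) == 1:
        if not HEX_LABEL.fullmatch(h):
            return None
        try:
            value = int(h, 16) if h.startswith("0x") else int(h, 10)
        except ValueError:          # a bare word such as "cafe" is not a number
            return None
        return str(ipaddress.IPv4Address(value)) if 0 <= value < 2**32 else None
    if len(labels) != 4 or not all(HEX_LABEL.fullmatch(l) for l in labels):
        return None
    # Labels carrying an 0x prefix or hex letters are read as hex (the article's
    # D8.EE.8.2C form); labels that are all digits are read as decimal.
    base = 16 if any(l.startswith("0x") or re.search(r"[a-f]", l) for l in labels) else 10
    try:
        octets = [int(l, base) for l in labels]
    except ValueError:
        return None
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def inspect_link(display_text, href):
    """Return where href really goes and a list of spoofing indicators
    (empty for an unremarkable link)."""
    netloc = urlsplit(href).netloc
    # Everything left of the last '@' is userinfo; old browsers dropped it silently,
    # so a brand name placed there never reaches the network.
    userinfo, _, hostport = netloc.rpartition("@")
    raw_host = hostport.split(":")[0]          # drop any port (IPv6 literals not handled)
    host = unquote(raw_host).lower()           # resolve %77%77%77 -> www, as a browser does
    indicators = []
    if userinfo:
        indicators.append("userinfo-before-at")
    if unquote(raw_host) != raw_host:
        indicators.append("percent-encoded-host")
    ip = numeric_host_to_ip(host)
    if ip:
        indicators.append("numeric-host")
        host = ip
    # Compare what the user sees with where the link goes. Only link text that
    # itself looks like a hostname or URL is compared; a plain brand name is not.
    shown = display_text.strip().lower()
    shown_host = (urlsplit(shown).hostname or "") if "://" in shown else shown
    if "." in shown_host and HOSTLIKE.fullmatch(shown_host):
        if host != shown_host and not host.endswith("." + shown_host):
            indicators.append("text-host-mismatch")
    return {"userinfo": userinfo, "host": host, "shown_host": shown_host,
            "indicators": indicators}


# Constructed sample links modelled on the article's description.
SAMPLE_LINKS = [
    ("PayPal", "http://www.paypal.com@%77%77%77.%61%7A.%72%75/%70%70%64"),
    ("PayPal", "http://D8.EE.8.2C/"),
    ("www.example.com", "http://0xD8.0xEE.0x8.0x2C/login"),
    ("Example Bank", "https://www.example.com/account"),
]

if __name__ == "__main__":
    for text, link in SAMPLE_LINKS:
        report = inspect_link(text, link)
        print(f"{text!r:20} -> {report['host']:16} {report['indicators']}")
```

Run stand-alone, the script shows that the article's PayPal link actually names the host www.az.ru once the percent-encoding is undone, and that both hex spellings of the server resolve to 216.238.8.44. In a mail gateway or browser extension the `indicators` list is what you would act on: the first two indicators alone never occur in honest links, and a text-host mismatch is the hyperlink-spoofing case that SSL does nothing to flag.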
The best method of combating such types of attacks involves education. It is
important that administrators educate users to beware of bogus URLs, and to look
at the URL they are visiting in the Address bar of the browser. Most importantly,
they should avoid visiting sites from links they receive in e-mails, unless it is a site
they are familiar with. It is always wiser to enter an address like www.paypal.com
directly into the address bar of a browser than to follow a link in an e-mail that is
indecipherable and/or may or may not be legitimate.

Even though the site appeared to be legitimate at first glance, reading the information
made visitors realize that the site was a spoof in its truest form. The features
of the bogus browser claimed to download pornography up to 10 times faster,
tabbed browsing that allows a user to switch from one Microsoft site to another,
and the feature of shutting down unexpectedly when visiting sites like Google,
iTunes, Apple, and so forth. While the site appears as nothing more than a parody
of Microsoft, it shows how simple it is to create a site that can fool (no matter how
briefly) users into thinking they’re visiting a site belonging to someone else.

