1
Web Spoofing
John D. Cook, Andrew Linn
2
Web huh?
Spoof: a hoax, trick, or deception.
Discussed among academics in the 1980s as the concept of IP spoofing.
IP spoofing was used in a few early and well-known attacks.
IP spoofing fell out of popularity once TCP stacks began randomizing initial sequence numbers, which made blind connection spoofing impractical.
Still done today in different forms.
Not all web spoofs are malicious.
3
Phishing
Pronounced "fishing", just much less fun.
Broad term for any attempt to acquire private or sensitive information by posing as a party the victim trusts.
Passive (record whatever the victim volunteers) or aggressive (actively solicit the data).
Not all phishing attacks are web spoofs, but the nature of web spoofs makes them a good choice for phishing.
Phishing is one example of the many uses of web spoofs.
4
Phishing Spoof Attacks
Fairly common; they are easy and they WORK!!
A "man in the middle" attack: the attacker's server sits between the victim and the real site.
Rewrites the URLs of every page it relays so that they point back through the attacker:
http://www.cnn.com becomes http://www.IAmAttacker.com/http://www.cnn.com
Every link on the rewritten page has that form, so users can get trapped in the attacker's system: each further click goes through the attacker's server, which sees and can alter everything passed in either direction.
5
Email Hoaxes
Often a phishing attack as well as a type of spoof.
Rely on carelessness or ignorance of the user.
Appear to be from a legitimate service.
Login IDs, passwords, credit card numbers, and Social Security numbers are the "booty".
6
Email Hoaxes Cont.
Some serve as the delivery vehicle for a web page spoof that is itself a phishing attack.
Examples linked from the original slide: FSU Phishing Email Hoax; WoW Email Hoax; I love FireFox; The purpose of the hoax.
7
Spoofs Today
Because everything else was totally last month.
Video games are in. So is stealing them (see the WoW email hoax above).
The downside of all info stored "server-side": whoever holds the login holds everything.
Online shopping = stolen credit cards. Yes, because us Americans just don't go to the store anymore.
8
Recognizing Spoofs
Look for the lock icon in your browser. It is not by itself proof of a safe website: it only says the connection to whatever site the certificate names is encrypted, and a spoofed page can draw a fake lock.
Use a *good* browser. My ambiguity in that statement allows me to not be biased.
Check the certificate of the page: the name on it should be the site you meant to visit, not just any site.
Or just pay attention.
9
The "Shadow Web"
Known as web spoofing.
First examined by Princeton researchers in 1996 (Felten et al.).
Tested in 2002 by researchers at Dartmouth.
Traps the user in the attacker's web: every link the victim follows is rewritten to pass through the attacker's server.
Uses JavaScript to rewrite what the browser shows (status bar, location line, security dialogs) so the rewritten URLs stay hidden.
Effectively spoofs the entire Web.
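The URL-rewriting step described on the "Phishing Spoof Attacks" slide and the "Shadow Web" slide, as an added example that is not part of the original deck and not code from the Princeton or Dartmouth work. It assumes the attacker host www.IAmAttacker.com from the slide, a constructed sample page standing in for what the proxy fetched from cnn.com, and the names rewrite_url, unwrap_url and rewrite_page chosen here; the attribute regex is enough for the demo page, where a real rewriter would use an HTML parser.

```python
import re
from urllib.parse import urljoin, urlsplit

# Attacker prefix taken from the slide; assumed for this example.
ATTACKER = "http://www.IAmAttacker.com/"


def rewrite_url(url, base_url, attacker=ATTACKER):
    """Shadow-web form of a link: attacker prefix + the absolute original URL,
    e.g. http://www.cnn.com -> http://www.IAmAttacker.com/http://www.cnn.com.
    Relative links are resolved against the page they appeared on first, so a
    root-relative "/weather" cannot escape the attacker's server."""
    absolute = urljoin(base_url, url)
    if urlsplit(absolute).scheme not in ("http", "https"):
        return url  # mailto:, javascript: and the like are left alone
    return attacker + absolute


def unwrap_url(request_path):
    """Inverse of rewrite_url, run on the attacker's server: the path the
    victim's browser requested is the real URL the proxy must fetch."""
    real = request_path.lstrip("/")
    if not real.startswith(("http://", "https://")):
        raise ValueError("not a wrapped URL: " + request_path)
    return real


# href/src/action attributes with quoted values (demo-grade; see lead-in).
_ATTR = re.compile(r'''(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2''', re.I)


def rewrite_page(html, base_url, attacker=ATTACKER):
    """Rewrite every link in a relayed page so the next click also goes
    through the attacker. Once a victim is on one rewritten page, every page
    reached from it is rewritten too: the "trap" on the slide."""
    def fix(m):
        return m.group(1) + m.group(2) + rewrite_url(m.group(3), base_url, attacker) + m.group(2)
    return _ATTR.sub(fix, html)


# Constructed sample page (not real cnn.com content).
SAMPLE_PAGE = (
    '<a href="http://www.cnn.com/world">World</a>\n'
    '<a href="/weather">Weather</a>\n'
    "<img src='logo.gif'>\n"
    '<a href="mailto:tips@cnn.com">Tips</a>\n'
)

if __name__ == "__main__":
    print(rewrite_page(SAMPLE_PAGE, "http://www.cnn.com/index.html"))
```

The victim's browser only ever talks to www.IAmAttacker.com; the original host survives inside the path, which is what the JavaScript on the "Shadow Web" slide has to hide from the status bar and location line.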
11
[Figure: sample fake tool bar pop-up beside the true tool bar pop-up. Courtesy of Dartmouth College.]
12
[Figure: fake SSL warning window beside the true SSL warning window. Courtesy of Dartmouth College.]
13
The "Shadow Web"
While plausible, it is unlikely in practice.
High yield requires huge effort: the attacker must rewrite every page and convincingly fake every browser element for every victim.
The variety of browsers, user customization, and security software options prevent it from being a viable attack at scale.
Acts as a man-in-the-middle attack.
14
"Shadow Web" Demonstration. Courtesy of Felten et al., Princeton University.
15
The "Shadow Web" Attacks
Simple surveillance -> phishing attacks (the attacker records everything the victim submits).
Data manipulation -> man-in-the-middle (the attacker alters pages and form data in transit).
16
The "Shadow Web" Detection
Disable JavaScript (removes the attacker's ability to fake the status bar and location line).
Customize the browser (a rewritten copy of the standard chrome will not match a customized one).
Pop-up and spam blockers.
Firewalls and other security software.
17
Computer Security Dilemma
Most spoof attacks are user initiated: the victim follows the link.
Hard to prevent from the computer security side.
Security software falls short against user ignorance.
A broad audience is uninformed.
18
Detection and Prevention
Understand what will and will not be requested in an email (a legitimate service does not ask for your password by email).
Do not follow email links to edit account information. Instead, type the website's URL into the browser yourself.
Verify a URL before clicking on a link: the host the link actually goes to, not the text it displays.
Check the SSL certificate of a website before disclosing personal information.
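One way to automate the "verify a URL before clicking" and "check the certificate" advice on this slide and on "Recognizing Spoofs", as an added example that is not from the deck. It assumes a hypothetical bank at bank.com, reuses the attacker host www.IAmAttacker.com from the earlier slide, and the names check_link, shown_host and cert_covers are chosen here; the certificate check works on a constructed subjectAltName list rather than a live connection.

```python
import re
from urllib.parse import urlsplit

EXPECTED_HOST = "bank.com"  # the site the email claims to be from (assumed)


def host_of(url):
    """Lower-cased hostname of an http(s) URL, or None if it is not one."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def shown_host(text):
    """Host a reader would take from link text such as 'www.bank.com' or
    'https://www.bank.com/login'; None for text like 'Click here'."""
    text = text.strip()
    if re.fullmatch(r"[\w.-]+\.[A-Za-z]{2,}(/\S*)?", text):
        text = "http://" + text
    return host_of(text)


def belongs_to(host, domain):
    return host == domain or host.endswith("." + domain)


def check_link(visible_text, href, expected_host=EXPECTED_HOST):
    """Reasons not to trust a link found in an email. An empty list means no
    known trick was found, which is not proof that the link is safe."""
    reasons = []
    parts = urlsplit(href.strip())
    host = host_of(href)
    if host is None:
        return ["link is not an http(s) URL: " + href]
    if parts.username is not None:
        # http://www.bank.com@attacker.com/ : everything before '@' is ignored
        reasons.append("text before '@' hides the real host %r" % host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("link goes to a bare IP address, not a named site")
    if re.search(r"https?://", parts.path + "?" + parts.query):
        # the shadow-web form: http://www.IAmAttacker.com/http://www.bank.com/
        reasons.append("another URL is embedded after host %r; it is relayed" % host)
    shown = shown_host(visible_text)
    if shown and not belongs_to(host, shown):
        reasons.append("link text shows %r but the link goes to %r" % (shown, host))
    if not belongs_to(host, expected_host):
        reasons.append("host %r is not %s or a subdomain of it" % (host, expected_host))
    return reasons


def cert_covers(hostname, san_dns_names):
    """Does a certificate's subjectAltName DNS list cover hostname? A wildcard
    '*.bank.com' matches exactly one label, as browsers enforce."""
    hostname = hostname.lower()
    for name in san_dns_names:
        name = name.lower()
        if name.startswith("*."):
            if "." in hostname and hostname.split(".", 1)[1] == name[2:]:
                return True
        elif name == hostname:
            return True
    return False


if __name__ == "__main__":
    # Constructed links of the kinds discussed in the deck.
    for text, href in [
        ("https://www.bank.com/login", "https://www.bank.com/login"),
        ("www.bank.com", "http://www.bank.com@attacker.com/login"),
        ("Click here", "http://www.IAmAttacker.com/http://www.bank.com/login"),
        ("Sign in", "https://www.bank.com.attacker.com/"),
    ]:
        print(href, "->", check_link(text, href) or "no known trick found")
    print(cert_covers("www.bank.com", ["bank.com", "*.bank.com"]))
```

The last check is what the "lock" on the earlier slide cannot tell you on its own: a valid certificate for www.IAmAttacker.com lights the lock just as well as one for www.bank.com, so the name on the certificate has to be compared with the site you intended to reach.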
19
[Figure: sample email spoof.]
21
Motivations
Most spoof attacks are phishing attacks.
Some serve to smear a company's reputation or hurt its finances with false reports.
Others are for fun or political goals.
All spoofs, even those that are jokes, have the potential for harm.
22
Brick and Mortar
Virtual world vs. physical.
It is harder to verify that you are dealing with Amazon.com than with a brick and mortar store.
Security software helps, but an educated user base is the best defense against spoof attacks.
23
Criminal Act
Identity theft is a growing concern.
Spoofing is used in many phishing scams to facilitate identity theft.
Most attackers use stolen or hacked machines, which makes attribution harder.
When caught, attackers must be punished appropriately.
24
Questions?