1Web Spoofing

Outline

•Motivation

•Web spoofing problem

•Web spoofing attacks – works done

•Web spoofing Countermeasures – works done

•New Idea

2Web Spoofing

Citibank scam - 2004

account holdercitibank

email

Not the real bankTricked to the wrong site

Your account was blocked , you have to fill a form in the

following link

3Web Spoofing

PayPal Targeted by Scam Artists - 2002

account holder

email

Not the real bankTricked to the wrong site

We are replacing the current system with a new one. click here to

fill your details.

https://www.paypal.com/cgi-bin/webscr/?cmd=_login-run

http://www.paypalsys.com/

4Web Spoofing

Bank Leumi – potential scam

http://www.leumi.co.ilhttp://www.bankleumi.co.ilhttp://www.leumibank.co.ilhttp://www.bll.co.ilConsistency Lack Complex Url Structure

5Web Spoofing

Our Players

server authentication is possible.

user server

performs sensitive tasks.

Is the browser-user communication model secure enough to warrant this assumption.

6Web Spoofing

He Wants to

check his bank account

Great. I get

it.Intended site

Faked site

Other sites

Faked

Faked

SiteSite! !

Internet

Spoofing is pretending to be someone else.

Web Spoofing

The user surf a “faked site” as it was the real one he intended to.

7Web SpoofingFaked Site

•Site that imitate another one in its appearance and action for malicious purposes.

•To succeed , the imitation process must take into account the level of awareness of the potential victim.

Content imitation Content & Status imitation

•Imitate the page content

•Created by copying HTML files.

•“fine” for users who judge sites according to their Visual Context.

•page content as sent by the server

•Status information produced by the browser

•Actions must be imitated

•Requires some programming efforts.

•“fine” for sophisticated users.

8Web SpoofingHow the Users Get “Phished”

•Normal surfing

•Link in popular web page

•Search engine

•Web-enabled email

•Sent by the attacker

•Man in the middle attack

•The attacker sit between the user and the real site

9Web Spoofing

•Web spoofing: An Internet Con Game -1996•Edward W.Felten and others.•spoofing entire WWW

attacks

remed

yWorks Done

•Web Spoofing Revisited: SSL and Beyond – 2002•Zishuang , Yuan and Smith.•Can users believe what their browsers tell them?

•Trust on Web Browser: Attack vs. Defence•No author given

•Trusted Paths for Browsers: An Open-Source Solution to Web Spoofing – 2002

•Zishuang , Yuan and Smith.•Demonstrate Open source solution

10Web Spoofing

request url

www.attacker.org

www.server.com

real page content

1

23

4

change page

5

spoofed page content

Request real url

•Victim somehow lured into the attacker Web.

•Victim remains trapped in the attacker’s web due to url rewriting .

http://home.netscape.com

rewritten

http://www.attacker.org/ http://home.netscape.com

4

11Web Spoofing

Complete the Illusion

•Still there some evidence that may disclose the attack.

•Status Line

•Mouse click/move events written in javascript

•Location Line

•Replace the original with fake one.

•Viewing Document Source

•Hide the menu bar and provide another

•SSL evidence do not help

•The secure connection made against the attacker’s site.

12Web Spoofing•The target was WebBlitz , a web-based e-mail system.

•The language used was Javascript.

•They take into account the browser type.(Netscape , IE).

•Create new window with all bars turned off .

•They provide a interactive fake bars instead.

•The location bar get input from keyboard

•A fake statusbar with lock icon to indicate SSL session.

•The fake statusbar updated as needed

•SSL warning windows spoofed also.

•They spoof the server certificate that emerged when lock icon double clicked

•Images were cached to improve load time

13Web SpoofingCountermeasures

•Browser Configuration & recommendations

•Configuring browser settings: disable javascript

•Short term

•Maybe selective

•Make sure the location bar always visible

•Make sure the url points to the server you intended to

•Browser Extension

•Extending functionality so the user interface is safe

•Long term

Good solution must prevent web spoofing and keep the browser in full functionality.

14Web Spoofing

Abstract

•suggest a solution that defend against web spoofing.

•create a trusted path from the browser to the user.

•implemented in Mozilla: open source browser.

Design Criteria

•Effectiveness

•User can correctly recognize large amount of status info

•Work

•Cannot expect users to do a lot of work

•Intrusiveness

•Minimize intrusion on content

15Web Spoofing

Rejected Approaches

•Preventing the open of windows with status elements turned off.

•What about pop-up warning window

•What about certificate information pages

•Constrict the display of server pages

•User enter a “MAC phrase” at startup and browser insert it in each status element.

•Adding some phrase to the title of windows.

16Web SpoofingSolution

•marking scheme that servers could not predict.

•This scheme marks the trusted status content.

•Synchronized random dynamic boundaries

SRD Window Types

untrusted trusted

Server material Browser material

Style of boundary changes in random.

17Web SpoofingAnimation of the Solution

18Web Spoofing

New Idea

•Creating a safe region in the top of each browser window.

•It is out of loaded sites control.

•Enable personal skinning.

•SSL secured sites identified by a logo in this region.

•Credential logos will appear in this region

•Implemented in Mozilla browser.

19Web Spoofing

לוגו לזיהוי

המלצה

אזור בטוח

20Web Spoofing

דפדפן הקמת ערוץ בטוח / אמות תעודת אתרשרת

TBSR רשימת המלצות ולוגויים ע"פ בקשה

המלצות נוספות מהאנטרנט

דפדפן משופר

Ineraction between TBRS and other entities

21Web Spoofing

CAMM SRCM

CTM CCM

דפדפן

אתר נצפה

מקורות נוספים

תעודת שרת ראשונית

ה מ ל צ ו ת

המלצות שנאספו

המלצות במבנה אחיד

מאפיינים ממופים ללוגיים

הצגת לוגויים באזור

הבטוח

TBRS Components