A Technical Report On Web Spoofing Computer Science Essay


This paper describes an Internet security threat that could endanger the privacy of World Wide Web users and the integrity of their data. The attacker resorts to social engineering to fraudulently acquire sensitive information, such as credit card details, passwords, and social security numbers. The targeted victim is given the impression that the attacker is a trustworthy person or business, and the victim confidently hands over the requested information. In this article we will look at the various methods by which an attacker spoofs the whole World Wide Web, some of which are commonly used today, and show how to detect and counter them.

Spoofing is the creation of a false world in which a user's actions, undertaken as if they were in the real world, can have potentially disastrous effects. In a spoofing attack, the attacker creates a misleading context in order to trick the victim into making an inappropriate decision that might lead to unauthorized tampering with data.

Web spoofing is a kind of electronic game in which the attacker creates a convincing but false copy of the entire World Wide Web. The false Web looks just like the real one; it has all the same pages and links. However, the attacker controls the false Web, so that all network traffic between the victim's browser and the Web goes through the attacker's host. Web spoofing is really about making the copy convincing enough to make victims believe they are in good hands.


A term related to Web Spoofing is Phishing. Phishing means persuading individuals into giving away valuable information, often through popular Internet communication channels.

These attacks are not limited to the electronic world; they can also occur in the physical world. For example, an ATM can be spoofed when a criminal attaches a micro camera and a skimmer (a device that seamlessly attaches over the ATM's real card reader) to capture the user's PIN or other information.


Given an attacker-created "shadow copy" of the World Wide Web, an attacker can:

Monitor a user's activities, including passwords and account numbers

Send false or misleading data in the victim's name

The attacker does not really copy the whole web, but interposes himself between the victim and the Web so that all the network traffic between the victim's browser and the web goes through the attacker's host.

Spoofing the whole web

These attacks are mainly achieved through URL rewriting. The attacker's first trick is to rewrite all the URLs on some Web page so that they point to the attacker's server rather than to some real server. The attacker does so by prepending the attacker's host to every URL so that each request is routed through it.

For example:

http://www.server.com/ becomes http://www.attacker.org/http://www.server.com/

Pages are then requested through www.attacker.org, which functions as a proxy to fetch the true page (in this case, http://www.server.com), applying any of the attacker's desired transformations in the process.

Figure 1: An example Web transaction during a Web spoofing attack.

Figure 1 shows an example of a Web transaction during a Web spoofing attack: (1) the victim requests a Web page from the attacker's server; (2) the attacker's server then requests the page from the real server; (3) the real server provides the page to the attacker's server; (4) the attacker's server rewrites the page; (5) the attacker's server provides the rewritten version to the victim.

Once the attacker's server has fetched the real document needed to satisfy the request, the attacker rewrites all the URLs in the document into the same special form by splicing http://www.attacker.org/ onto the front. Then the rewritten pages are sent to the victim's browser through the attacker's server. Since all of the URLs in the rewritten page now point to the attacker's host, if the victim follows a link on the new page, the page will again be fetched through the attacker's server. The victim remains trapped in the attacker's false Web, and can follow links forever without leaving it.

Since any URL can be spoofed, forms can also be spoofed; spoofing of forms works naturally because forms are integrated closely into the basic Web protocols: form submissions are encoded in Web requests and the replies are ordinary HTML. So now the attacker can modify any data.

It is also possible to redirect users to malicious sites by defining proxies in the browser configuration. This is usually done by having the user install some sort of web extension (trojan/spyware) which then can override the settings present in the web browser.

"Secure" connections don't help

One distressing property of this attack is that it works even when the victim requests a page via a "secure" connection.

The victim's browser says it has a secure connection; the secure connection indicator is also turned on, because a secure connection is made. Unfortunately the secure connection is to www.attacker.org (the attacker's host) and not to the place the victim thinks it is.

So the secure-connection indicator only gives the victim a false sense of security.

Properties of recent attacks

Here are some examples of how the user is lured onto the spoofed page:

The URL is made to appear the same at a quick glance by interchanging look-alike characters: capital I ("eye"), numeric 1 ("one") and lowercase l ("ell"), or numeric 0 ("zero") and capital O ("oh")

The URL uses an IP address

The URL uses the @ ("at") mark to include the true site name in the URL and make it appear legitimate to the user, but the browser treats that name as a login/password combination.
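The three properties above, together with the prepended-host form produced by URL rewriting, can be checked mechanically. The following is an added example, not part of the original essay and not code from any tool it mentions; the trusted-host list, the finding labels and all sample URLs are constructed for illustration.

```javascript
// Added example: heuristic checks for the URL tricks described in the text.
// TRUSTED_HOSTS and the finding labels are assumptions made for illustration.
const TRUSTED_HOSTS = ["www.server.com", "www.online-bill.example"];

// Fold the look-alike characters named in the text into one form:
// I / 1 / l -> "l" and 0 / O -> "o" (parsed host names are lowercase).
function skeleton(host) {
  return host.toLowerCase().replace(/[1il]/g, "l").replace(/[0o]/g, "o");
}

function checkUrl(raw) {
  const findings = [];
  let url;
  try {
    url = new URL(raw); // WHATWG parser, the same rules a browser applies
  } catch {
    return ["unparseable"];
  }
  const host = url.hostname;

  // "@" trick: text before "@" is userinfo, not the site being contacted.
  if (url.username || url.password) findings.push("userinfo");

  // Raw IP address instead of a name. The parser normalises decimal and
  // hex IPv4 forms to a dotted quad; IPv6 literals keep their brackets.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) {
    findings.push("ip-host");
  }

  // Look-alike host: same skeleton as a trusted host, different spelling.
  for (const good of TRUSTED_HOSTS) {
    if (host !== good && skeleton(host) === skeleton(good)) {
      findings.push("lookalike:" + good);
    }
  }

  // Rewritten URL: another absolute URL carried inside the path.
  const nested = url.pathname.match(/\/(https?:\/\/[^/]+)/i);
  if (nested) findings.push("nested-url:" + nested[1]);

  return findings;
}
```

These are heuristics: an empty result means none of the listed tricks was found, not that the site is genuine.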

Suggested Remedies

Web spoofing is a dangerous and nearly undetectable security attack that can be carried out on today's World Wide Web. Fortunately there are some protective measures we can take.

Disable JavaScript in your browser so the attacker will be unable to hide the evidence of the attack;

Make sure your browser's location line is always visible;

Pay attention to the URLs displayed on your browser's location line, making sure they always point to the server you think you're connected to.

You may still be victimised if you do not pay attention to the browser's location line.

Another solution is to switch to a browser in which the location line is always visible.

Some software has also been developed to help the user identify fake pages. One such program is Quero.

Quero protects you against phishing tricks by highlighting suspicious characters in the host name.

Figure 2: Quero highlighting

Quero helps you to figure out on which website you really are by highlighting the registered domain in the address.

Figure 3: Quero highlighting <c,a,f,´e,U+0301>

Secure connections are indicated by a change of Quero's background color to yellow and by displaying the lock symbol in the toolbar. You are encouraged to check the web site's address.

Figure 4: Quero highlighting

There is also a browser plug-in, SpoofGuard, that performs a number of checks to determine a page's validity. It exists in the browser's memory context as a COM component for Internet Explorer. It also appears as a toolbar with a visible alert for checking the validity of a page.


The appearance of a web page can be duplicated and subtly compromised. One of the most common ways to fool users is to get them to reveal their usernames, passwords or account information.

The implied "security" of a connection only applies to the network link between a victim and the site specified in the URL bar. So a secure connection is maintained between the victim and the attacker's host.

The solution is common sense: be wary of links to "sensitive" sites and pay attention to the Location bar. Various software tools have also been developed to help you combat the problem.