Web Spoofing Attack

This article explains the seriousness of web spoofing attacks that is in fact difficult to handle.

With the advent and rapid spread of internet technologies and applications, the number of sophisticated cyber attacks have subsequently also been increasingly prevalent in the cyber atmosphere to weaken the IT security infrastructure. The initiators of various advanced levels of cyber attacks are usually seeking to break into the system by exploiting a weakness or vulnerability in the existing system using advanced tools and tactics. However, it is still to justify the apparent intention behind execution of cyber attacks, usually to damage, to gain fame, or to make money. Hence, this article unfolds the internal mechanics of packet spoofing cyber attacks that impacts critical IT resources and finally, discuss the way to subvert them and make our existing infrastructure foolproof.

Web Spoofing Attack

Web page spoofing, or phishing comes under social engineering attacks, is becoming a very prevalent technique among malicious hackers to gather account information from unsuspecting users. The following is the procedure to do a type of web page spoofing.

Step 1: Download the entire website files that you want to spoof using Wget or Teleport Pro tools.

Step 2: Alter the website, depending on your needs, to collect the information, such as credit card details, from unsuspecting users.

Step 3: Host the website, preferably with a domain name similar to that of your spoofed source (for example, http://www.ebeys.com instead of http:// www.ebay.com ).

Step 4: Obtain the IP address of the site you are hosting using NSLOOKUP, DIG, or PING and decode it into an address of 32-bit DWORDs. In the following sample, the private address 192.168.1.1 is used as the website address on an intranet. In order to cheat the victim, transform the dotted decimal address into a single, large decimal number, do the following:

  • Take the first octet as SEED1, 192 and multiply it by 16,777,216. This equals 3,221,225,472.

  • Take the second octet as SEED2, 168 and multiply it by 65,536. This equals 11,010,048.

  • Take the third octet as SEED3, 1 and multiply it by 256. This equals 256.

  • Next, add SEED1, SEED2 and SEED3 with the last octet (1). This equals 3,232,235,777 that will be your new DWORD value to obscure the website for unsuspecting users to go to.

Step 5: Now, obscure the web page using hexadecimal representations of the page name. For example, if you want to redirect the victim at this page called mypage.htm, it is suggested to obscure the file extension by replacing some of its letters with the hexadecimal ASCII code to confuse the victim. The ASCII value for “t” is 116, which in hex is 0x74. You can format the name, then, as account.h%074m. This hides the type of file that you are requesting the user to go to.

Step 6: Finally, draft an e-mail asking the user to go to your spoofed website that suggests the user to change their password. Henceforth, link the user to your website by adding the @ symbol after the real address followed by the obscured URL, instead of real website. Web browsers eventually, ignore anything before the @ symbol. The following is a sample e-mail demonstrating this @ technique:

Account System Cleanup

Step 7: The web address http://www.paypal.com@3232235777/account.h%074m is shown within the e-mail message as a legitimately correct address. Ultimately, it redirects the victim to a hacker website, where the hacker can ask them to put in their sensitive account information.

e-Mail Spoofing Attacks

An E-mail spoofing attack occurs when a malicious person impersonates another identity at the application layer and as such sending a fake mail on behalf of another legitimate user's identity. This attack is typically a part of web attacks where the hacker presents some bogus hyperlink before victims by means of e-mails and prompts him to open such a malicious link that redirects the user to hack their own site. This is a common mechanism to spread malware and a Trojan across the virtual atmosphere. The hacker plants a Trojan at his own server and sends that URL using e-mail spoofing to the victim. The moment they open that link, their machine will be compromised and the hacker gets full control remotely. Subsequently, there are a couple of methods by which a hacker sends fake mails to a victim on behalf of a valid identity. For example, in the following figure a hacker pretended to be Bill Gates and sent a mail to the victim as:

html editor

And the innocent is excited, OMG! Bill Gates! When he receives the mail something like the following:

innocent EXCITED

Here, the hacker tries to trick the innocent user to cheat him by sending such a fake mail from a legitimate identity and eventually an innocent person provides them their sensitive information.

invitation

Protection against spoofing attack

The administrator should implement a few preventive mechanisms to thwart the spoofing attack. However, such attacks are difficult to tackle. Awareness of the possibility of this attack is the ultimate way to tackle this attack. The users are therefore strongly advised to neither open any unidentified source attachment in the mail, nor open any unsolicited weblink embedded in the mail contents. Instead, manually enter the address of to be asked website directly in the browser address bar.

Conclusion

In this short article, we have seen the seriousness of web spoofing attack that is in fact, difficult to handle. It can result in a sensitive data loss or victim machine could be proven as a platform for the spread of a Trojan. We have came to understand web and email spoofing attacks that are a huge challenge for a network administrator to sort out. Placing a firewall with a proper configuration, switches and routers in a significant move to defend the network from spoofing. Finally, despite use of anti-spoofing tools and tactics, the infrastructure is still prone to this attack because awareness, especially among users, is the optimal solution to fight against this attack.