Web spoofing is tricking someone into visiting a website other than the one they intend to visit, by creating a similar website. Web spoofing is a phishing scheme. Nearly every aspect of social, government, and commercial activity is moving into electronic settings. The World Wide Web is the de facto standard medium for these services. Inherent properties of the physical world make it sufficiently difficult to forge a convincing storefront or ATM that successful attacks create long-cited anecdotes. As a consequence, users of physical services (stores, banks, newspapers) have developed a reasonably effective intuition of when to trust that a particular service offering is exactly what it appears to be. However, moving from “bricks and mortar” to electronic introduces a fundamental new problem: bits are malleable.
This paper describes an Internet security attack that could endanger the privacy of World Wide Web users and the integrity of their data. The attack can be carried out on today's systems, endangering users of the most common Web browsers, including Netscape Navigator and Microsoft Internet Explorer. In short, the attacker observes and controls everything the victim does on the Web.
Spoofing means pretending to be something you are not. In Internet terms it means pretending to be a different Internet address from the one you really have in order to gain something. That might be information like credit card numbers, passwords, personal information or the ability to carry out actions using someone else’s identity. An IP spoofing attack involves forging one's source address. It is the act of using one machine to impersonate another. Web spoofing allows an attacker to create a "shadow copy" of the entire World Wide Web. Accesses to the shadow Web are funneled through the attacker's machine, allowing the attacker to monitor all of the victim's activities, including any passwords or account numbers the victim enters. The attacker can also cause false or misleading data to be sent to Web servers in the victim's name, or to the victim in the name of any Web server.
Starting the Attack:
The attacker must somehow lure the victim into the attacker’s false Web. There are several ways to do this.
* An attacker could put a link to the false Web onto a popular Web page.
* If the victim is using email, the attacker could email the victim a pointer to the false Web.
* Finally, the attacker could trick a Web search engine into indexing part of the false Web.
Spoofing attacks in the physical world as well as the electronic world:
* People using computer systems often make security-relevant decisions based on the social-engineering cues they see. For example, you might decide to type in your account number because you believe you are visiting your bank’s Web page. This belief might arise because the page has a familiar look.
Ways of Trapping Victim:
A browser presents many types of context that users might rely on to make decisions.
* Appearance – the appearance of an object might convey a certain impression.
* Name of Objects – people often deduce what is in a file by its name.
* Timing of Events – if two things happen at the same time, the user might think they are related.
Work in the Past:
In 1996, Felten et al. at Princeton originated the term "Web spoofing" and explored spoofing attacks in Netscape Navigator and Internet Explorer. They made a shadow copy of a few websites using JavaScript, and when a victim accessed the shadow Web, they were able to monitor all of the victim's activities.
In the same year, De Paoli suggested two methods of Web spoofing:
* A client downloads a honeypot HTML document that has an embedded spy applet. As the client opens a new Web page, a new Java thread starts sending information to the attacker.
* The other attack involved the use of applets to steal sensitive information, such as passwords, by social engineering.