We visit websites in search of a desired result: information, a transaction, interaction, or some free or paid service. The natural tendency is to assume that a known website will do them no harm. That’s certainly the intent of the site’s designers and owners, who may depend upon the site to provide information and process sales. Website forgery takes advantage of the user’s assumption of safety, often leaving the user unaware of the security breach.

We will examine two common categories of website forgery: cross-site scripting and website spoofing.

What is cross-site scripting?

Often abbreviated XSS, cross-site scripting takes advantage of the fact that the user’s browser will normally run script code presented by a website. If it did not–if the user had to sign off on every bit of scripting served up–most users might not bother to go to such a website. While the code can be written in Flash, ActiveX, or VBScript, JavaScript is the phisher’s most common language for the simple reason that nearly all modern websites use it.

XSS has potential on any website that allows the user to modify a page; this is most often found where a site allows users to post comments. The attacker posts a comment including malicious code that can trigger a script of that attacker’s choice. All users’ browsers visiting that page–at least, all those lacking robust security measures–will execute whatever scripts the website transmits with the page. Both website maintainer and website visitor are the victims, because the phishers have weaponized a page to use it for mischief the site designers never intended.

How can XSS harm the user?

For one thing, it can steal the user’s cookies. Many users’ login information resides in cookies–small files maintained by the user’s browser–and JavaScript has access to those cookies. If a browser cookie stores someone’s online banking login and password, XSS can enable a phisher to obtain those. A sophisticated XSS attack can turn a website into an identity theft engine, supplying a steady flow of stolen logins to a site under the attacker’s control. The attacker can attempt to exploit or market the information, which can have a long shelf life if no one detects the theft right away. Since users most often change passwords in response to a site requirement, a gradually declining percentage of the logins will remain valid for some time.

Do web designers take the XSS threat seriously?

Most do, though many could do a better job of testing their sites’ vulnerability to XSS. Some consider it the user’s problem, a shortsighted policy because anything that makes a website do the wrong thing is a problem for that site’s owner. Often the user is a customer, and if the customer learns that a site’s lax security caused him or her inconvenience or harm, most customers will blame the firm or agency that owns the site.

How can users protect themselves from XSS risks?

Since JavaScript is such a common language, one might not always want to let it operate. Some browsers have begun to build in XSS protection, such as Internet Explorer v8 and higher. It’s worthwhile to check one’s browser options with regard to security, always remembering that a more current browser version will tend to mean more current protection.

Some add-ins, such as NoScript for Firefox, will allow the user to permit or deny scripts permission based upon their domain of origin. While this has its place–and it can be fascinating to see just how many different sites are firing off code in order to assemble the webpage that appears before one–not everyone is patient with the need to restore script permissions one at a time until it happens to enable the script that allows the menu to work. Most users will want to grant blanket permission to scripts emanating from oft-used sites.

NoScript also allows the browser to refuse external websites’ (those outside the chosen site the user interacts with) requests for internal (user’s computer) resources. This comes up in the form of a pop-up that will give the user time to ponder whether the request might be legitimate. If it is, the user may permit the request.

If one keeps track of one’s passwords, one can record when they are changed. Not many users might go to this length, but if one established a policy of changing any password three months old or older, it would add some protection in case one’s login were sitting in a file awaiting exploitation. Even if one doesn’t decide to keep records, if it’s an old password, consider changing it just because.

Security Awareness

Easiest and perhaps above all: update your browser, its add-ons, your security software, and your operating system. Every day, the bad guys and gals get a little smarter. So do the good guys and gals, but in order to benefit from their most current knowledge, one must install it.

What is website spoofing?

The website spoofer scams the public by creating a fake website in the image of some legitimate site, for example resembling a bank or brokerage’s site. In some cases, the aim is parody or comedy, but other spoofs are designed to obtain users’ personal information for malicious purposes.

What methods do website spoofers use?

One very common approach involves a doppelganger of the real site, hosted under a slightly different domain name which the real site’s owner cannot control. Imagine for example the site www.acmeintergal.com owned by Acme Intergalactic Corp.; the spoofers want to lure traffic, so they register www.acmeintergalcorp.com and mock up a rather convincing version of the real Acme website. It might not fool some longtime customers, but when it comes up on a search engine, it stands a better chance of fooling those with no firm idea what to expect. It will probably collect some useful identity information, and some authentic acmeintergal.com logins, before legal action puts it out of business.

Another common approach, though rarely well executed, tries to lure the mark with e-mail. The bad actors make up a mass email with realistic-looking logos, warnings, and notifications. It differs only in delivery from the IRS imposters who call on the phone and try to browbeat random people into sending them money. The e-mail warns the recipient to click on a link that will take them to the ‘company’ website, where the matter can be straightened out. In reality, of course, that link goes directly to a spoofed website, which will do whatever it was designed to do–usually collect their login information.

URL cloaking is another spoofing method. The spoofer uses URL redirection or control characters to make the user believe s/he is in the right place, but it isn’t so.

DNS poisoning, often called cache poisoning or DNS cache poisoning, is a fiendishly clever trick that gets a DNS server to accept fiction as truth. Since the job of a DNS server is to convert domain names (e.g. companyurl.com) to the actual IP address associated with each name, this is like issuing a fake phone book with scam numbers substituted for some real ones. A DNS server remembers recent entries for a time, called “caching.” If the server’s DNS software is out of date–as is an alarming proportion of the DNS software in use today–that server may accept a fake entry as genuine, thereafter (until the cache is cleared) redirecting the request somewhere the DNS server owner never intended.

Then there’s IP spoofing, which involves a hacker’s machine pretending to be a different machine, replacing the correct source IP with the hacker’s IP. It’s not the easiest hack in the catalogue, but the determined hacker can get a lot of information that is none of his or her business.

How can one avoid website spoofs?

A phony version of the real website may contain subtle mistakes, generally in English grammar or usage. Some such mistakes are obvious enough to stand out to the average user. Most major companies exert great effort to look their best online, especially when an embarrassing mistake can be screen-captured and passed around for lasting amusement. These companies hire professional writers and proofreaders, and do not long tolerate such mistakes in public presentation, so a webpage riddled with English errors is always suspicious. If the writing looks a little “off,” so may the site be also.

The same caution applies to an e-mail purporting to emanate from a respectable nonprofit or governmental institution, since they do not typically make such errors. However, a greater “tell” is that respectable entities almost universally avow that they will never send such e-mails. If the IRS has an issue with someone’s taxes, it sends registered mail. If your bank account has a problem, the bank writes to you. In no case will such institutions send you an e-mail asking for your login information, for precisely this reason.

Look at the URL that appears in your browser as you pass your mouse over a suspicious link on a webpage or in an email. If an email tells you to rescue your Megabancorp Visa account by clinking on this link, do an independent search to ascertain the real Megabancorp Visa webpage. Call their customer service phone number from that page and ask if there’s a problem. If you describe what you received or saw, they will probably congratulate you on dodging a spoof attempt.

Lastly, be observant. That which sounds strange should raise red flags, whether you encounter it as a search engine result or in an e-mail. If something doesn’t feel right, it probably is. And when in the slightest doubt, use an independent resource to find a company or agency’s contact information, and ask the organization to clarify. Most would far rather have you do that than be taken in by an impostor.

Website forgery and phishing go hand-in-hand. Phishing scams often involve website forgery in their arsenal of tools. One key to knowing how to thwart this sneaky approach is to know what you and your colleagues need to be watching for. SecurityIQ’s PhishSim service allows you to run simulated phishing attacks on your friends, family, or employees, helping them to become savvier at detecting suspicious activity, while helping you to see who in your network needs the most information.

What does the future hold for website forgery?

We can’t be sure. We can assume that smart thieves, often beyond the physical reach of effective legal restraint or threat, will continue to use their skills and creativity for new forms of theft. If something looks or feels odd, weird, or doesn’t really make sense, you may be experiencing the latest evolution of this phishing strategy. Think before you click; submit a login only where you are sure it’s safe; distrust and check out whatever seems strange. The methods will change, but the cautionary reflex will refine over time.

====

Sources:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

https://securityiq.infosecinstitute.com/

https://www.nsa.gov/ia/_files/factsheets/XSS_IAD_Factsheet_Final_Web.pdf

https://www.fbi.gov/news/pressrel/press-releases/fbi-says-web-spoofing-scams-are-a-growing-problem/

https://www.sfbay-infragard.org/Documents/phishing-sfectf-report.pdf

http://www.lookstoogoodtobetrue.com/fraudtypes/phishing.aspx

http://www.itsecurity.com/security.htm?s=3234

http://infocellar.com/networks/Security/ip-spoofing.htm

Be Safe

Section Guide

Chris
Sienko

View more articles from Chris

SecurityIQ has published a number of videos on social engineering and phishing. You can sign up for a free account to browse their resources and test how phishing savvy you really are.

Section Guide

Chris
Sienko

View more articles from Chris
[i]
[i]