We visit websites in search of a desired result: information, a transaction, interaction, or some free or paid service. The natural tendency is to assume that a known website will do them no harm. That’s certainly the intent of the site’s designers and owners, who may depend upon the site to provide information and process sales. Website forgery takes advantage of the user’s assumption of safety, often leaving the user unaware of the security breach.
We will examine two common categories of website forgery: cross-site scripting and website spoofing.
What is cross-site scripting?
XSS is possible on any website that lets user-supplied content become part of a page; this is most often found where a site allows users to post comments. The attacker posts a comment containing malicious code that triggers a script of the attacker’s choosing. The browser of every user who visits that page (at least, every browser lacking robust security measures) will execute whatever scripts the website transmits with the page, the attacker’s included. Both the website maintainer and the website visitor are victims, because the phishers have weaponized a page for mischief the site designers never intended.
How can XSS harm the user?
Do web designers take the XSS threat seriously?
Most do, though many could do a better job of testing their sites for XSS vulnerabilities. Some consider it the user’s problem, a shortsighted policy, because anything that makes a website do the wrong thing is a problem for that site’s owner. Often the user is a customer, and a customer who learns that a site’s lax security caused him or her inconvenience or harm will most likely blame the firm or agency that owns the site.
How can users protect themselves from XSS risks?
Some browser add-ons, such as NoScript for Firefox, let the user permit or deny scripts based on their domain of origin. This has its place (it can be fascinating to see just how many different sites are firing off code to assemble the webpage that appears before one), but not everyone has the patience to restore script permissions one at a time until the one that makes the menu work happens to be enabled. Most users will want to grant blanket permission to scripts from the sites they use often.
NoScript also lets the browser refuse requests by external websites (those outside the site the user has chosen to interact with) for internal resources on the user’s computer. The refusal takes the form of a pop-up that gives the user time to ponder whether the request might be legitimate; if it is, the user may permit it.
If one keeps a record of one’s passwords, one can note when each was changed. Not many users go to this length, but a policy of changing any password three months old or older would add some protection in case one’s login were sitting in a file awaiting exploitation. Even without such records, if a password is old, consider changing it for that reason alone.
Easiest and perhaps above all: update your browser, its add-ons, your security software, and your operating system. Every day, the bad guys and gals get a little smarter. So do the good guys and gals, but in order to benefit from their most current knowledge, one must install it.
What is website spoofing?
The website spoofer scams the public by creating a fake website in the image of some legitimate site, for example resembling a bank or brokerage’s site. In some cases, the aim is parody or comedy, but other spoofs are designed to obtain users’ personal information for malicious purposes.
What methods do website spoofers use?
One very common approach involves a doppelganger of the real site, hosted under a slightly different domain name that the real site’s owner does not control. Imagine, for example, the site www.acmeintergal.com owned by Acme Intergalactic Corp. The spoofers want to lure its traffic, so they register www.acmeintergalcorp.com and mock up a rather convincing version of the real Acme website. It might not fool some longtime customers, but when it comes up in a search engine, it stands a better chance of fooling those with no firm idea of what to expect. It will probably collect some useful identity information, and some authentic acmeintergal.com logins, before legal action puts it out of business.
Another common approach, though rarely well executed, tries to lure the mark by e-mail. The bad actors make up a mass e-mail with realistic-looking logos, warnings, and notifications. It differs only in delivery from the IRS impostors who call on the phone and try to browbeat random people into sending them money. The e-mail warns the recipient to click on a link that will take them to the ‘company’ website, where the matter can be straightened out. In reality, of course, that link goes directly to a spoofed website, which will do whatever it was designed to do, usually collect the recipient’s login information.
URL cloaking is another spoofing method. The spoofer uses URL redirection or control characters in the address to make the user believe he or she is in the right place when that isn’t so.
DNS poisoning, often called cache poisoning or DNS cache poisoning, is a fiendishly clever trick that gets a DNS server to accept fiction as truth. Since the job of a DNS server is to convert domain names (e.g. companyurl.com) to the actual IP address associated with each name, this is like issuing a fake phone book with scam numbers substituted for some of the real ones. A DNS server remembers recent answers for a time, which is called “caching.” If the server’s DNS software is out of date (as an alarming proportion of the DNS software in use today is), that server may accept a fake entry as genuine and thereafter, until the cache is cleared, redirect requests somewhere the DNS server’s owner never intended.
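To make the caching described above concrete, here is an added example (not from the original article, and a simplified model rather than real DNS server code): a tiny caching resolver that serves an entry until its TTL expires and that caches nothing from a reply it did not ask for, that answers a different name, or that carries records for a zone it did not query. The company name and the IP addresses are constructed.

```python
import time
from dataclasses import dataclass

# Constructed sample data: the page's fictional company and RFC 5737
# documentation addresses. This is a hypothetical resolver model, not real DNS software.

@dataclass
class Reply:
    txid: int          # transaction id that must match the outstanding query
    qname: str         # the question this reply claims to answer
    records: dict      # name -> IP asserted by the reply (answer and "additional" data)
    ttl: int = 300     # seconds the entry may stay cached

def in_bailiwick(name, qname):
    """Simplified rule: a reply to www.acmeintergal.com may only carry
    records for acmeintergal.com and names beneath it."""
    zone = ".".join(qname.lower().split(".")[-2:])
    return name.lower() == zone or name.lower().endswith("." + zone)

class CachingResolver:
    def __init__(self):
        self.cache = {}      # name -> (ip, expiry time)
        self.pending = {}    # txid -> qname of a query this resolver actually sent

    def ask(self, qname, txid):
        self.pending[txid] = qname

    def accept(self, reply, now=None):
        """Return the names cached from this reply; a careful resolver caches
        nothing from a reply it did not ask for or that answers another name."""
        now = time.time() if now is None else now
        qname = self.pending.get(reply.txid)
        if qname is None or qname.lower() != reply.qname.lower():
            return []
        del self.pending[reply.txid]
        cached = []
        for name, ip in reply.records.items():
            if not in_bailiwick(name, qname):
                continue                   # one reply may not rewrite another zone
            self.cache[name.lower()] = (ip, now + reply.ttl)
            cached.append(name.lower())
        return cached

    def lookup(self, name, now=None):
        """Serve from cache until the TTL expires, then forget the entry."""
        now = time.time() if now is None else now
        hit = self.cache.get(name.lower())
        if hit is None or hit[1] <= now:
            self.cache.pop(name.lower(), None)
            return None
        return hit[0]
```

A resolver that skipped any of these three checks would keep handing out whatever the last reply asserted until the entry expired or the cache was flushed, which is exactly the window the text describes.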
Then there’s IP spoofing, in which a hacker’s machine pretends to be a different machine by forging the source IP address on the packets it sends so that they appear to come from that other machine. It’s not the easiest hack in the catalogue, but a determined hacker can use it to get a lot of information that is none of his or her business.
How can one avoid website spoofs?
A phony version of the real website may contain subtle mistakes, generally in English grammar or usage, and some are obvious enough to stand out to the average user. Most major companies exert great effort to look their best online, especially since an embarrassing mistake can be screen-captured and passed around for lasting amusement. These companies hire professional writers and proofreaders and do not long tolerate such mistakes in their public presentation, so a webpage riddled with English errors is always suspicious. If the writing looks a little “off,” the site may be too.
The same caution applies to an e-mail purporting to emanate from a respectable nonprofit or governmental institution, since they do not typically make such errors. However, a greater “tell” is that respectable entities almost universally avow that they will never send such e-mails. If the IRS has an issue with someone’s taxes, it sends registered mail. If your bank account has a problem, the bank writes to you. In no case will such institutions send you an e-mail asking for your login information, for precisely this reason.
Look at the URL that appears in your browser as you hover your mouse over a suspicious link on a webpage or in an e-mail. If an e-mail tells you to rescue your Megabancorp Visa account by clicking on this link, do an independent search to find the real Megabancorp Visa webpage. Call the customer service phone number listed on that page and ask whether there’s a problem. If you describe what you received or saw, they will probably congratulate you on dodging a spoof attempt.
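As an added example (not part of the original article), here is a small Python checker for the tells discussed above under lookalike domains, URL cloaking and hovering over links: it extracts the real host from a link and flags text before an ‘@’, punycode labels, non-HTTPS schemes, hidden characters, and domains that merely resemble a trusted one. The trusted domain acmeintergal.com is the page’s fictional company; the function names and thresholds are my own.

```python
from urllib.parse import urlsplit

# Constructed for this example: the page's fictional company is the only trusted domain.
TRUSTED_DOMAINS = {"acmeintergal.com"}
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u202d", "\u202e"}  # zero-width and bidi overrides

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character domain swaps (acme1ntergal)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(host):
    """Naive 'last two labels' rule; a real tool would consult the public suffix list."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def inspect_url(url, trusted=TRUSTED_DOMAINS):
    """Return (real_host, warnings) for a link the user is about to click."""
    warnings = []
    if any(ord(c) < 32 or c in INVISIBLE for c in url):
        warnings.append("URL contains control or invisible characters")
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:
        # https://acmeintergal.com@www.acmeintergalcorp.com/ goes to the host after the '@'
        warnings.append(f"text before '@' is not the host; the real host is {host!r}")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode label: the displayed name may use lookalike characters")
    scheme = parts.scheme or "none"
    if scheme != "https":
        warnings.append(f"scheme is {scheme}, not https")
    domain = registrable_domain(host)
    if domain not in trusted:
        for good in trusted:
            brand = good.split(".")[0]
            if brand in domain or edit_distance(domain, good) <= 2:
                warnings.append(f"{domain!r} resembles trusted domain {good!r} but is not it")
    return host, warnings
```

An empty warning list only means none of these specific tells fired; a domain that is simply unknown still deserves the independent search the text recommends.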
Lastly, be observant. Anything that sounds strange should raise red flags, whether you encounter it as a search engine result or in an e-mail. If something doesn’t feel right, it probably isn’t. And when in the slightest doubt, use an independent resource to find the company or agency’s contact information, and ask the organization to clarify. Most would far rather have you do that than be taken in by an impostor.
Website forgery and phishing go hand-in-hand. Phishing scams often involve website forgery in their arsenal of tools. One key to knowing how to thwart this sneaky approach is to know what you and your colleagues need to be watching for. SecurityIQ’s PhishSim service allows you to run simulated phishing attacks on your friends, family, or employees, helping them to become savvier at detecting suspicious activity, while helping you to see who in your network needs the most information.
What does the future hold for website forgery?
We can’t be sure. We can assume that smart thieves, often beyond the physical reach of effective legal restraint or threat, will continue to use their skills and creativity for new forms of theft. If something looks or feels odd, weird, or doesn’t really make sense, you may be experiencing the latest evolution of this phishing strategy. Think before you click; submit a login only where you are sure it’s safe; distrust and check out whatever seems strange. The methods will change, but the cautionary reflex will refine over time.