Identity theft topped the list of consumer complaints about fraud, according to the U.S. Federal Trade Commission’s annual report for 2005, accounting for 255,000 of the more than 686,000 complaints filed with the agency in 2005 (www.ftc.gov/opa/2006/01/toptenhtm). A prepared statement by the FTC to the U.S. House of Representatives March 30, 2006 [11] said identity theft victimizes nearly 10 million Americans, with costs to businesses and consumers of almost $53 billion in 2003, a 79% increase over 2002 [9].
The phenomenon of Web spoofing, or creating hoax Web sites that closely mimic real sites in order to extract personal financial information from unwary Web visitors, is an increasingly popular form of online scam that contributes to identity-based credit and financial fraud and threatens to undermine consumer confidence in Internet shopping and banking [3]. The FBI has referred to spoofing as “the hottest, and most troubling, new scam on the Internet … contributing to a rise in identity theft, credit card fraud, and other Internet frauds” [2]. Approximately 30 such hoax attack sites are detected each day, even as many more go undetected [12].
Major U.S. businesses and government Web sites (such as BestBuy [5], eBay, PayPal [10], the Internal Revenue Service [8], and the Massachusetts State Lottery), as well as several banks (Citibank being the most frequently targeted [4]), report being victimized. Records of attacks and statistics are available through www.antiphishing.org, a Web site maintained by the Anti-Phishing Working Group, an industry association that aims to eliminate the identity theft and fraud that result from phishing and email spoofing. It was founded by Tumbleweed Communications along with a number of member banks, financial service institutions, and e-commerce providers. In 2003, Amazon.com, eBay, McAfee Security, Microsoft, Verisign, Visa, and other online retailers formed the Coalition on Online Identity Theft, aiming to raise awareness and educate the public about the growing threat of Web spoofing and how to defend against it [9]. It works with the FTC, the U.S. Department of Justice, and other federal, state, and local law enforcement agencies to design policies, enforcement methods, and penalties against online scams.
Their seriousness is reflected in the close collaboration between the FBI and victimized businesses throughout the U.S. [2], as well as in two bills passed in 2004 by the House of Representatives—the Securely Protect Yourself Against Cyber Trespass, or SPY, Act (HR 2929) and the Internet Spyware Prevention, or I-SPY, Act (HR 4661); in both, phishing (an integral part of spoofing) was listed among the prohibited scam activities.
My aim here is to establish a spoofing research agenda, outlining the technological principles enabling the phenomenon. Included is a comprehensive analysis of two sophisticated attacks—PayPal (April 2004) and Citibank (November 2004)—along with common attack features and effective client-side defense strategies.
The typical cycle of this type of Internet fraud involves two distinct phases: spoofing followed by phishing. In a spoof attack, a fake Web site is designed to look like a legitimate Web site, sometimes using its components or whole pages copied from the original. Advanced client technologies allow the “shadow copy” to forge some of the browser’s cues that determine the original site’s authenticity. The most sophisticated such attacks mimic the authentic URL in the address, status, and title bars of a Web browser.
Phishing directly targets online users through a process initiated when the spoofing phase is completed. It usually begins with a bulk email campaign to Internet users or through a link posted on discussion-group sites or chat rooms. Users are told there are problems with their account(s). The message is written to sound alarming (such as “the account is suspended,” “account abuse is noticed,” or “there are problematic activities”) and urges recipients to visit the site to confirm their identity. They are made to feel they must rush to fix the “account problem” and ignore the fraudulent format and content of the message or Web site. Phishing aims to make users believe they are receiving email from a trusted source or are securely connected to a trusted Web site when the converse is true.
The attacker usually creates a link to the fake (spoofed) Web site, but the URL of the legitimate Web site, through link alteration, is displayed instead. Following the link by clicking on it in the email message, victims connect to the spoofed site. Once they enter username/password—thinking they are at an authentic site—the attacker is able to record all of their activities and retrieve their sensitive personal information. The attacker may then use it to withdraw money from their accounts or cause harm in other ways, including identity theft.
In spoofing fraud, both legitimate businesses and their customers are victims. The businesses’ Web sites are copied in order to lure their customers into the fake ones; the customers give credit card and other sensitive information to defrauders, thus increasing the likelihood of financial fraud and loss.
A variant of phishing—domain hijacking—is another way to divert Internet traffic intended for legitimate Web sites toward spoof Web sites. Major U.S. companies (such as Adobe, Microsoft, Nike, and Yahoo) have all experienced it. An attacker finds a way to send a command to the DNS servers to alter the IP addresses in the DNS databases, thereby pointing traffic intended for one domain to another domain chosen by the attacker. Because it has fooled the DNS server into believing it is a trusted host, the DNS server allows the update. All traffic querying the DNS server for the real Web site is redirected to the spoof site.
Technology Flaws
The SMTP and HTTP protocols both have flaws that allow for spoofing, while scripting and other client technologies pose threats to e-commerce [6, 7]. From a broader perspective, Web spoofing takes advantage of weak email and Web-site authentication. Email flaws allow for “email spoofing” where the header of an email message appears to have originated from someone or somewhere other than its actual source [7]. Advanced content technologies (such as ActiveX controls, Java applets, and JavaScript) allow spoofers to create pages and email messages that mislead users into giving away their data, especially when it involves their finances. In addition, few users check server security certificates or question the details of the personal information they’re being asked to provide.
In a notorious PayPal attack (April 2004), the spoof site was identical to PayPal’s real site, including the same graphics, layout, and text. Many pages were meticulously copied, including “Report a Spoof” and “Avoid Fake Web Sites” pages. All the links from the home page appeared to function normally and did not leave the spoof Web site (see Figure 1). The Web site also handled the registration of new users, with pop-up “Help” windows, including graphic verification against mass batch registration (see Table 1). With a database-driven registration, newly registered users who later provided inaccurate authentication would be redirected to a page requesting faxed information with photocopies of valid IDs and financial statements and invoices (see Figure 2).
Moreover, showing elaborate technological sophistication, the spoof site was able to register victims on the real PayPal Web site, as confirmed by my own experiment trying to register on the spoof site in April 2004. In the final step of the registration, control was passed to the real PayPal Web site, allowing new users to transfer money and manage a new account. The cookie placed on the client by the authentic PayPal Web site contained the same email address used in the spoof site registration. A successful login at PayPal’s authentic site with the email/password registered at the spoof site confirmed that a real PayPal account had been created. Since the registration originated on the spoof site, all the personal data had been captured by the defrauders, granting them access to and allowing them to potentially abuse the newly created PayPal account.
Phishing aims to make users believe they are receiving email from a trusted source or are securely connected to a trusted Web site when the converse is true.
For existing PayPal users, authentication against the real PayPal database was not possible since defrauders lacked access to it. Thus, arbitrary email and passwords can be entered on the login page. Upon “logging in,” users arrive at the “Verify Information” page, where they were asked detailed personal information, as in Figure 2. The spoof site login page included a “Forgot Your Password?” page, where unsuspecting legitimate users could enter their email addresses, with a subsequent Web page notifying them that an email message with the password had been sent. However, no such email would ever be received, since the defrauders had no way of knowing the authentic PayPal password for existing users.
Table 1 outlines the technological principles used to cover the spoofer’s tracks and prevent legitimate users from detecting the deception. Included are several giveaways, with screenshots provided as needed. Recent versions of spoof sites display “login failure” messages so as not to raise user suspicion if the user has typed arbitrary letters. This may give the impression that the Web site is authentic and indeed does check passwords, prompting them to divulge their personal data.
Widely published advice on how to identify and protect from deception becomes obsolete quickly, as defrauders learn from their mistakes and improve their techniques. Substantial technological improvements distinguish recent spoof sites compared to their predecessors from even only a year ago. For example, Microsoft (www.microsoft.com/athome/security/ email/phishing.mspx), the FBI [2], and the IRS (www.irs.gov/newsroom/article/0. .id=155682,00.html), as well as other recently publicized cases [5], recommend ways to spot scams through their flaws:
- Authentic sender’s domain. One way to spot a scam is to watch the sender’s domain. The bogus email message’s “From” field (the sender’s address) lacks the authentic domain (such as @bestbuy.com) from which it claims it was sent. This flaw was eliminated in the PayPal (where email was read as being from service@paypal.com) and Citibank spoof cases;
- Fake URL. The link in the message directs users to a page under a completely different domain name, using the authentic site’s URL as a substring or containing IP addresses or suspicious usernames. This flaw did not apply to the PayPal spoof, because a JavaScript code hijacked the browser’s URL bar in Table 1 and displayed the URL of the authentic site. In the Citibank attack, however, the URL failed to overlap the authentic address bar, appearing just below it—a very obvious sign of a hoax Web site (see Figure 3); and
- Sloppiness, spelling mistakes, bad English. The PayPal spoof case was a complex and perfect mirror of the authentic site.
Conclusion
While most protection recommendations issued by the government and by major software vendors become obsolete as spoof sites and their masters improve their technological ability to deceive unwary users, the best way for users to avoid being victimized is to simply be aware of the spoofing phenomenon and its consequences. Awareness was identified in [6] as a major predictor of users’ preventive practices and their attitude and behavior toward potentially harmful technologies, including spyware, viruses, and spoofing.
The most effective protection for the individual user is to make a rule never to log into a Web site by accessing it from a link residing in an email message or on an untrusted Web site (such as a discussion board or chat room). The best way to safely login to an e-commerce Web site is to open the browser and type the URL on the address bar (see Table 2). The DNS hijacking spoof is the only type of online fraud that cannot be prevented through this precaution. However, DNS hijacking is increasingly rare as DNS server robustness and security improve.
Spoof frauds cause significant business, personal, and social damage. The anonymous Internet environment, along with database-driven information systems, facilitate and optimize e-commerce customers’ online activity. Ironically, these e-commerce elements have also created an environment that is conducive to identity theft. Identifying a person through a multiple-digit ID number makes it easier to find a way to get the ID that unlocks an account than to steal from a physical location. Increased online identity theft risks customer disillusionment, weakened brand loyalty, and resistance to e-commerce.
There are two major fronts in the fight against spoofing: increased public awareness and research into new technologies that help consumers identify spoof sites. Each involves educating organizations and the public to protect themselves when going online. Until more robust spoof-guard technologies and regulatory mechanisms eliminate spoofing and phishing as threats, “in the world of online banking and e-commerce, the price to be paid for personal security is eternal vigilance” [1].
Figures
Figure 1. PayPal (April 2004) spoof site (screenshots rescaled). Fake PayPal URL appears directly over the Internet Explorer address bar, but the IE icon overlaps the first two letters (ww) of the URL in the top screenshot. The Web page on the bottom is reached if a newly registered user is unsuccessful logging in.
Figure 2. PayPal (April 2004) spoof Web site. After the user “logs in,” the site describes the steps for “reinstating an account” (top screenshot). On the bottom, it provides a pop-up window “Why PIN is required” to enhance the site’s credibility and authenticity. Giveaways: In the bottom screenshot, if the browser’s preferences are set to prompt for cookies, the cookie-prompt box displays the real URL; the status bar (in the top screenshot) shows the real URL while loading the Web page.
Figure 3. Citibank (November 2004) spoof site (screenshot rescaled). Depending on the the Google toolbar installed, the fake address bar fails to overlap the true IE address bar, appearing below it, an obvious giveaway.
Join the Discussion (0)
Become a Member or Sign In to Post a Comment