
[Graphic: Getting Connected]
What Is Web Spoofing?


Web spoofing is the act of secretly tricking your Web browser into talking to a different Web server than you intend. How? By attacking the DNS (domain name system) that maps the "www.site.com" in a URL to a network address, or by modifying a Web page to have a bad URL, or by tricking your browser as it interprets CGI data, JavaScript, etc.

After your browser has been fooled, the spoofed Web server can send you fake Web pages or prompt you to provide personal information such as your login ID, password, or even credit card or bank account numbers. If done carefully, you probably will not even notice that you have been duped.

How to Spot a Spoofed Page

Some Web spoofing may be noticeable, so it is helpful to keep these tips in mind:

Unfortunately, clues to a Web spoofing attack can be hidden if the attacker is using JavaScript (which can write to the status line and rewrite location line URLs) or a similar program that makes all requests for a particular URL go to the attacker's system. After obtaining the desired information, the spoofed Web site might even send you to the correct site.

Another way to think about Web spoofing is to be aware of where a link goes--whether to a place you expected or to someplace odd.

Private Information Requests

If Web pages with which you are familiar suddenly ask you to fill in private information, weigh the situation carefully before supplying it. If possible, call or send mail to the official source to verify that this change is legitimate. When in doubt, do not enter any information you feel uncomfortable providing.

Even a secure "https" connection (with Secure Sockets Layer) does not guarantee against surveillance or modification of information you send. If you are already connected to the attacker's system, you may simply be securely connected to the Web spoofer's server.

What to Do

If you think you are a victim of a Web spoof, report it to the official source of the page by phone or via an email address that you know to be correct. If you have been tricked into supplying your password, you should change it immediately.

To learn more about Web spoofing, start with this Web site: "Web Spoofing: An Internet Con Game" at bau2.uibk.ac.at/matic/spoofing.htm



University of Washington Computing & Communications
Windows on Computing, No. 22, Winter 1999
newsltr@cac.washington.edu