Website spoofing


Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers into believing that the website has been created by a different person or organization. Normally, the spoof website will adopt the design of the target website and sometimes has a similar URL. In a more sophisticated attack, the attacker creates a "shadow copy" of the World Wide Web by having all of the victim's traffic go through the attacker's machine, which lets the attacker obtain the victim's sensitive information.
Another technique is to use a 'cloaked' URL. By using domain forwarding, or inserting control characters, the URL can appear to be genuine while concealing the actual address of the malicious website. Punycode can also be used for this purpose. Punycode-based attacks exploit characters from different writing systems that look alike in common fonts. For example, in one large font, the Greek letter tau is similar in appearance to the Latin lowercase letter t. However, the Greek letter tau is represented in Punycode as 5xa, while the Latin lowercase letter is simply represented as t, since it is present in ASCII. In 2017, a security researcher managed to register the domain xn--80ak6aa92e.com and have it show in several mainstream browsers as apple.com. Although the characters used did not belong to the Latin script, the default font in those browsers rendered them indistinguishable from Latin characters.
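The following check is an added example, not part of the original article: it decodes Punycode labels, reports which scripts they use, and flags labels that fold to a protected name. The confusables table, the PROTECTED watchlist and all function names are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately tiny look-alike table (Cyrillic/Greek -> Latin).
# A production check would use the full Unicode confusables data (UTS #39).
CONFUSABLES = {"\u0430": "a", "\u0440": "p", "\u04cf": "l", "\u0435": "e",
               "\u043e": "o", "\u0441": "c", "\u03c4": "t"}
PROTECTED = {"apple"}  # hypothetical watchlist of brand labels to protect


def decode_label(label):
    """Return the Unicode form of one DNS label; 'xn--' marks a Punycode label."""
    if label.lower().startswith("xn--"):
        return label[4:].lower().encode("ascii").decode("punycode")
    return label


def scripts(text):
    """Approximate each letter's script by the first word of its Unicode name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0]
                   for ch in text if ch.isalpha()})


def skeleton(text):
    """Fold known look-alike characters to the Latin letter they resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in text.lower())


def inspect_hostname(host):
    """Report each non-ASCII label: decoded form, scripts, and brand collisions."""
    findings = []
    for raw in host.rstrip(".").split("."):
        text = decode_label(raw)
        if text.isascii():
            continue  # plain ASCII labels cannot hide a foreign-script look-alike
        used = scripts(text)
        folded = skeleton(text)
        findings.append({
            "label": raw,
            "decoded": text,
            "scripts": used,
            "mixed_script": len(used) > 1,
            "imitates": folded if folded in PROTECTED else None,
        })
    return findings


if __name__ == "__main__":
    for name in ("xn--80ak6aa92e.com", "xn--5xa.example", "apple.com"):
        print(name, inspect_hostname(name))
```

The 2017 domain is a single-script (all Cyrillic) label, so a mixed-script test alone does not catch it; the fold-and-compare step against the watchlist does.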
The objective may be fraudulent, often associated with phishing or e-mail spoofing, or to criticize or make fun of the person or body whose website the spoofed site purports to represent. Because the purpose is often malicious, "spoof" is a poor term for this activity, and more accountable organisations such as government departments and banks tend to avoid it, preferring more explicit descriptors such as "fraudulent" or "phishing".
As an example of the use of this technique to parody an organisation, in November 2006 two spoof websites, www.msfirefox.com and www.msfirefox.net, were produced claiming that Microsoft had bought Firefox and released "Microsoft Firefox 2007."

Prevention tools

Anti-phishing software

Spoofed websites predominate in efforts to develop anti-phishing software, though there are concerns about their effectiveness. A majority of efforts are focused on the PC market, leaving mobile devices lacking. The table below shows that few user studies have been run against the current tools in the market.
| Tool | Communication media | Device | Countermeasure type | Performance metrics | User study conducted? |
|---|---|---|---|---|---|
| Anti-phish | Website/browser add-on | PC | Profile matching / usage history | - | - |
| BogusBiter | Website/browser add-on | PC | Client server authentication | Page load delay | No |
| Cantina+ | Website/browser add-on | PC | Machine learning / classification | TPR ≈ 0.92, FPR ≈ 0.040 | No |
| Quero | Website/browser add-on | PC | Text mining / regular expressions | - | - |
| Itrustpage | Website/browser add-on | PC | Profile matching / blacklist | Accuracy = 0.98 | Yes |
| SpoofGuard | Website | PC | Profile matching / pattern | TPR ≈ 0.972, Accuracy ≈ 0.67 | No |
| PhishZoo | Website | PC | Profile matching / pattern | Accuracy ≈ 0.96, FPR ≈ 0.01 | No |
| B-APT | Website | PC | Machine learning / classification | Page load delay ≈ 51.05 ms, TPR ≈ 1, FP ≈ 0.03 | No |
| PhishTester | Website | PC | Profile matching / pattern | FNR ≈ 0.03, FPR ≈ 0 | No |
| DOM AntiPhish | Website | PC | Profile matching / layout | FNR ≈ 0, FPR ≈ 0.16 | No |
| GoldPhish | Website | PC | Search engines | TPR ≈ 0.98, FPR ≈ 0.02 | No |
| PhishNet | Website | PC | Profile matching / blacklist | FNR ≈ 0.05, FPR ≈ 0.03 | No |
| PhorceField | Website | PC | Client server authentication | Bits of Security Lost per user = 0.2 | Yes |
| PassPet | Website | PC | Profile matching / usage history | Security and Usability | Yes |
| PhishGuard | Website | PC | Client server authentication | - | - |
| PhishAri | Social network | PC | Machine learning / classification | Precision = 0.95, Recall = 0.92 | Yes |
| MobiFish | Mobile | Smart Phone | Profile matching / layout | TPR ≈ 1 | No |
| AZ-protect | Website | PC | Machine learning / classification | Precision = 0.97, Recall = 0.96 | No |
| eBay AG | Website/browser add-on | PC | Machine learning / classification | Precision = 1, Recall = 0.55 | No |
| Netcraft | Website/browser add-on | PC | Profile matching / blacklist | Precision = 0.99, Recall = 0.86 | No |
| EarthLink | Website/browser add-on | PC | Profile matching / blacklist | Precision = 0.99, Recall = 0.44 | No |
| IE Filter | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.75 | No |
| FirePhish | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.77 | No |
| Sitehound | Website/browser add-on | PC | Profile matching / blacklist | Precision = 1, Recall = 0.23 | No |

DNS filtering

DNS is the layer at which botnets control drones. In 2006, OpenDNS began offering a free service to prevent users from reaching spoofed websites. Essentially, OpenDNS has gathered a large database from various anti-phishing and anti-botnet organizations, as well as its own data, to compile a list of known website spoofing offenders. When a user attempts to access one of these bad websites, they are blocked at the DNS level. APWG statistics show that most phishing attacks use URLs, not domain names, so there would be a large amount of website spoofing that OpenDNS would be unable to track. At the time of release, OpenDNS was unable to prevent unnamed phishing exploits that sit on Yahoo, Google, etc.