Spoofstick

[Frank Bohan]

<quote>
What is SpoofStick?
SpoofStick is a simple browser extension that helps users detect spoofed
(fake) websites. A spoofed website is typically made to look like a well
known, branded site (like ebay.com or citibank.com) with a slightly
different or confusing URL. The attacker then tries to trick people into
going to the spoofed site by sending out fake email messages or posting
links in public places - hoping that some percentage of users won't notice
the incorrect URL and give away important information. This practice is
sometimes known as "phishing".
</quote>

Two versions are available, for Internet Explorer and Firefox:
http://www.corestreet.com/spoofstick/internet_explorer.html
http://www.corestreet.com/spoofstick/firefox.html

===

Frank Bohan
¶ The principal singer of nineteenth century opera was called pre-Madonna.

 

[Vrodok the Troll]

On Sat, 29 May 2004 15:53:57 +0100, in alt.comp.freeware, the personage of
"Frank Bohan" <[email protected]>, courtesy of Message-id

<quote>
What is SpoofStick?
SpoofStick is a simple browser extension that helps users detect spoofed
(fake) websites. A spoofed website is typically made to look like a well
known, branded site (like ebay.com or citibank.com) with a slightly
different or confusing URL. The attacker then tries to trick people into
going to the spoofed site by sending out fake email messages or posting
links in public places - hoping that some percentage of users won't notice
the incorrect URL and give away important information. This practice is
sometimes known as "phishing".
</quote>

Two versions are available, for Internet Explorer and Firefox:
http://www.corestreet.com/spoofstick/internet_explorer.html
http://www.corestreet.com/spoofstick/firefox.html

Thank you

 

[Antoine]

<quote>
What is SpoofStick?
SpoofStick is a simple browser extension that helps users detect
spoofed (fake) websites. A spoofed website is typically made to
look like a well known, branded site (like ebay.com or
citibank.com) with a slightly different or confusing URL. The
attacker then tries to trick people into going to the spoofed site
by sending out fake email messages or posting links in public
places - hoping that some percentage of users won't notice the
incorrect URL and give away important information. This practice
is sometimes known as "phishing".
</quote>

Thanks Frank. Do you know how SpoofStick works to determine whether
a site is a phishing site ? IMHO, either the phising sites are stored in
the application itself (the latter needing than to be regularly
updated) or the application phones home to get this list of phishing sites.

 

[Art Iculos Libres]

Thanks Frank. Do you know how SpoofStick works to determine whether
a site is a phishing site ? IMHO, either the phising sites are stored in
the application itself (the latter needing than to be regularly
updated) or the application phones home to get this list of phishing sites.

It's not that complicated as far as I can tell. It simply looks at the URL
to determine whether a spoof attempt is being made. For example, if you
want to visit www.legitsite.com, Spoofstick would display "legitsite" as
the domain, giving you a warm & fuzzy that at least the link appears to
take you where intended. However, if the URL was
[email protected], Spoofstick would inform you that you were
actually being taken to domain 000.0.0.0. This is something that can easily
be done by looking at the URL yourself, but SpoofStick's suggestion is that
some of these URLs can get long and complex, thus making it difficult to
determine visually if it's legit or not.

Another reason I think this thing is just a waste of computing power is
that IE was updated with a security patch a while back that disallows this
type of URL syntax, thus preventing a URL spoof of this type unless you
specifically modify a registry key to allow it to happen:

http://support.microsoft.com/?kbid=834489


Am I missing something?

 

[Antoine]

It's not that complicated as far as I can tell. It simply looks at
the URL to determine whether a spoof attempt is being made. For
example, if you want to visit www.legitsite.com, Spoofstick would
display "legitsite" as the domain, giving you a warm & fuzzy that
at least the link appears to take you where intended. However, if
the URL was [email protected], Spoofstick would inform
you that you were actually being taken to domain 000.0.0.0. This
is something that can easily be done by looking at the URL
yourself, but SpoofStick's suggestion is that some of these URLs
can get long and complex, thus making it difficult to determine
visually if it's legit or not.

You are right but aren't there any phishing sites not using any
trick in the url but rather copying the existing bank domain name.
Something like :

legitimitate bank site : http://www.westernbank.com
phishing bank site : http://www.westernbankunion.com

Another reason I think this thing is just a waste of computing
power is that IE was updated with a security patch a while back
that disallows this type of URL syntax, thus preventing a URL
spoof of this type unless you specifically modify a registry key
to allow it to happen:

http://support.microsoft.com/?kbid=834489

I agree.

 

[Art Iculos Libres]

You are right but aren't there any phishing sites not using any
trick in the url but rather copying the existing bank domain name.
Something like :

legitimitate bank site : http://www.westernbank.com
phishing bank site : http://www.westernbankunion.com

<snip>

There are many, many ways to "spoof" and "phish" (the way I see it, people
generally spoof to phish, don't they?), but SpoofStick only works on the
particular URL syntax I described above. In your phishing example, I
believe SpoofStick would just report that you are visiting domain
"westernbankunion", and if you didn't know that wasn't the real site, as
opposed to domain "westernbank", you would remain as oblivious to the
blunder as you would if SpoofStick were not running.

Again, someone may correct me if I'm misunderstanding SpoofStick...but it
really seems useless from what I can gather from the website description.

BTW, check this example of more sophisticated spoofing / phishing:
http://www.antiphishing.org/news/03-31-04_Alert-FakeAddressBar.html

 

[Aaron]

Another reason I think this thing is just a waste of computing power
is that IE was updated with a security patch a while back that
disallows this type of URL syntax, thus preventing a URL spoof of this
type unless you specifically modify a registry key to allow it to
happen:

http://support.microsoft.com/?kbid=834489


Am I missing something?

People using Firefox for one.



Aaron (my email is not munged!)