Website spoofing

From Wikipedia, the free encyclopedia
Jump to: navigation, search

Website spoofing is the act of creating a website, as a hoax, with the intention of misleading readers that the website has been created by a different person or organization. Normally, the spoof website will adopt the design of the target website and sometimes has a similar URL.[1] A more sophisticated attack results in an attacker creating a "shadow copy" of the World Wide Web by having all of the victim's traffic go through the attacker's machine, causing the attacker to obtain the victim's sensitive information.[2]

Another technique is to use a 'cloaked' URL.[3] By using domain forwarding, or inserting control characters, the URL can appear to be genuine while concealing the address of the actual website.

The objective may be fraudulent, often associated with phishing or e-mail spoofing, or to criticize or make fun of the person or body whose website the spoofed site purports to represent. Because the purpose is often malicious, "spoof" (an expression whose base meaning is innocent parody) is a poor term for this activity so that more accountable organisations such as government departments and banks tend to avoid it, preferring more explicit descriptors such as "fraudulent" or "phishing".[4]

As an example of the use of this technique to parody an organisation, in November 2006 two spoof websites, and, were produced claiming that Microsoft had bought Firefox and released Microsoft Firefox 2007.[5]


A variety of techniques are used in website spoofing. Most techniques involve creating websites that are designed to look and act the same as the target website.[6] More sophisticated attacks involve javascript and web server plug-ins. First, a victim is infected through a malicious website or infected email. A web browser is displayed on the victim's machine that matches the look of the normal web browser. Then, in this infected window, all traffic is sent through a malicious server, allowing the server to intercept information, possibly containing passwords, usernames, and sensitive data. As long as the victim uses the infected browser, the malicious server intercepts all information while still preserving a normal web experience, so the victim is unable to detect the attack.[7]

How to identify[edit]

One of the main types of website spoofing occurs on websites that have anything to do with money. For example, any website one might use for banking, buying, selling or transferring money, may be subject to website spoofing. When using any website where a credit number must be entered, one of the first steps to identifying a spoofed website is making sure the website is secured with SSL/TLS. This means that it has “Secure Sockets Layer/Transport Layer Security”. SSL is used to verify the identity of the server. If the website does not have SSL, it is most likely a spoof.

The best way to prevent spoofing is to avoid using hyperlinks. For example, instead of using a link attached in an email, type the website’s address into the address bar yourself. One additional tip to avoid spoofing is to avoid using the same password for every website.[8]

How to respond to website spoofing[edit]

There exist procedures that can be undergone in response to a spoofed website, which will help mitigate risks. These procedures will, in theory, eliminate the threat of identity theft and financial fraud.

Mitigating the risk of website spoofing can done in the following ways. Firstly, educating customers on how to be aware of a spoof can be helpful. This can be done with website alerts that explain and warn about various internet-related scams.[9] If possible, certain employees should be assigned to monitor the site and make sure there are not fraudulent sites being created. If a fraudulent site is found, these employees are responsible for responding correctly.

The most common method of detecting a fraudulent site is encountering emails that return to a websites mail server, but were not sent by the website. A large increase in customer calls or contact to the website in general is also sometimes a sign that a website is being spoofed.[10]

If it has been determined that a site has been targeted for spoofing, gathering information is necessary. This information will help identify the fraudulent website, determine whether customer information has been obtained, and assist law enforcement agencies in any investigation.[9] It is also imperative to communicate promptly with the internet service provider (ISP)— responsible for hosting the fraudulent website demanding it be taken down. Contact the domain name registrars with the same intention, and demand the incorrect use of trademarks ends immediately.[10] If necessary, contact the Federal Bureau of Investigation.

Examples of website spoofing[edit]

Phil Bradley, a former British librarian, turned Internet Consultant[11] has put together a reference list for website spoofs that he knows are in fact not reliable websites. Bradley has divided his list into two categories, Scientific and Commercial.[12]

In the scientific portion of Bradley's list he includes websites that want you to donate to Dihydrogen Monoxide Research, save an endangered species known as the tree octopus , and sells an anti-effeminant drug called Hetracil .[12]

Bradley also includes websites that were intended to sell products to customers. Website spoofs include a site selling exotic animals as food, a site offering free electricity just for signing up to witness a technology demonstration, and one selling dehydrated water .[12]

Another example of an obvious fake website is the online pregnancy test.[12]

See also[edit]