T 5.87 Web spoofing

Within the framework of web spoofing, an attacker forges an existing website, i.e. he designs one of his own websites in such a way that it looks like the website of a known organisation. The already existing website that was reproduced is not changed in so doing, but continues to be available in its genuine form. With the help of different tricks, the attacker then tries to lure users to the website he put on the web.

To do so, he may select its web address in such a way that a large number of users assume they are connected to a certain organisation simply because of the address they entered. For example, he may register a site where the host name is identical to the one of the original website, but where the top level domain was changed. However, he may also try to use an address containing frequent typing errors ("Typosquatting") and lure the users to the forged site this way.

Another possibility is to distribute manipulated links. Different character sets and similarly looking letters can be used in order to create deceptively authentic links. For example, figures looking like letters at the first glance or similar letters may be used. Along with the hardly discernible difference between "I" (capital "i") and "l" (lower case "L"), similarly looking letters may also be used. This, for example, includes the Latin and the Cyrillic writing style of the letter "a", which looks similar but is coded differently.

Users may also be provided with addresses not identical to those addresses the link would lead to. For example, the URL of the trustworthy site may be displayed although the link leads to a forged site by using a HTML link. Another option is to prefix the user name and the password to the site name in the URL. Users not familiar with this writing style assume that they are directed to the website specified as user name/password, although the actually used host name is contained significantly more towards the end of the URL.

Examples:

• The XY bank uses the URL www.xy-bank.de for its website. An attacker creates a website under the URLs www.xybank.de or www.xy-bank.com that is similar to the one of the XY bank at first glance. Additionally, the attacker ensures that these addresses can be found by XY customers using search engines.
  
  Users calling this web site will assume that they are communicating with the web server of their bank. For this reason, they are willing to enter their account numbers, PINs, or other access codes.
• The website whitehouse.com experienced an eventful history. However, this website never was the internet presence of the U.S. White House , as many users initially assumed, but contained changing commercial or pornographic content.
• The two URLs www.BSI.bund.de and www.BSl.bund.de seem to be identical at the first glance at least. Only upon closer inspection it becomes obvious that only the first URL leads to the internet presence of the German Federal Office for Information Security. In the second link, the capital "I" was replaced by the number 1.