Spoofing

by Steven Gigantino


Abstract

This paper will talk about the many ways that spoofing is used in today's world using computer technology. It will discuss the types of spoofing that exist and how they are deployed. It will include recent cases of spoofing attacks and the financial losses resulting from these attacks. Also discussed will be what all of us can do to try and protect ourselves from being spoofed and what further work is being done to try and reduce the effects of this major type of attack.


Introduction

For many years, criminals have tried to hide their true identity by creating aliases for themselves or using disguises to alter their physical appearances so no one would be able to recognize them. Whether it was to rob a bank or cash a stolen check, these criminals have always tried to evade law enforcement by concealing their identities. Computer spoofing or "phishing" is the same idea, but instead of using physical items such as fake beards and wigs, today's computer spoofers use tools such as computers to carry out many criminal activities.

Besides spoofing computers, criminals have also tried to spoof people in other ways. There have been many cases where criminals have set up fake ATM machines in places such as shopping malls. The unsuspecting victim would try to use the ATM machine only to have their card either eaten by the machine or spit back out after an apparent malfunction. But at that point the criminal would already have enough information, such as a PIN number and other data, to use the victim's financial information for their personal gain. Spoofing is becoming very widespread in today's world and is quickly becoming one of the most common attack methods. Millions of dollars are lost each year to these kinds of attacks, and that figure has grown considerably in recent years.


What is Spoofing

Spoofing is creating false or misleading information in order to fool a person or system into granting access or information not normally available. [1] IP Spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. [2] There are many types of IP spoofing attacks. These attacks include but are not limited to Man-in-the-middle attacks, SYN Flood, DNS Spoof, Ping Storm, Ping of Death, smurf, Syndrop, TearDrop2, and Fragment overlap. The list goes on and on. It seems that new ways to spoof people are being created on almost a daily basis. The following types of spoofing attacks are more commonly being used.


Types of Spoofing

E-Mail Spoofing

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source [3]. Spammers use spoofing in an attempt to get the intended target to open their spam. Spoofing can be done legally but only if you spoof yourself. If you try to spoof anyone else besides yourself, then it becomes illegal. Legitimate uses can include someone who fears retaliation reporting criminal activity, or reporting things such as child abuse. The person doing the spoofing is trying to cover up the source address so the recipient does not know the true identity of the person sending the e-mail.

E-mail spoofing is possible because Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, does not include an authentication mechanism. [3] The people who send spoofed e-mail insert commands in the e-mail headers that change the message information. They can send a message and make it appear to be from anyone, anywhere, saying virtually anything that they want it to say, all the while making it seem to come from the victim's e-mail address. While most e-mail spoofing is generally harmless, some can be very dangerous, such as someone pretending to be in a position of authority asking for private information such as financial information, personal credit card numbers or passwords. E-mail spoofing is one of the more common types of spoofing attacks used today.
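Because SMTP itself does not verify the sender, a recipient has to compare the headers against each other. The following is an added example, not part of the original paper: it checks the displayed From address against the envelope sender, the Reply-To address and the SPF/DKIM/DMARC verdicts in an Authentication-Results header, mechanisms the paper does not discuss. The host name mx.recipient.example, the sample messages and the finding names are constructed for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the identifier our own receiving mail server stamps on the
# Authentication-Results headers it adds (hypothetical name).
TRUSTED_AUTHSERV = "mx.recipient.example"


def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def related(a, b):
    """True if the domains are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def header_findings(raw_message, trusted_authserv=TRUSTED_AUTHSERV):
    """Return a list of reasons the visible sender may be forged."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    if not from_dom:
        return ["from-unparseable"]
    findings = []

    # Envelope sender (copied into Return-Path at delivery) vs. displayed From.
    rp_dom = domain_of(msg.get("Return-Path"))
    if rp_dom and not related(rp_dom, from_dom):
        findings.append("return-path-mismatch")

    # Replies silently diverted to a different domain.
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and not related(reply_dom, from_dom):
        findings.append("reply-to-mismatch")

    # Only trust verdicts from a header our own server added: the sender can
    # write any Authentication-Results line into the message.
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", results.lower()):
            if verdict in ("fail", "softfail"):
                findings.append(f"{method}-{verdict}")
    return findings


# Constructed sample messages (not real mail).
LEGIT = """\
Return-Path: <statements@mail.bank.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=mail.bank.example; dkim=pass header.d=bank.example
From: "Example Bank" <statements@bank.example>
To: customer@recipient.example
Subject: Your statement is ready

Body.
"""

SPOOFED = """\
Return-Path: <bounce@bulk-host.example>
Authentication-Results: mx.recipient.example; spf=pass smtp.mailfrom=bulk-host.example; dkim=none; dmarc=fail header.from=bank.example
Authentication-Results: mx.bank.example; spf=pass; dkim=pass
From: "Example Bank Security" <security@bank.example>
Reply-To: verify@bank-billing.example
To: customer@recipient.example
Subject: Your billing information is temporarily unavailable

Body.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(label, header_findings(raw))
```

The second Authentication-Results line in the spoofed sample claims a pass but carries a foreign server name, so it is ignored.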

DNS Spoofing

DNS Spoofing is when a DNS server accepts and uses incorrect information from a host that has no authority giving that information. [4] DNS spoofing is a form of malicious cache poisoning where incorrect data is placed in the cache of the name servers. This can cause Internet users to be redirected to the wrong Internet sites or e-mail to be sent to e-mail servers that are not authorized to receive it. These types of attacks can go unnoticed for a long time. It's possible, for example, that a company may never know it is being spoofed until a major competitor enters the market with a product that is similar to its own. Only then would that company look into how that came about and discover that it has been the victim of an ongoing attack. This is a potential major security leak for credit card information, trade secrets, and other highly sensitive information. [5] According to recent surveys, 25-30% of servers on the Internet are spoofable.
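The definition above, a server accepting data from a host with no authority for it, maps onto the check resolvers apply to each response, usually called the bailiwick rule (a term the paper does not use). The following added example, not from the paper or from any DNS product, contrasts a cache that stores every record in a response with one that keeps only records inside the zone that was asked; the names, addresses and record layout are constructed.

```python
def norm(name):
    """Canonical form of a DNS name for comparison."""
    return name.rstrip(".").lower()


def in_bailiwick(owner, zone):
    """True if owner is the zone itself or a name beneath it."""
    owner, zone = norm(owner), norm(zone)
    return zone == "" or owner == zone or owner.endswith("." + zone)


def filter_response(zone, qname, records):
    """Split records into (accepted, rejected).

    zone    -- the zone the queried server is authoritative for
    qname   -- the name that was asked
    records -- (section, owner, rtype, rdata) tuples from the response
    """
    accepted, rejected = [], []
    chain = {norm(qname)}  # names the answer section may legitimately describe
    for section, owner, rtype, rdata in records:
        ok = in_bailiwick(owner, zone)
        if ok and section == "answer":
            ok = norm(owner) in chain
            if ok and rtype == "CNAME":
                chain.add(norm(rdata))  # follow the alias within this response
        (accepted if ok else rejected).append((section, owner, rtype, rdata))
    return accepted, rejected


def build_cache(records):
    """Cache keyed by (name, type), as a resolver would store it."""
    return {(norm(owner), rtype): rdata for _, owner, rtype, rdata in records}


# Constructed response to "www.shop.example A?" sent to a shop.example server.
# The last record describes a name the server has no authority over.
RESPONSE = [
    ("answer", "www.shop.example", "A", "192.0.2.10"),
    ("authority", "shop.example", "NS", "ns1.shop.example"),
    ("additional", "ns1.shop.example", "A", "192.0.2.53"),
    ("additional", "www.bank.example", "A", "203.0.113.66"),
]

if __name__ == "__main__":
    accepted, rejected = filter_response("shop.example", "www.shop.example", RESPONSE)
    naive, checked = build_cache(RESPONSE), build_cache(accepted)
    print("rejected:", rejected)
    print("naive cache has www.bank.example:", ("www.bank.example", "A") in naive)
    print("checked cache has www.bank.example:", ("www.bank.example", "A") in checked)
```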

Link Alteration

Another type of attack is link alteration. Link altering occurs when a hacker alters the return address of a web page sent to the intended victim that will direct the victim to a hacker's website instead of a real legitimate website. This is accomplished by adding the fake address before the real address in any of the pages that go back to the real site. Instead of having a real site such as http://www.computerworld.com the hacker would add his own website in front of that site to make it something like http://fakesitename/http://www.computerworld.com. The fake site will be recognized as a valid address.

The hacker will only have to do this once in order to get a link into the communication between the server and the browser. At that point, they can reprocess all of the communications including SSL connections. The typical user will more than likely not notice the change because they are constantly seeing URLs, site connections and server certificate details without really knowing if this data is correct.

Many websites are trying to defend against this by adding digital signatures to their web pages, which are checked as they are leaving the web server to make sure that none of the information has been changed. A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. [6] A major disadvantage of this is that if the pages are cached on the web servers then they can be easily altered. This is because caches do not have any checks and therefore cannot determine if any of the pages are valid.


Who is at risk?

Basically anyone with a computer is at risk of being a potential victim. Many of today's spoofing scams seem very realistic to customers of companies such as banks and financial services and also of companies like eBay and PayPal. E-mail scams are the most common of these spoofing attacks. The e-mails are remarkably successful, say Internet scam artists who've discussed their techniques anonymously with MSNBC.com. [7] One of the scam artists stated that as many as ten percent of the people who are spoofed fall for the scam and give up their valuable information easily. These scam artists use imitation artwork and websites that look like the real deal to unknowing victims.

An MSNBC anchor who had recently moved to a new area made the mistake of giving up her social security number to a webpage that looked like it was from America Online. Once she gave her number to the site she knew that she had made a mistake. She was so involved in filling out new forms due to her move that she just thought that it was "one more" form that had to be filled out. Many of the people who are scammed are Internet savvy and are people who regularly check all of their financial accounts. But the fake e-mails were convincing enough that they fell for them. Many other people do not know enough about the Internet to try and protect themselves from the many dangers that are out there. It's these people that are scammed the easiest and these are the people that the scam artists are hoping to find. And the more advanced these scams become, the harder it is for people to determine what's real and what's not.


Recent Attacks

There are many cases involving spoofing but here are a few of the more recent scams.

In October of 2003, an Ohio woman pleaded guilty to a federal conspiracy charge after she had unknowingly spammed an FBI computer crime agent. The suspect had conspired with some of her colleagues to send mass e-mails to AOL users purporting to be from AOL's security department. According to court records, the messages claimed that AOL's last attempt to bill the recipient's credit card had failed, and included a link to an "AOL Billing Center" webpage, where an online form demanded the user's name, address, credit card number, expiration date, three digit CCV number and credit card limit. [8]

It is unknown how many credit card numbers were obtained and that will help determine the severity of her punishment. Under federal guidelines, the number of fraudulent charges that were made with the stolen credit cards will determine the suspect's sentence. These guidelines also state that each of these stolen cards must be valued for at least $500.

In the second case, customers of Citibank were targeted in a recent scam where the suspects were trying to obtain the financial information of Citibank's credit card holders.

The scam involved e-mails sent out to unsuspecting customers that included a link to a fake Citibank website. Once redirected to the bogus site, customers were greeted by a pop-up box, which asked them for their personal financial information including their PIN number and their expiration dates. A web hosting company in Moscow, Russia was hosting the spoofed web site. Citibank customers were targeted a few months earlier with the same type of scam. Citibank has since taken proper measures and has posted warnings on its websites to help protect its customers.

The last case is a scam involving a well-known company, PayPal Inc. PayPal is used by many people to make and receive online payments for eBay purchases or sales.

In July of 2003, a fake website was discovered that tried to trick PayPal customers into giving up their personal account and billing information. PayPal customers were directed to the site, www.paypalbillingnetwork.net, by an e-mail message that appeared to come from the Mountain View, California company. The message claimed that, due to a recent system flush, the customer billing and personal information is "temporarily unavailable". [9] It told customers that they needed to verify their information by visiting this site or they would risk having their account cancelled. The website was almost identical to PayPal's real website. The same layout and graphics were used and many of the links actually pointed back to the real PayPal website. PayPal has always been targeted due to the fact that it is an online payment clearinghouse with a very large user base.


Spoofing on the rise

According to the FBI, web "spoofing" scams are becoming a growing problem. The assistant director of the FBI's Cyber division states that "Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet." [10] The Internet Fraud Complaint Center (IFCC), which is run by the FBI, has seen a steady rise in complaints from Internet users who are receiving unsolicited e-mails trying to direct them to phony "Customer Service" websites. These scams are causing a rise in credit card fraud, identity theft and other Internet frauds. The FBI has specialized cyber squads and cyber crime task forces that are focusing on the spoofing problem. The FBI is also using Legal Attaché offices overseas to run investigations that cross international lines. Most recently the FBI has received complaints that trace back to people in Russia, Romania and England. In addition to all of this, the FBI is also working actively with big name companies such as eBay and PayPal to try and identify common traits of these scams as well as creating proactive measures to respond immediately to these attacks.

The FBI offers the following tips for Internet Users:

- If you encounter an unsolicited e-mail that asks you, either directly, or through a web site, for personal financial or identity information, such as Social Security number, passwords, or other identifiers, exercise extreme caution.
- If you need to update your information online, use the normal process you've used before, or open a new browser window and type in the website address of the legitimate company's account maintenance page.
- If a website address is unfamiliar, it's probably not real. Only use the address that you have used before, or start at your normal homepage.
- Always report fraudulent or suspicious e-mail to your ISP. Reporting instances of spoof web sites will help get these bogus web sites shut down before they can do any more harm.
- Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and "https" in front of the website address.
- Take note of the header address on the web site. Most legitimate sites will have a relatively short Internet address that usually depicts the business name followed by ".com," or possibly ".org." Spoof sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all.
- If you have any doubts about an e-mail or website, contact the legitimate company directly. Make a copy of the questionable web site's URL address, send it to the legitimate business and ask if the request is legitimate.
- If you've been victimized by a spoofed e-mail or web site, you should contact your local police or sheriff's department, and file a complaint with the FBI's Internet Fraud Complaint Center at www.IFCCFBI.gov. [10]
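The address checks in these tips, together with the link-alteration form described earlier (http://fakesitename/http://www.computerworld.com), can be applied mechanically to a link before it is followed. The following is an added example, not from the paper or the FBI; KNOWN_SITES is a hypothetical allowlist of the sites a user normally deals with, and the finding names are made up for the illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Hypothetical allowlist: business name -> the domain the user normally types in.
KNOWN_SITES = {"paypal": "paypal.com", "computerworld": "computerworld.com"}


def split_link(url):
    """Parse a link; a bare host such as 'www.example.com' is treated as http."""
    if not re.match(r"^[a-z][a-z0-9+.-]*://", url, re.IGNORECASE):
        url = "http://" + url
    return urlsplit(url)


def effective_host(url):
    """The host the browser will actually contact, whatever else the URL contains."""
    return (split_link(url).hostname or "").lower()


def host_matches(host, domain):
    """True for the domain itself or any of its subdomains."""
    return host == domain or host.endswith("." + domain)


def link_findings(url):
    """Return the reasons a link does not look like the site it names."""
    parts = split_link(url)
    host = (parts.hostname or "").lower()
    rest = unquote(parts.path + "?" + parts.query).lower()
    findings = []

    # FBI tip: look for "https" in front of the address.
    if parts.scheme != "https":
        findings.append("not-https")

    # Link alteration: a second URL carried after the real host.
    if "http://" in rest or "https://" in rest:
        findings.append("url-embedded-in-path")

    # FBI tip: the business name appears somewhere in the string,
    # but the host is not that business's own domain.
    for name, domain in KNOWN_SITES.items():
        if name in host + rest and not host_matches(host, domain):
            findings.append(name + "-name-on-foreign-host")
    return findings


# The first two addresses appear in the paper; the third is constructed.
SAMPLES = [
    "http://fakesitename/http://www.computerworld.com",
    "www.paypalbillingnetwork.net",
    "https://www.paypal.com/signin",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{url}\n  contacts: {effective_host(url)}\n  findings: {link_findings(url)}")
```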

If someone feels that they have been a victim of a spoofing or phishing scam then they should take action right away. They should make a point to cancel all of their credit cards and checking accounts if they have mistakenly given away these numbers.


Financial Losses

In the last five years, 27.3 million Americans have been victims of identity theft. Last year the number was 9.9 million people. Identity theft cost businesses and financial institutions nearly $48 billion and consumer victims reported $5 billion in out-of-pocket expenses last year according to the FTC (Federal Trade Commission). [11] On average, the loss for consumers was about $500 and for businesses that number rose to $4800. But not all of the information that was obtained by spoofing was for financial gain. Last year, nearly 1.5 million people scammed had reported that their information was used to obtain things such as tax forms or government documents. One of the most common ways that this information was used was when the thief used the victim's name and information when caught committing a crime.


What can be done?

Banks commonly advise their users to ignore the scam e-mails. [12] But is that really the best answer to give people? Many people are fooled by the sophisticated e-mail scams that look like the real thing. Most people would not even know what to look for, such as a fake URL or fake web pages. Many companies are developing more advanced hardware and software to try and help the average Internet user combat these attacks. An example of this would be from a company called Linksys. Linksys makes many broadband and wireless network products. One of their more recent products is their EtherFast Cable/DSL Firewall router. This router protects PCs from Ping of Death, SYN Flood, Land Attacks, IP Spoofing, and other DoS (Denial of Service) attacks. [13] At around $100, this product is a fairly inexpensive way to help protect your home PC. For the average Internet user it is quite a bargain.

Another company, Tumbleweed Communications, believes that the answer to this type of fraud is the use of digitally signed e-mail to protect against phishing hacker attacks and spam e-mail. [14] The advantage of digital signatures is that they are easily transported and cannot be imitated by someone else. They can also be automatically time stamped. A digital signature can be used with any type of message, and this way the receiver of the message can be sure of who sent the message and that the message arrived unaltered.

In the case of DNS Spoofing, it is necessary for companies to have security built right into their DNS systems. To minimize the risk of a spoofing attack, every organization or individual responsible for a domain should first check which type of name server they are using and consult with its developer whether it is secure against DNS spoofing or not. [4] There is also a piece of software, DNS Expert (v1.3), that IT administrators can use to check all types of DNS servers to see if they are vulnerable to DNS Spoofing attacks or other DNS problems.


Further Work, Summary and Conclusions

Spoofing affects millions of people and the financial losses are staggering. It is growing into one of the biggest scams on the Internet. Many major law enforcement communities have developed cyber crime squads to help deal with this problem as well as other Internet threats. As technology advances so does the sophistication of these threats. The average Internet user in today's world is unsuspecting of these attacks. With millions of people online, only a small percentage has any kind of real protection against these scam artists. In order for these spoofing attacks to be less successful, consumers need to become better educated about the Internet and the potential dangers that await them, and also to be wary of anybody, no matter who it is, looking for their critical information such as their social security number and personal financial information.

Companies will also need to develop better technology to fight against the never ending threat of these attacks and try and stay one step ahead of the attackers. Companies must also make every effort to discover these attacks as soon as possible and get warnings out to all of their customers to help minimize the damage that these attacks can cause. Only through better technology and education do we stand a chance against the constant onslaught of spoofing.


References:

[1] Cohen, Fred, Fred Cohen & Associates, The All.Net Security Database, Available at,

[2] Webopedia.com, IP Spoofing, available at

[3] Search Security.com, e-mail spoofing, available at,

[4] Men & Mice, DNS Spoofing, Available at,

[5] Men & Mice, DNS Spoofing, Available at,

[6] SearchSecurity.com Definitions, Digital Signature, Available at,

[7] Sullivan, Bob, MSNBC News, (November 2003) Who falls for e-mail scams?, Available at,

[8] Kevin Poulsen, SecurityFocus, (October 2003) Unlucky phisher pleads guilty, Available at,

[9] Roberts, Paul, IDG News Service, New site spoofs PayPal to get billing information (July 2003), Available at,

[10] (Press release) FBI says Web "Spoofing" Scams are a growing problem, Available at,

[11] Leyden, John, The Register (May 2003) ID theft hits 10m Americans a year.

[12] Leyden, John, The Register, (October 2003) Gone Phishin', Available at,

[13] Instant Broadband™ EtherFast® Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint, Available at,

[14] Tumbleweed Communications, Digitally signed e-mail to protect against phishing hacker attacks, Available at,






CJ625 Student Paper
Spoofing

Spoofing

by Steven Gigantino


Abstract

This paper will talk about the many ways that spoofing is used in today's world using computer technology. It will discuss the types of spoofing that exist and how they are deployed. It will include recent cases of spoofing attacks and the financial losses resulting from these attacks. Also discussed will be what all of us can do to try and protect ourselves from being spoofed and what further work is being done to try and reduce the effects of this major type of attack.


Introduction

For many years, criminals have tried to hide their true identity by creating aliases for themselves or using disguises to alter their physical appearances so no one would be able to recognize them. Whether it was to rob a bank or cashing a stolen check, these criminals have always tried to evade law enforcement by trying to conceal their identities. Computer spoofing or "phishing" is the same idea but instead of using physical items such as fake beards and wigs, today's computer spoofers use tools such as computers to try and accomplish many criminal activities.

Besides spoofing computers, criminals have also tried spoof people in other ways. There have been many cases where criminals have set up fake ATM machines in places such as shopping malls. The unsuspecting victim would try to use the ATM machine only to have their card either eaten by the machine or malfunction or spit back out. But at that point the criminal would already have enough information such as a PIN number and other data that would allow them to use the victim's financial information for their personal gain. Spoofing is becoming very widespread in today's world and is quickly becoming one of the most common attack methods. Millions of dollars are lost each year to these kinds of attacks and has grown considerably in recent years.


What is Spoofing

Spoofing is creating false or misleading information in order to fool a person or system into granting access or information not normally available. [1] IP Spoofing is a technique used to gain unauthorized access to computers, whereby the intruder sends messages to a computer with an IP address indicating that the message is coming from a trusted host. To engage in IP spoofing, a hacker must first use a variety of techniques to find an IP address of a trusted host and then modify the packet headers so that it appears that the packets are coming from that host. [2] There are many types of IP spoofing attacks. These attacks include but are not limited to Man-in-the-middle attacks, SYN Flood, DNS Spoof, Ping Storm, Ping of Death, smurf, Syndrop, TearDrop2, and Fragment overlap. The list goes on and on. It seems that new ways to spoof people are being created on almost a daily basis. The following types of spoofing attacks are more commonly being used.


Types of Spoofing

E-Mail Spoofing

E-mail spoofing is the forgery of an e-mail header so that the message appears to have originated from someone or somewhere other than the actual source [3]. Spammers use spoofing in an attempt to get the intended target to open their spam. Spoofing can be done legally but only if you spoof yourself. If you try to spoof anyone else besides yourself, then it becomes illegal. Legitimate uses can include someone trying to report criminal activity but who fears retaliation or reporting things such as child abuse. The person doing the spoofing is trying to cover up the source address so the recipient does not now the true identity of the person sending the e-mail.

E-mail spoofing is possible because Simple Mail Transfer Protocol (SMTP), the main protocol used in sending e-mail, does not include an authentication mechanism. [3] The people who send spoofed e-mail are inserting commands in the e-mail headers that will change the message information. They can send a message and make it seem that it can be from anyone, anywhere and virtually saying anything that they want it to say. All the while making it seems to come from the victims e-mail address. While most e-mail spoofing is generally harmless some can be very dangerous such as someone pretending to be in a position of authority asking for private information such as financial information, personal credit card numbers or passwords. E-mail spoofing is one of the more common types of spoofing attacks used today.

DNS Spoofing

DNS Spoofing is when a DNS server accepts and uses incorrect information from a host that has no authority giving that information. [4] DNS spoofing is a form of malicious cache poisoning where incorrect data is placed in the cache of the name servers. This can cause Internet users to be redirected to the wrong Internet sites or e-mails being sent to e-mails servers that are not authorized to receive them. These types of attacks can go unnoticed for a long time. It's possible for example that a company may never know they are being spoofed until a major competitor of theirs enters the market with a product that is similar to theirs. Only then, would that said company look into the possibilities of how that came about and only then discover that they have been victim to an ongoing attack. This is a potential major security leak for credit card information, trade secrets, and other highly sensitive information. [5]According to Recent surveys, 25-30% of servers on the Internet are spoofable.

Link Alteration

Another type of attack is link alteration. Link altering occurs when a hacker alters the return address of a web page sent to the intended victim that will direct the victim to a hacker's website instead of a real legitimate website. This is accomplished by adding the fake address before the real address in any of the pages that go back to the real site. Instead of having a real site such as http://www.computerworld.com the hacker would add his own website in front of that site to make it something like http://fakesitename/http://www.computerworld.com. The fake site will be recognized as a valid address.

The hacker will only have to do this once in order to get a link into the communication between the server and the browser. At that point, they can reprocess all of the communications including SSL connections. The typical user will more than likely not notice the change because they are constantly seeing URL's, site connections and server certificate details without really knowing if this data is correct.

Many websites are trying to defend against this by adding digital signatures to their web pages, which are checked as they are leaving the web server to make sure that none of the information has been changed. A digital signature is an electronic signature that can be used to authenticate the identity of the sender of a message or the signer of a document, and possibly to ensure that the original content of the message or document that has been sent is unchanged. [6] A major disadvantage of this is if the pages are cached on the web serves then they can be easily altered. This is because caches do not have any checks and therefore cannot determine if any of the pages are valid.


Who is at risk?

Basically anyone with a computer is at risk of being a potential victim. Many of today's spoofing scams seem very realistic to customers of companies such as banks and financial services and also for companies like EBay and Paypal. E-mail scams are the most common of these spoofing attacks. The e-mails are remarkably successful, say Internet scam artists who've discussed their techniques anonymously with MSNBC.com. [7] One of the scam artists stated that as many as ten percent of the people who are spoofed, fall for the scam and give up their valuable information easily. These scam artists use imitation art work and websites that look like the real deal to unknowing victims.

An MSNBC anchor that had recently moved to a new area had made the mistake of giving up her social security number to a webpage that looked like it was from America Online. Once she gave her number to the site she knew that she made a mistake. She was so involved in filling out new forms due to her move that she just thought that it was "one more" form that had to be filled out. Many of the people who are scammed are Internet savvy and are people who regularly check all of their financial accounts. But the fake e-mails were convincing enough that they fell for them. Many other people do not know enough about the Internet to try and protect themselves from the many dangers that are out there. It's these people that are scammed the easiest and these are the people that the scam artists are hoping to find. And the more advanced these scams become the harder it is for people to determine what's real and what's not.


Recent Attacks

There are many cases involving spoofing but here are a few of the more recent scams.

In October of 2003, an Ohio women pleaded guilty to a federal Conspiracy charge after she had unknowing spammed an FBI computer crime agent. The suspect had conspired with some of her colleagues to send mass e-mails to AOL users purporting to be from AOL's security department. According to court records, the messages claimed that AOL's last attempt to bill the recipient's credit card had failed, and included a link to an "AOL Billing Center" webpage, where an online form demanded the user's name, address, credit card number, expiration date, three digit CCV number and credit card limit. [8]

It is unknown how many credit card numbers were obtained and that will help determine the severity of her punishment. Under federal guidelines, the number of fraudulent charges that were made with the stolen credit cards will determine the suspect's sentence. These guidelines also state that each of these stolen cards must be valued for at least $500.

In the second case, customers of Citibank were targeted in a recent scam in which the suspects were trying to obtain the financial information of Citibank's credit card holders.

The scam involved e-mails sent out to unsuspecting customers that included a link to a fake Citibank website. Once redirected to the bogus site, customers were greeted by a pop-up box, which asked them for their personal financial information, including their PIN number and their expiration dates. A web hosting company in Moscow, Russia was hosting the spoofed web site. Citibank customers were targeted a few months earlier with the same type of scam. Citibank has since taken proper measures and has posted warnings on its websites to help protect its customers.

The last case is a scam involving a well-known company, PayPal Inc. PayPal is used by many people to make and receive online payments for eBay purchases or sales.

In July of 2003, a fake website was discovered that tried to trick PayPal customers into giving up their personal account and billing information. PayPal customers were directed to the site, www.paypalbillingnetwork.net, by an e-mail message that appeared to come from the Mountain View, California company. The message claimed that, due to a recent system flush, the customer billing and personal information is "temporarily unavailable." [9] It told customers that they needed to verify their information by visiting this site or they would risk having their account cancelled. The website was almost identical to PayPal's real website. The same layout and graphics were used, and many of the links actually pointed back to the real PayPal website. PayPal has always been targeted because it is an online payment clearinghouse with a very large user base.


Spoofing on the rise

According to the FBI, web "spoofing" scams are becoming a growing problem. The assistant director of the FBI's Cyber division states that "Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet." [10] The Internet Fraud Complaint Center (IFCC), which is run by the FBI, has seen a steady rise in complaints from Internet users who are receiving unsolicited e-mails trying to direct them to phony "Customer Service" websites. These scams are causing a rise in credit card fraud, identity theft and other Internet frauds. The FBI has specialized cyber squads and cyber crime task forces that are focusing on the spoofing problem. The FBI is also using Legal Attaché offices overseas to run investigations that cross international lines. Most recently, the FBI has received complaints that trace back to people in Russia, Romania and England. In addition to all of this, the FBI is also working actively with big name companies such as eBay and PayPal to try to identify common traits of these scams and to create proactive measures for responding immediately to these attacks.

The FBI offers the following tips for Internet Users:

- If you encounter an unsolicited e-mail that asks you, either directly, or through a web site, for personal financial or identity information, such as Social Security number, passwords, or other identifiers, exercise extreme caution.
- If you need to update your information online, use the normal process you've used before, or open a new browser window and type in the website address of the legitimate company's account maintenance page.
- If a website address is unfamiliar, it's probably not real. Only use the address that you have used before, or start at your normal homepage.
- Always report fraudulent or suspicious e-mail to your ISP. Reporting instances of spoof web sites will help get these bogus web sites shut down before they can do any more harm.
- Most companies require you to log in to a secure site. Look for the lock at the bottom of your browser and "https" in front of the website address.
- Take note of the header address on the web site. Most legitimate sites will have a relatively short Internet address that usually depicts the business name followed by ".com," or possibly ".org." Spoof sites are more likely to have an excessively long string of characters in the header, with the legitimate business name somewhere in the string, or possibly not at all.
- If you have any doubts about an e-mail or website, contact the legitimate company directly. Make a copy of the questionable web site's URL address, send it to the legitimate business and ask if the request is legitimate.
- If you've been victimized by a spoofed e-mail or web site, you should contact your local police or sheriff's department, and file a complaint with the FBI's Internet Fraud Complaint Center at www.IFCCFBI.gov. [10]
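The address checks in the tips above can be automated for links taken from an e-mail, including the case where a legitimate business name is buried inside a longer address, as with www.paypalbillingnetwork.net. The following Python code is an added example, not part of the original paper or the FBI release; the brand-to-domain allowlist, the function names and the warning labels are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed allowlist, constructed for this example:
# brand keyword -> domains that the brand actually operates.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "citibank": {"citibank.com"},
    "ebay": {"ebay.com"},
}

def belongs_to(host, domain):
    """True if host is the domain itself or a subdomain of it.

    Matching on a label boundary means 'paypal.com.example.net'
    does not count as part of 'paypal.com'.
    """
    return host == domain or host.endswith("." + domain)

def check_link(url):
    """Return a list of warning labels for a link found in an e-mail."""
    warnings = []
    # A link written without a scheme is treated as plain http.
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme != "https":
        warnings.append("not-https")
    if parts.username is not None:
        # Text before '@' is a login name, not the site being visited.
        warnings.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        warnings.append("ip-literal-host")
        return warnings
    except ValueError:
        pass  # host is a name, not a raw IP address
    for brand, domains in KNOWN_BRANDS.items():
        # Brand name appears in the host, but the host is not the brand's.
        if brand in host and not any(belongs_to(host, d) for d in domains):
            warnings.append("brand-lookalike:" + brand)
    return warnings

if __name__ == "__main__":
    for link in ("https://www.paypal.com/signin",
                 "www.paypalbillingnetwork.net",
                 "https://www.paypal.com.account-check.example/login"):
        print(link, "->", check_link(link) or "no warnings")
```

An empty result only means none of these checks fired; it does not prove a link is legitimate.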

If someone feels that they have been a victim of a spoofing or phishing scam then they should take action right away. They should make a point to cancel all of their credit cards and checking accounts if they have mistakenly given away these numbers.


Financial Losses

In the last five years, 27.3 million Americans have been victims of identity theft. Last year, the number was 9.9 million people. Identity theft cost businesses and financial institutions nearly $48 billion, and consumer victims reported $5 billion in out-of-pocket expenses last year, according to the FTC (Federal Trade Commission). [11] On average, the loss for consumers was about $500, and for businesses that number rose to $4800. But not all of the information that was obtained by spoofing was used for financial gain. Last year, nearly 1.5 million of the people scammed reported that their information was used to obtain things such as tax forms or government documents. One of the most common ways that this information was used was when the thief gave the victim's name and information after being caught committing a crime.


What can be done?

Banks commonly advise their users to ignore the scam e-mails. [12] But is that really the best answer to give people? Many people are fooled by the sophisticated e-mail scams that look like the real thing. Most people would not even know what to look for, such as a fake URL or fake web pages. Many companies are developing more advanced hardware and software to help the average Internet user combat these attacks. An example of this comes from a company called Linksys. Linksys makes many broadband and wireless network products. One of their more recent products is their EtherFast Cable/DSL Firewall router. This router protects PCs from Ping of Death, SYN Flood, Land Attacks, IP Spoofing, and other DoS (Denial of Service) attacks. [13] At around $100, this product is a fairly inexpensive way to help protect your home PC. For the average Internet user it is quite a bargain.

Another company, Tumbleweed Communications, believes that the answer to this type of fraud is the use of digitally signed e-mail to protect against phishing hacker attacks and spam e-mail. [14] The advantage of digital signatures is that they are easily transported and cannot be imitated by someone else. They can also be automatically time stamped. A digital signature can be used with any type of message, and this way the receiver of the message can be sure of who sent the message and that the message arrived unaltered.

In the case of DNS Spoofing, it is necessary for companies to have security built right into their DNS systems. To minimize the risk of a spoofing attack, every organization or individual responsible for a domain should first check which type of name server they are using and consult with its developer about whether it is secure against DNS spoofing. [4] There is also a piece of software, DNS Expert (v1.3), that IT administrators can use to check all types of DNS servers to see if they are vulnerable to DNS Spoofing attacks or other DNS problems.


Further Work, Summary and Conclusions

Spoofing affects millions of people and the financial losses are staggering. It is growing into one of the biggest scams on the Internet. Many major law enforcement communities have developed cyber crime squads to help deal with this problem as well as other Internet threats. As technology advances, so does the sophistication of these threats. The average Internet user in today's world is unsuspecting of these attacks. With millions of people online, only a small percentage have any kind of real protection against these scam artists. For these spoofing attacks to be less successful, consumers need to become better educated about the Internet and the potential dangers that await them, and to be wary of anybody, no matter who it is, looking for their critical information such as their Social Security number and personal financial information.

Companies will also need to develop better technology to fight against the never-ending threat of these attacks and try to stay one step ahead of the attackers. Companies must also make every effort to discover these attacks as soon as possible and get warnings out to all of their customers to help minimize the damage that these attacks can cause. Only through better technology and education do we stand a chance against the constant onslaught of spoofing.


References:

[1] Cohen, Fred, Fred Cohen & Associates, The All.Net Security Database, Available at,

[2] Webopedia.com, IP Spoofing, available at

[3] Search Security.com, e-mail spoofing, available at,

[4] Men & Mice, DNS Spoofing, Available at,

[5] Men & Mice, DNS Spoofing, Available at,

[6] SearchSecurity.com Definitions, Digital Signature, Available at,

[7] Sullivan, Bob, MSNBC News, (November 2003) Who falls for e-mail scams?, Available at,

[8] Kevin Poulsen, SecurityFocus, (October 2003) Unlucky phisher pleads guilty, Available at,

[9] Roberts, Paul, IDG News Service, New site spoofs PayPal to get billing information (July 2003), Available at,

[10] (Press release) FBI says Web "Spoofing" Scams are a growing problem, Available at,

[11] Leyden, John, The Register (May 2003) ID theft hits 10m Americans a year.

[12] Leyden, John, The Register, (October 2003) Gone Phishin', Available at,

[13] Instant Broadband™ EtherFast® Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint, Available at,

[14] Tumbleweed Communications, Digitally signed e-mail to protect against phishing hacker attacks, Available at,