
Web Spoofing: An Internet Con Game

November 1996


This paper describes an Internet security attack that could
endanger the privacy of World Wide Web users and the integrity
of their data. The attack can be carried out on today's
systems, endangering users of the most common Web browsers,
including Netscape Navigator and Microsoft Internet Explorer.
Web spoofing allows an attacker to create a "shadow copy" of
the entire World Wide Web. Accesses to the shadow Web are
funneled through the attacker's machine, allowing the attacker
to monitor all of the victim's activities including any
passwords or account numbers the victim enters. The attacker
can also cause false or misleading data to be sent to Web
servers in the victim's name, or to the victim in the name of
any Web server. In short, the attacker observes and controls
everything the victim does on the Web. We have implemented a
demonstration version of this attack.

This technical report has been published as
Web Spoofing: An Internet Con Game. Edward W. Felten, Dirk
Balfanz, Drew Dean, and Dan S. Wallach, Proc. of
20th National Information Systems Security
October 1997.