Identifying "Spoofed" Websites

By Vince Barnes

Are you certain that the site you are looking at is what it appears to be?  Is it coming from the company it claims to?

The Crime

You click a link on a page or in an email you have received.  And why not?  The email is from the bank, it has their familiar logo and all their usual wording in it.  The clicked link takes you to a page with the usual account login fields for you to put in your username and password.  The URL up in the address bar is the usual URL for your on-line banking and so you're pretty comfortable.  You type in your username and password but for some reason it doesn't take.  You try again and you're logged in in the usual fashion and see all your account details.  Everything is as it should be.  Or is it?

Unfortunately, it is very possible that you have just become a victim of a crime involving a "spoofed" website address and the contents of all your bank accounts are now at risk.  How does it work, and what can you do to protect yourself?  Let's take a look.

The criminal starts by obtaining a legitimate email from the bank in question.  This could have come from an actual account they or one of their associates opened, or it may have come from the email program in a lost or stolen notebook or home computer.  They also copy the login page from the bank.  Using phony ID they set up a site on a hosting company somewhere and put up the copy of the login page, but with some code written into it to capture the entered username and password and transfer the visitor to the legitimate login page.

Next, they send out the emails with some pretext that requires you to log in and check something on your account.  The emails have spoofed sender and return addresses so that they look like they came from the bank.  The link in the email uses another spoofing technique to display the legitimate website address in the address bar and status bar of your browser while actually displaying the fake page.  You click it, it takes you to the fake page, but everything looks normal to you.  You type in your username and password; the fake page captures your identification and sends you over to the legitimate login page.  Depending on the way the bank's site (or auction, or web payment or any other financially useful page) is constructed, it might also be possible for the fake page to pass your identification over to it so that it logs you right in without you having to type it a second time.

Recognizing the Crime in Progress

Using the web for bill payments and on-line banking is such a convenience.  It's also pretty safe if you can recognize these spoofs and avoid them.  So how can you tell if the site you've landed on is the site you think it should be?  First, any site dealing with financial matters, whether banking, buying, selling, transferring money or using money or credit or debit cards in any way at all, should be secured with SSL/TLS.  This is "Secure Sockets Layer/Transport Layer Security".   If the site doesn't use SSL/TLS (commonly just called SSL), don't use the site.  SSL encrypts data being sent back and forth between your browser and the server hosting the site, but it can also be used to verify the identity of the server.

When SSL/TLS is in use, a padlock is shown in the status bar (in Netscape, the padlock is always there, but is open on unsecured sites and closed on secure sites - other browsers may use different symbols.)   If you don't see the status bar, in Internet Explorer, click "View/Status Bar", in Netscape click "View/Show-Hide/Status Bar", to enable it.  Double click the padlock icon and the certificate details are shown.  The "Issued To" name should be the name of the site.  If it is not, you may well be looking at a spoofed site, and shouldn't provide any of your information.

If the site is not an SSL secured site, perhaps because it doesn't actually use financial information but collects or uses some other personal information, you should consider carefully whether or not you want to provide any of the requested information.  These sites can also be spoofed, but you won't have the SSL certificate to help you identify the spoof.  Instead, this JavaScript code, copied and pasted into the address bar, will provide you with the site and server identification:

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");
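The same comparison can be made on a link before it is clicked. The following is an added example, not part of the original article: it checks the address a link shows against the host it really points to and against the address you would have typed yourself. The function names and the sample hosts (www.bank.example, login.hosting.test) are made up for illustration.

```javascript
// Added example. Hosts and links below are constructed for illustration.

// Return the hostname a browser would actually contact for this href.
// The WHATWG URL parser applies the browser's own rules, so the result
// does not depend on how the string looks to a human reader.
function targetHost(href) {
  try {
    const u = new URL(href);
    return { host: u.hostname.toLowerCase(), scheme: u.protocol };
  } catch (e) {
    return null; // not an absolute URL
  }
}

// If the visible link text itself looks like a web address, extract its host.
function shownHost(text) {
  const m = /^\s*(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[\/:?#\s]|$)/i.exec(text);
  return m ? m[1].toLowerCase() : null;
}

// expectedHost: the address you would have typed into the address bar yourself.
function checkLink(text, href, expectedHost) {
  const findings = [];
  const target = targetHost(href);
  if (!target) return { host: null, findings: ["href is not a valid absolute URL"] };
  if (target.host !== expectedHost.toLowerCase())
    findings.push("link goes to " + target.host + ", not " + expectedHost);
  const shown = shownHost(text);
  if (shown && shown !== target.host)
    findings.push("text shows " + shown + " but link goes to " + target.host);
  if (target.scheme !== "https:")
    findings.push("link does not use SSL/TLS (" + target.scheme + ")");
  return { host: target.host, findings };
}

// Constructed sample links, as they might appear in an email: [text, href].
const samples = [
  ["www.bank.example/login", "https://www.bank.example/login"],
  ["https://www.bank.example/login", "http://login.hosting.test/bank/login.html"],
  ["Click here to verify your account", "https://login.hosting.test/verify"],
];
for (const [text, href] of samples) {
  const r = checkLink(text, href, "www.bank.example");
  console.log(href, "->", r.findings.length ? r.findings.join("; ") : "ok");
}
```

An empty findings list only means the link points where it claims to; the certificate check described above is still what confirms the server's identity.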


Prevention is so much better than cure!  The best way to prevent yourself from becoming a victim of a spoofed site is to never use a hyperlink to get to a financial page unless you are CERTAIN that it is a legitimate link.  That means, never use a link in any email to take you to a financial page.  Instead, type the address into the address bar yourself.  This is a minor inconvenience compared to having your bank accounts emptied.

If you started by typing in a known address to a site and you are now following links through the site to its secured financial pages, you can be pretty sure they are legitimate links.  If you've been taken off to another site somehow, and are now being returned to the financial pages, I'd be more cautious if I were you -- time to check that SSL certificate!

If you typed in the address to a site to visit it and then saved it in your "favorites" list (bookmarks), you can trust it (unless you believe somebody with malicious intent might have had access to your favorites list!)  The best way, however, is to memorize the address and type it in yourself.

One more thing: I know it's convenient to use the same password for all the secured sites you use, but it's just not a good idea.  Think up a way to create a password that varies from site to site, perhaps using something about the site as a part of the password.  When creating passwords, think first about how easy it would be for someone else to figure it out.  Your child's name, your dog's name, your address and phone numbers, birthdays, etc. are all very bad ideas.  Devise something else that's personal enough to remember, but not easy to guess.  Complicated is good!  Mixtures of numbers, letters and special characters are good!  Words are bad!

And lastly, don't write passwords down, remember them.  (DON'T WRITE THEM DOWN!)
