Phishing is the entry point to many spoofing website scams. Click on a dodgy link to be taken to the spoof website.
Many security gurus say that the way to avoid spoofing is to use only websites with the https:// prefix to take advantage of the heightened security of such sites. That is not as secure as it used to be.
Why https is not the solution
Https:// was intended to apply a level of security to website interaction. It uses strong TLS encryption to do so. The most common implementation is the OpenSSL implementation. The objective is to prevent hackers and eavesdroppers from seeing or decrypting information submitted to a website that has the secure padlock and the https:// prefix. It also hides the location of pages inside the website that you visit from your ISP.
However, there are several issues that have surfaced recently around the use of https://. The first is the implementation of the OpenSSL encryption itself, and the second, the use of non-Roman characters in domain names.
The https technology, as with all other technologies is vulnerable to developer error. The Heartbleed vulnerability surfaced only in 2014, despite being around for at least two years. With Heartbleed, Version 1 of the Open SSL implementation contained a bug that made user-ids and passwords vulnerable to theft.
It related to one implementation of OpenSSL, and only one version of that implementation, but still caused universal panic. A very senior British politician recommended that everyone change their passwords immediately.
Man in the Middle attacks allow hackers to compromise site certificates and to collect information on it’s way to and from supposedly secure websites in its unencrypted form. Unfortunately, some browsers, Opera Mini and Blackberry act like a Man in the Middle to enable them to compress traffic for faster browsing. They apparently don’t log information, so that’s all right then.
There are continuing attempt to increase the effectiveness of attacks on SSL encryption, and Man in the Middle exploits.
The https:// technology is not as secure as most people think.
Back in the day, everything on the Internet was in the Roman character set. As the reach of the Internet spread to other parts of the world, other character sets began to appear, particularly the Cyrillic and several Oriental character sets. Domain names began to include non-Roman characters.
The caused difficulties for the major browsers which used English and the Roman character set. . To get around the issue, Unicode, the body charged with maintaining online text standards developed Punycode, which renders characters from the multi-alphabet standard tables of character codes maintained by Unicode.
The law of unintended consequences now came into play. Domain names could now include all sorts of characters, for example emojis and characters that looked like Roman alphabetic characters.
This gives the spoofer the opportunity to use letter and character manipulation to create and use fake websites.
Security researcher Xudong Zheng, was one of the first to highlight the character set issue in relation to https spoofing:
“From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common ASCII characters… It is possible to register domains such as ‘xn--pple-43d.com’, which is equivalent to ‘?pple.com’. It may not be obvious at first glance, but ‘?pple.com’ uses the Cyrillic ‘?’ (U+0430) rather than the ASCII “a” (U+0041)”
In short, clicking on the apple.com link in a phishing email takes you to the spoof website xn--pple-43d.com.
How to spot a spoofing website
There are several techniques to see if you are being spoofed.
In most browsers, holding your cursor over a link brings up the URL to which you will be taken. If it looks iffy, then don’t go there.
Most password managers work by recognising a URL as one that requires authentication and pulls the information from its database. If it doesn’t recognise the URL, no authentication information is presented.
Rather than clicking on a link, type it in yourself. You avoid the Punycode problem.
Https spoofing is a growing problem and will be with us until a better security protocol is implemented. Until then, be careful out there.