

Stop URL spoofing attacks in their tracks


Serdar Yegulalp
03.10.2005


In this two-part series, Serdar Yegulalp explains how URL spoofing targets Windows users and how to protect systems from attacks. Part one detailed how URL spoofing works and how to educate users on its warning signs. Part two below covers anti-spoofing browser features, domain spoofing, weaknesses in international domain names and e-mail vulnerabilities.

In my previous tip, I offered some tricks to help you and your users identify URL spoofing scams -- but user education can only go so far. Today I'll discuss steps you can take to help lock down Windows systems.

Use browser-based features when available
As spoofing becomes more common, newer Web browsers are being programmed to identify such scams. For example, Mozilla's Firefox 1.0.1 can detect when certain tactics are being employed (i.e. site redirection that falsely claims to be SSL-protected). It then warns the user accordingly. Consider this another reason to dump Internet Explorer. Also be mindful of third-party plug-ins like CoreStreet's SpoofStick, which can also help protect you from spoofing scams.

Set up a spoof@ e-mail address where potential spoof messages can be sent and analyzed
An overwhelming number of spoof e-mails forced both eBay and PayPal to set up spoof@ addresses where people can forward the scams as attachments. Each company's security team analyzes the URLs and routing information in each e-mail to quickly identify and shut down offenders. If you create such an e-mail account, you should assign someone to monitor it continually to keep up with your volume of spoofed traffic.

Enforce reverse DNS authorization if possible
Reverse DNS authorization ensures that a given piece of e-mail is indeed coming from the professed sender's domain. Unfortunately, not all ISPs consistently support reverse DNS authorization, which means that a perfectly legitimate e-mail may bounce.

Accept and send only plaintext e-mails
This fairly radical maneuver is a great way to expose spoof URLs. All hyperlinks are displayed in plaintext-only format, so a bogus link will be obvious. How to enforce such a policy on inbound e-mail depends on your mail setup. For Exchange, you can use a third-party product called Aloaha.

If you have to send automated e-mails from your domain, you may also be wise to send plaintext-only e-mails and educate recipients about your decision. Make it clear that if anyone receives non-plaintext e-mail from your domain, URLs in that e-mail may be spoofed. If there's no pressing need to send HTML e-mails from your domain, it's better not to do so.
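To show why plaintext rendering exposes a spoofed link, here is an added example (not from the original tip, and not how Aloaha or any other product works) that flattens an HTML message to text, prints each link's real target beside its visible text, and reports links whose visible text names a different host. The class and function names and the sample message are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the visible text names one site, the href points elsewhere.
SAMPLE_HTML = ('<p>Please verify your account at '
               '<a href="http://203.0.113.7/login">https://www.example.com/verify</a>'
               ' today. <a href="https://www.example.com/help">Help center</a></p>')

def _host(text):
    """Return the host if text looks like a URL or bare domain, else ''."""
    if " " in text or "." not in text:
        return ""
    return urlsplit(text if "://" in text else "//" + text).hostname or ""

class LinkRevealer(HTMLParser):
    """Flatten HTML to text, writing every link target next to its visible text."""
    def __init__(self):
        super().__init__()
        self.out, self.mismatches = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        # Text inside <a> is buffered; everything else goes straight to output.
        (self._text if self._href is not None else self.out).append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        shown = "".join(self._text).strip()
        self.out.append(f"{shown} <{self._href}>")
        shown_host = _host(shown)
        if shown_host and shown_host != _host(self._href):
            self.mismatches.append((shown, self._href))
        self._href = None

def to_plaintext(html):
    """Return (plaintext body, list of (visible text, real target) mismatches)."""
    parser = LinkRevealer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.mismatches

if __name__ == "__main__":
    body, bad = to_plaintext(SAMPLE_HTML)
    print(body)
    print("mismatched links:", bad)
```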

Beware of URL spoofs that take advantage of International Domain Name (IDN) system weaknesses
This is a new and dangerous variety of URL spoofing that relies on IDN system weaknesses to render bogus URLs that appear to be legitimate, even when using SSL. It creates URLs using international characters that look like conventional Roman or Latin characters. To demonstrate this problem, Secunia's Eric Johanson conducted a proof-of-concept exploit where the URL http://www.paypal.com was invisibly redirected to http://www.xn--pypal-4ve.com. This is called a homograph attack, in which an attacker or phisher spoofs the domain and URLs of businesses. There is no easy way to detect or work around such attacks at this time.

Homograph attacks will only work in browsers configured to support internationalized domain names. Internet Explorer does not support such domains by default, but Mozilla and Firefox do. To disable this feature in Mozilla-based browsers, go to about:config and set network.enableIDN to "false." However, until the IDN system can be hardened against spoofing, your best defense is to spread word about spoofs as quickly as possible to avoid being taken by them.
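For mail gateways or proxy logs, a lookalike host can be flagged by decoding each Punycode label and checking which scripts its letters come from. The following is an added example, not part of the original tip; the function names are illustrative, the script check is a heuristic based on Unicode character names, and the input is the hostname quoted above.

```python
import unicodedata
from urllib.parse import urlsplit

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' labels are Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts_in(text):
    """Heuristic: take each letter's script from the first word of its Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}

def check_url(url):
    """Return (label, decoded label, scripts) for every host label with non-Latin letters."""
    host = urlsplit(url).hostname or ""
    findings = []
    for label in host.split("."):
        try:
            decoded = decode_label(label)
        except UnicodeError:
            # A malformed xn-- label is itself worth a second look.
            findings.append((label, None, {"UNDECODABLE"}))
            continue
        scripts = scripts_in(decoded)
        if scripts - {"LATIN"}:
            findings.append((label, decoded, scripts))
    return findings

def is_mixed_script(finding):
    """True when one label combines letters from more than one script."""
    return len(finding[2]) > 1

if __name__ == "__main__":
    for url in ("http://www.paypal.com", "http://www.xn--pypal-4ve.com"):
        hits = check_url(url)
        print(url, "->", hits if hits else "all labels are Latin-only")
        for hit in hits:
            print("  mixed-script label:", is_mixed_script(hit))
```

A label that mixes Latin and Cyrillic letters, as this one does, is a much stronger signal than a label written entirely in one non-Latin script, which is what a legitimate internationalized name usually looks like.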

Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.

