In my previous tip, I offered some tricks to help you and your users identify URL spoofing scams -- but user education can only go so far. Today I'll discuss steps you can take to help lock down Windows systems.
Use browser-based features when available
As spoofing becomes more common, newer Web browsers are being programmed to identify such scams. For example, Mozilla's Firefox 1.0.1 can detect when certain tactics are being employed (i.e. site redirection that falsely claims to be SSL-protected). It then warns the user accordingly. Consider this another reason to dump Internet Explorer. Also be mindful of third-party plug-ins like CoreStreet's SpoofStick, which can also help protect you from spoofing scams.
Set up a spoof@ e-mail address where potential spoof messages can be sent and analyzed
An overwhelming number of spoof e-mails forced both eBay and PayPal to set up spoof@ addresses where people can forward the scams as attachments. Each company's security team analyzes the URLs and routing information in each e-mail to quickly identify and shut down offenders. If you create such an e-mail account, you should assign someone to monitor it continually to keep up with your volume of spoofed traffic.
Enforce reverse DNS authorization if possible
Reverse DNS authorization insures that a given piece of e-mail is indeed coming from the professed sender's domain. Unfortunately, not all ISPs consistently support reverse DNS authorization, which means that a perfectly legitimate e-mail may bounce.
Accept and send only plaintext e-mails
This fairly radical maneuver is a great way to expose spoof URLs. All hyperlinks are displayed in plaintext-only format. A bogus link will be obvious. How to enforce such a policy on inboound e-mail depends on your mail setup. For Exchange, you can use a third-party product called Aloaha.
If you have to send automated e-mails from your domain, you may also be wise to send plaintext-only e-mails and educate recipients about your decision. Make it clear that if anyone receives non-plaintext e-mail from your domain, URLs in that e-mail may be spoofed. If there's no pressing need to send HTML e-mails from your domain, it's better not to do so.
Beware of URL spoofs that take advantage of International Domain Name (IDN) system weaknesses
This is a new and dangerous variety of URL spoofing that relies on IDN system weaknesses to render bogus URLs that appear to be legitimate, even when using SSL. It creates URLs using international characters that look like conventional Roman or Latin characters. To demonstrate this problem, Secunia's Eric Johanson conducted a proof-of-concept exploit where the URL http://www.paypal.com was invisibly redirected to http://www.xn--pypal-4ve.com. This is called a homograph attack, in which an attacker or phisher spoofs the domain and URLs of businesses. There is no easy way to detect or work around such attacks at this time.
Homograph attacks will only work in browsers configured to support internationalized domain names. Internet Explorer does not support such domains by default, but Mozilla and Firefox do. To disable this feature in Mozilla-based browsers, go to about:config and set network.enableIDN to "false." However, until the IDN system can be hardened against spoofing, your best defense is to spread word about spoofs as quickly as possible to avoid being taken by them.
Serdar Yegulalp is the editor of the Windows 2000 Power Users Newsletter.
More Information from SearchWindowsSecurity.com
Also visit our sister site SearchExchange.com for additional coverage of e-mail security issues.
This was first published in March 2005