Visual Spoofing And The Art of The Sting

Here’s a potential scam that raises the bar — and alarum bells — for everyone. It’s already got a name: Visual Spoofing.

It works like this (I think): Instead of ne’er-do-wells concealing addresses to make you think you’re at a legit website (say your bank, or PayPal) rather than at their sleazy password-grabbing site — what’s called phishing — why not just fake everything? And I mean everything?

The guy who developed this idea is called Don Park, and he’s posted a demo on his website to show what phishers could do. Basically a window pops up which looks like a PayPal site — much as a normal scam might — but which looks more authentic, because the website address looks solid, because there’s a lock in the bottom right hand corner to suggest it’s secure, and because all the main bits of it are actually fake. They are images of locks, images of website addresses (or at least, the box that contains the text is). It’s like a mirage, or a Potemkin Village, or a website. Nothing of what you see is real.

Don puts it like this: “Most of the readers who saw the demo thought of it as a hole in the browser code. Yes, there is a hole in the browser, one that allows scripts to hide and replace key UI components such as the toolbar used to display the URL of the page and the statusbar used to display the golden lock. But there is also a hole in our brain…”

He goes on: “You see, the computer screen you are seeing this post with is actually showing just a rectangular array of pixels. There is no such thing as windows or buttons. Instead, there are pixel patterns we call windows or buttons. It is us, the users, who associate the idea of windows and buttons to those patterns of pixels.”
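The mechanism Don describes has two ingredients that can be looked for on the content side: a script that opens a window with the real address bar and status bar switched off, and images standing in where those pieces of browser chrome would be. The following is an added example for this post, not Don Park's demo or any code from the original page; the regexes, the scoring threshold and the two sample pages are constructed assumptions, and a production scanner would parse the DOM rather than pattern-match the markup.

```python
"""Heuristic content check for the 'hidden browser chrome' trick described in the post:
a window.open call that disables the real toolbar/location/status bar, and <img>
elements whose name suggests they imitate a lock, address bar or status bar.

Added example, not code from the original page or from Don Park's demo. The
patterns and the two sample pages are constructed assumptions for illustration."""
import re
from typing import Dict, List

# window.open(...) with everything between the parentheses captured, e.g.
# window.open(url, name, "toolbar=no,location=no,...")
OPEN_CALL = re.compile(r"window\.open\s*\(([^)]*)\)", re.IGNORECASE | re.DOTALL)

# Browser chrome features being switched off inside that feature string.
FEATURE_OFF = re.compile(
    r"\b(location|toolbar|status|menubar)\s*=\s*(?:no|0|false)\b", re.IGNORECASE
)

# <img> whose src or alt hints that it stands in for a piece of browser chrome.
CHROME_IMAGE = re.compile(
    r"<img[^>]+(?:src|alt)\s*=\s*[\"'][^\"']*(lock|address|urlbar|toolbar|statusbar)[^\"']*[\"']",
    re.IGNORECASE,
)


def find_hidden_chrome(markup: str) -> List[Dict[str, object]]:
    """Return one finding per window.open call that hides chrome and one per chrome-like image."""
    findings: List[Dict[str, object]] = []
    for call in OPEN_CALL.finditer(markup):
        disabled = sorted({m.group(1).lower() for m in FEATURE_OFF.finditer(call.group(1))})
        if disabled:
            findings.append({
                "kind": "window.open hides chrome",
                "disabled": disabled,
                "snippet": call.group(0)[:80],
            })
    for img in CHROME_IMAGE.finditer(markup):
        findings.append({
            "kind": "image imitating chrome",
            "hint": img.group(1).lower(),
            "snippet": img.group(0)[:80],
        })
    return findings


def is_suspicious(markup: str) -> bool:
    """Flag a page that hides the real chrome, or that carries two or more chrome-like images.

    The threshold is an assumption chosen for this example, not a published rule."""
    findings = find_hidden_chrome(markup)
    hides_chrome = any(f["kind"] == "window.open hides chrome" for f in findings)
    fake_images = sum(1 for f in findings if f["kind"] == "image imitating chrome")
    return hides_chrome or fake_images >= 2


# Constructed sample: a popup with the real bars switched off and pictures in their place.
SUSPICIOUS_PAGE = """
<script>
  window.open("login.html", "pay", "toolbar=no,location=no,status=no,width=600,height=400");
</script>
<img src="images/golden_lock.gif" alt="secure">
<img src="images/fake_urlbar.png" alt="address bar">
"""

# Constructed sample: an ordinary page that links out and shows a logo.
BENIGN_PAGE = """
<a href="https://example.com/login">Log in</a>
<img src="images/logo.png" alt="Example Corp">
"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, is_suspicious(page), find_hidden_chrome(page))
```

Run as a script it prints the verdict and findings for both samples. The direct mitigation sits in the browser rather than in a scanner: current browsers keep the address bar visible in any window a page opens, so this check is mainly useful over archived landing pages or pages linked from suspicious mail. The image test is deliberately fuzzy (a logo file named padlock.png trips it), which is why a single chrome-like image on its own does not flag the page.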

It’s a scary proposition. It’s like the fake betting shop in The Sting, or any number of movies (The Recruit, Mission Impossible) where the mark is convinced that what he is seeing, the place he is in, is real. What Don has shown us is that because we look for familiar things on a webpage — a URL bar, a status bar at the bottom, forward and back buttons — we feel comfortable when we see them. Only they’re not real. As Daniel McNamara of Code Fish put it to me: “Nothing is being exploited other than the human mind.”

It’s only a matter of time before real bad people, as opposed to the good guys, start to play around with this. Daniel again: Now that Microsoft has plugged one of the main holes that phishers used — hiding website addresses at the end of strings of gobbledygook — “this may be the new evolution stage of phishers”.

13. February 2004 by jeremy
Categories: Scams | 2 comments

Comments (2)

  1. Watched this happen on a different level of Visual Spoofing. Complete new URL freenokia.com or something along those lines. All links went to actual Nokia site and they offered free phone… with a credit card for shipping and tax of course. The only thing that tipped me off was the too good to be true nature and the layout was slightly off. Called Nokia USA and they had no such promotion and wanted nothing to do with the fraudulent site… until I told them the disclaimer listed Nokia USA and their actual URLs and contact info. They took down the info right away. I still didn’t get a free phone.