We have all heard of con games. The prefix 'con' is from the word 'convince'. To con someone, one has to create an environment in which the victim is convinced to the point of ignoring the dangers of the situation. It happens in the physical world all the time; think about it the next time you go to an ATM. In a shop or a department store, communication and interaction have given us a sense of recognition, and we simply judge whether or not to trust. The situation is much more complicated in cyberspace.

The term 'Web spoofing' is given to the online con game. Using Internet technology, the adversary creates a misleading environment in which you quite trustingly hand the con artist sensitive information such as login codes, passwords, and credit card details.

It begins with the adversary setting up a bogus site that passes for the merchant's website. This could be done with Domain Name Service (DNS) spoofing, or the bogus site could obtain a search engine listing that provides a link seemingly to the merchant's site. The user clicks the link believing that he is going to the merchant's site. In one scenario, traffic is actually passed on to the merchant's site by the bogus server, and the merchant's response comes back to the user via the bogus site. In another scenario, traffic stops at the bogus site and the response comes back to the user from the adversary. In either case, the user's privacy is compromised, and the user may pass on sensitive information that the adversary can exploit.
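As an added illustration (not part of the original text), here is a small defensive check in Python for the step where the user clicks a link believing it leads to the merchant: given the merchant domain the user expects, it extracts the host a browser would actually connect to and flags links whose host is a different site, including ones that merely embed the merchant's name. The domain names and sample links are constructed for this example.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit


def hostname_of(url: str) -> Optional[str]:
    """Return the host a browser would actually connect to, or None for non-http(s) links.

    urlsplit discards userinfo, so 'https://merchant.example@bogus.test/' yields 'bogus.test'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return None
    host = (parts.hostname or "").lower().rstrip(".")
    return host or None


def is_same_site(host: str, merchant: str) -> bool:
    """True if host is the merchant domain itself or one of its subdomains."""
    merchant = merchant.lower().rstrip(".")
    return host == merchant or host.endswith("." + merchant)


def check_link(href: str, expected_merchant: str) -> Tuple[bool, str]:
    """Decide whether a link really goes to the merchant the user expects."""
    host = hostname_of(href)
    if host is None:
        return False, "not an http(s) URL"
    if is_same_site(host, expected_merchant):
        return True, "host matches merchant"
    # The merchant's name used as a decoy inside a foreign domain,
    # e.g. merchant.example.bogus.test or merchant-example.test
    label = expected_merchant.lower().split(".")[0]
    if label in host:
        return False, "merchant name appears inside foreign host " + host
    return False, "host " + host + " is not " + expected_merchant


if __name__ == "__main__":
    # Constructed sample links; merchant.example is the site the user expects.
    samples = [
        "https://www.merchant.example/checkout",
        "https://merchant.example@bogus.test/login",
        "http://merchant.example.bogus.test/",
        "https://other.test/merchant.example/login",
    ]
    for link in samples:
        ok, why = check_link(link, "merchant.example")
        print(("OK  " if ok else "WARN") + "  " + link + "  (" + why + ")")
```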