Web Attacks Targeting Users
- They break attacks on users into two categories: those meant to deceive and those meant to harm.
- False or misleading websites
- Detecting fakes of anything is difficult.
- And the internet is no exception.
- My favorite is This Paper
- Studied pro-, anti- and neutral vaccine tweets.
- They detected bots and trolls.
- Bots: accounts that automate content promotions.
- Trolls: Individuals who misrepresent their identities with the intent of promoting discord.
- They looked at 1.8 million tweets from July 2014 until September 2017
- Attempting to quantify the impact of known or suspected bots and trolls.
- They found that known Russian bots were much more likely to be "stirring the pot", posting both pro- and anti-vax messages.
- Other spambots were 75% more likely to post anti-vax messages.
- And in general they intended to heighten social tensions.
- Defaced Web Sites
- Anything from "Kilroy was here" to a full replacement.
- Or a spoof to obtain usernames and passwords.
- Fake Websites
- Particularly easy, because all of a site's images must be publicly available.
- And the fake can even link to the real site.
- Fake products containing malware
- Mitigation
- Checksums
- This is a "hash" computation on the code.
- The result is, with high probability, unique to that code.
- md5sum
- You can do some level of system verification:
- Compute this hash on all software when it is installed.
- Store these hashes offline
- Regularly rehash the entire system and check to see that the hash sums are correct.
- But this will not work on dynamic content.
- And this is probably/possibly not practical.
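The install-time hashing and periodic re-check outlined above, written out as an added example (not part of these notes). It uses SHA-256 rather than the md5sum mentioned above, since MD5 collisions are well known, and adds an `ignore` set for the dynamic-content problem the notes raise; all file names and contents are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_baseline(root, ignore=()):
    """Map relative path -> digest for every regular file under root (install-time step)."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and str(p.relative_to(root)) not in ignore}

def save_baseline(baseline, out_path):
    """Write the baseline as JSON; keep this copy offline or read-only, not on the checked host."""
    Path(out_path).write_text(json.dumps(baseline, indent=2, sort_keys=True))

def verify(root, baseline, ignore=()):
    """Rehash the tree and diff it against the stored baseline (the periodic check)."""
    baseline = {k: v for k, v in baseline.items() if k not in ignore}
    current = build_baseline(root, ignore)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }

def demo():
    """Constructed scenario: baseline three files, change the tree, re-verify with and without ignore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "opt_app"
        root.mkdir()
        (root / "app").write_bytes(b"constructed binary v1\n")
        (root / "lib.so").write_bytes(b"constructed library\n")
        (root / "cache.log").write_bytes(b"run 1\n")  # legitimately dynamic content
        baseline = build_baseline(root)
        (root / "app").write_bytes(b"constructed binary, altered\n")  # unexpected change
        (root / "lib.so").unlink()                                     # file removed
        (root / "extra").write_bytes(b"unexpected new file\n")         # file added
        (root / "cache.log").write_bytes(b"run 2\n")                   # noise: changes every run
        noisy = verify(root, baseline)                     # flags cache.log too
        quiet = verify(root, baseline, ignore={"cache.log"})
        return noisy, quiet
```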
- Signatures
- A precomputed value that must match for the software to be valid.
- Example: GPG signature
- The signer uses a private key to "sign" the software
- A user employs the signer's public key to verify the signature.
- PuTTY provides signatures for its executable code.
- But public/private keys are easy to obtain.
- And checking only verifies that the signature matches a valid certificate.
- I.e., the bad guys can have a certificate of their own and have you authenticate against that certificate.
- Malicious Content
- Substitute content on a real web site.
- Link to something that looks official
- They give the example of Adobe.
- Web Bug
- Also called web beacon
- Have a page fetch a single-pixel image to display.
- This gives another site (i.e., an advertiser) knowledge that the page was loaded.
- They can be used to track the user as they move from site to site.
- They are used in conjunction with cookies.
- They can also be used in email (reporting when the image is loaded).
- These have apparently gone way beyond just an image: style, frame, script, embed, ...
- The World Wide Web Consortium has an API for this.
- I don't think that this belongs in this section, but...
- Clickjacking
- This is a technique where the web page programmer causes a confirmation message to be hidden by something else.
- An authentication service pops up a "Do you want to " dialog box in a known location.
- The attacker covers this with something else that
- Requests a click.
- But does not receive the click.
- The click gets passed on to the item that is being hidden.
- This is not traceable.
- And the user has agreed, or authenticated.
- This was made possible by the "frame" construct in earlier versions of HTML.
- Drive-By Download
- You are tricked into clicking on a link which installs software.
- Trick you into thinking you have an error on a page: "click here to reload."
- Hack a valid web page and add a link.
- Protecting against Malicious Web Pages
- Use an OS that requires administrative privileges to install software.
- This will keep things somewhat isolated to the user's account.
- Make sure you use modern practices on your web pages.
- User vigilance and training.