Website Spoofing: Using Setoolkit

From Embedded Lab Vienna for IoT & Security

Summary

Website spoofing is when a legitimate website is replicated to trick users into thinking it is the real one. When they then enter, for example, their username and password or other sensitive information, the attacker obtains this information and can use it to their advantage.


URL Spoofing

A website’s URL gets altered, typically in a way that the user doesn’t immediately notice. There are several common methods for this:


Homograph Attack or IDN (Internationalized Domain Name)

This method uses visually similar characters from different scripts (e.g. Latin and Cyrillic) so that the fake URL looks like the real one.


Example:

Real website with Latin a: https://www.amazon.at

Fake website with Cyrillic а: https://www.аmazon.at


Typosquatting

This method uses common misspellings of legitimate website names that aren't easily recognisable.


Example:

Real website with 2 o's: https://www.google.com

Fake website with 3 o's: https://www.gooogle.com


Another way is to change the domain ending (the top-level domain) to a wrong one.
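Hostnames taken from proxy or DNS logs can be checked against the three tricks described above (homographs, misspellings and changed domain endings). The following Python code is an added example, not part of the original wiki page; the allow-list, the small confusables table and all function names are assumptions made for illustration.

```python
"""Classify hostnames as look-alikes of domains you want to protect."""

# Constructed allow-list for this example; replace with your own domains.
KNOWN = {"amazon.at", "google.com"}

# Hand-picked subset of Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o",
                             "\u0440": "p", "\u0441": "c", "\u0445": "x"})

def normalise(host):
    """Lower-case, strip 'www.' and a trailing dot, decode xn-- labels."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label unchanged
        labels.append(label)
    return ".".join(labels)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return (verdict, domain it imitates or None)."""
    name = normalise(host)
    if name in KNOWN:
        return ("known", name)
    skeleton = name.translate(CONFUSABLES)  # fold look-alike letters to Latin
    if skeleton != name and skeleton in KNOWN:
        return ("homograph", skeleton)
    for good in sorted(KNOWN):
        if skeleton.rsplit(".", 1)[0] == good.rsplit(".", 1)[0]:
            return ("tld-swap", good)
        if edit_distance(skeleton, good) <= 1:
            return ("typosquat", good)
    return ("unlisted", None)
```

Logs usually record internationalized names in their `xn--` (punycode) form, which is why `normalise` decodes those labels before comparing.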


Usage

For replicating a website and creating a fake one you can use the tool SET (The Social Engineering Toolkit). "It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering." [1]


Step 1

Install

sudo apt install set


Step 2

Start setoolkit:

sudo setoolkit

This is what the interface looks like:

Setoolkit1.png


Step 3

Select the right options. In this case we select the appropriate options for website spoofing and for obtaining credential data.

Setoolkit2.png

Setoolkit3 old.png

Setoolkit4.png

Setoolkit5.png


Step 4

Set the parameters: the IP address and the URL (for example, the login website you want to spoof). Set the IP address to one in the same network as your computer, so that you can access the website from outside the virtual machine. (The proposed IP address would also work; to use it, just press Enter.)

Setoolkit6.png


Step 5

Access the fake website. When you enter the IP address in your browser, the fake website will appear.

Setoolkit7.png


Step 6

Now you will be able to see the data that was entered on the fake website.

Setoolkit8.png


Another example where this works would be Spotify:

Setoolkit9.png


References