If you're familiar with phishing scams and how to protect yourself from them, you definitely know the scam-protection rule "Always check for bogus web or email addresses." But a recently disclosed proof-of-concept exploit for Apple's Safari browser would make it easy for scammers to spoof legitimate addresses in the address bar itself, increasing the odds that even scam-savvy Safari users would fall for a phishing scam.

In modern online-scam terms, "phishing" and "spoofing" refer to two different kinds of impersonation. In a phishing scam, the scammer impersonates some legitimate business or institution in the hope of tricking you into installing malware on your device, or into handing over whatever money or information you might give the actual company or organization being impersonated. Usually, such phishing attempts are easy to detect by simply looking at the email or web addresses involved.

Consider this phishing-bait email I got last December, from a scammer impersonating FedEx and claiming to have a package for me (which I'd receive just as soon as I paid 'em a hefty “security fee” in the form of an untraceable, non-refundable wire transfer — yet another warning sign of a phishing scam). But that email obviously wasn't sent from an @fedex address; instead, the scammer had a FedEx@webmail free-email account. It was a bad, blatant attempt at phishing for money, but there wasn't any spoofing involved.

Spoofing vs. phishing

Spoofing describes another form of impersonation, one that is usually harder to pull off convincingly than plain phishing. With spoofing, the scammer hides the real email or web address and makes it look like a legitimate one. If that cheesy FedEx phishing scammer from last Christmas had also been a spoofer, I actually would've seen an @fedex address in the email's "From" line, even though the message had not been sent from any FedEx corporate email account. (Strictly speaking, putting any address you like in a "From" line is trivial; what takes real effort is getting such a message past the receiving mail server's SPF, DKIM and DMARC checks, or, for a website, making the browser's own address bar lie.)

Phishing and spoofing make a potent combination. Suppose, for example, you get a phishing message allegedly from your bank, claiming (falsely) that there's a problem with your account, so you need to click on this link here to visit the bank's website, login and fix the problem.

Hopefully you wouldn't do this, because you also know the anti-phishing rule "Never click on a link or download an attachment in an unsolicited email." But suppose you don't know this, so you click the link anyway. You might be taken to a website which, at first glance, looks an awful lot like your bank's real online-banking login page, where you'll be asked to type in your account number, password, and whatever else an identity thief needs to access your account and empty it out.

Usually, even if you're credulous enough to click on that phishing link, there's still a chance you'll notice a problem before you type your login credentials into the scammer's website: look at the web address in your browser. In many phishing scams, you'll see that the actual web address is not your bank's at all, but something completely different.

Unless the phisher also knows how to spoof the address, in which case that scammy phishing website really will show your bank's address in the browser bar, even though your bank has nothing to do with it. And if that's the case, the chances of a would-be victim falling for the spoofer's phishing scam get a lot higher.

Latest exploit

Which brings us to that recently disclosed Safari exploit. Ars Technica reported yesterday that white-hat researchers found a weakness in Safari that makes it easy to spoof the address shown for a website visited in Safari. To demonstrate it, a page whose content actually came from the researchers' own site displayed the address of a British tabloid in the browser bar. In case anyone missed the point, a bold-print headline across the top of the fake newspaper page spelled it out: the address bar shows the tabloid's address, and this is NOT the tabloid's site.

This particular exploit is not perfect; Ars Technica noted that:

On the iPad Mini Ars tested, the address bar periodically refreshed the address as the page appeared to reload. The behavior might tip off more savvy users that something is amiss. Still, many users would surely fail to spot the unusual refresh. What's more, the refresh behavior wasn't observed on a MacBook Pro Ars also tested.

So far the Safari bug is only a proof of concept: security researchers demonstrated the vulnerability, but as far as anybody knows, it has not yet been used by actual scammers to spoof websites and defraud Safari users. Then again, until yesterday it's not likely any would-be scammers knew about it, either.
