Web Spoofing is a security attack that allows an adversary to observe and
modify all web pages sent to the victim's machine, and observe all
information entered into forms by the victim. Web Spoofing works on both
of the major browsers and is not prevented by "secure" connections.
The attacker can observe and modify all web pages and form submissions, even
when the browser's "secure connection" indicator is lit. The user sees
no indication that anything is wrong.

The attack is implemented using JavaScript and Web server plug-ins, and
works in two parts. First, the attacker causes a browser window
to be created on the victim's machine, with some of the normal status and menu
information replaced by identical-looking components supplied by the attacker.
Then, the attacker causes all Web pages destined for the victim's machine to
be routed through the attacker's server. On the attacker's server, the pages
are rewritten in such a way that their appearance does not change at all, but
any actions taken by the victim (such as clicking on a link) would be logged
by the attacker. In addition, any attempt by the victim to load a new page
would cause the newly-loaded page to be routed through the attacker's server,
so the attack would continue on the new page.

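The rewriting step described above has a visible side effect a defender can look for: a page that really comes from one site ends up with links and form actions that point at a different host and carry the original site's URL inside their path or query. The following Python snippet is an added example for this page, not code from the original paper or its demonstration. It parses a page's anchors and forms and flags any link that has been rerouted in that way. The sample page, the hosts bank.example and relay.invalid, and the function names are all constructed for illustration; the check is a heuristic, since a rewriting server is not obliged to embed the original URL in a recognisable form.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote


class _LinkCollector(HTMLParser):
    """Collect href/action targets from <a> and <form> tags."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "form"):
            for name, value in attrs:
                if name in ("href", "action") and value:
                    self.links.append(value)


def embedded_absolute_url(url):
    """Return an absolute http(s) URL hidden inside url's path or query, or None.

    A rerouted link such as http://relay/http://site/page or
    http://relay/fetch?u=https%3A%2F%2Fsite%2Fpage carries the real
    destination after the relay host; we look for it after percent-decoding.
    """
    parts = urlsplit(url)
    for piece in (parts.path, parts.query):
        text = unquote(piece)
        for scheme in ("http://", "https://"):
            idx = text.find(scheme)
            if idx != -1:
                return text[idx:]
    return None


def find_rerouted_links(page_html, expected_host):
    """Return [(link, embedded_target), ...] for links routed via another host.

    Relative links and links whose host matches expected_host are left alone;
    a link to some other host is reported only when it embeds an absolute URL,
    which is the signature of a page whose links were rewritten in transit.
    """
    collector = _LinkCollector()
    collector.feed(page_html)
    findings = []
    for link in collector.links:
        host = urlsplit(link).hostname
        if host is None or host == expected_host:
            continue
        target = embedded_absolute_url(link)
        if target is not None:
            findings.append((link, target))
    return findings


# Constructed sample: a page that should come from bank.example, with two of
# its four navigation targets rewritten to pass through relay.invalid.
SAMPLE_PAGE = """
<html><body>
<a href="/account">Account</a>
<a href="https://bank.example/transfer">Transfer</a>
<a href="http://relay.invalid/http://bank.example/login">Login</a>
<form action="http://relay.invalid/fetch?u=https%3A%2F%2Fbank.example%2Fsubmit"
      method="post"></form>
</body></html>
"""

if __name__ == "__main__":
    for link, target in find_rerouted_links(SAMPLE_PAGE, "bank.example"):
        print(f"rerouted: {link}  ->  really {target}")
```

Running the block reports the login link and the form action, and ignores the relative and same-origin links. In practice the expected host would come from the URL the user intended to visit, which is exactly the piece of information the attack tries to hide from the user, so this kind of check belongs in tooling that sees the real request rather than in the spoofed window.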
The attack is initiated when the victim visits a malicious Web page, or
receives a malicious email message (if the victim uses an HTML-enabled
email reader).

We have implemented a demonstration of the Web Spoofing attack and have
shown the demo live at the Internet World conference and on MSNBC television.
Although the implementation is not trivial, it is well within the means of a
single dedicated programmer.

Current browsers do not prevent Web Spoofing, and there seems to be little
movement in the direction of addressing this problem. We believe that
there can be no secure electronic commerce on the Web until the Web Spoofing
vulnerability has been addressed.

Many false claims have been made about Web Spoofing, and some people who
make public statements about Web Spoofing do not understand the full scope
of the problem. If you want to understand Web Spoofing, please read our paper
on the topic. We worked hard to make it accessible to non-experts.

For more information, see our publications on this topic.