The term “spoofing” might have a comic implication in some contexts, but it’s no joke when it comes to information security. In fact, this is a subject matter of a whole separate chapter in a seasoned cybercriminal’s handbook. It comprises a multitude of techniques aimed at camouflaging a malicious actor or device as somebody or something else. The goal is to feign trust, gain a foothold in a system, get hold of data, pilfer money, or distribute predatory software.
What can black hats try to forge to make their attacks pan out? A ton of things: an IP address, a phone number, a web page, a login form, an email address, a text message, a GPS location, one’s face – you name it. Some of these hoaxes piggyback on human gullibility, while others cash in on hardware or software flaws. Out of all the nefarious scenarios that fit the mold of a spoofing attack, the following types are increasingly impactful for enterprises today.
Email Spoofing
This is the most common type of spoofing attack, in which the victim is targeted through email. The sender appears to be a trusted source, with an email address that closely resembles the genuine one. Spoofed emails can be used to distribute anything from adware and ransomware to Trojans, cryptojackers and other malware. While most users have become discerning enough to spot an obviously false sender address, spoofed emails now increasingly rely on several deceptive strategies at once. These include closely mimicking a known email domain or address with only a slight alteration, and including trusted, familiar branding such as logos and iconography. More targeted spoofed emails may use familiar messaging and be addressed to a single individual or a small group.
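One defender-side check for the "slightly altered domain" trick described above, as an added example that is not part of the original article: it folds common look-alike characters and measures edit distance between the sender's registrable label and each trusted domain. The trusted domain `example.com` and all sender addresses are constructed sample values.

```python
"""Flag sender domains that imitate a trusted domain (lookalike detection)."""
import re

# Visual substitutions commonly used to imitate a legitimate domain name.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def normalize(label: str) -> str:
    """Lower-case a domain label and fold look-alike character sequences."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one- or two-character swaps and drops."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@host>' or plain 'user@host'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not m:
        raise ValueError(f"no domain in sender address: {address!r}")
    return m.group(1).lower()

def classify_sender(address: str, trusted_domains, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender address."""
    domain = sender_domain(address)
    if domain in trusted_domains or any(domain.endswith("." + t) for t in trusted_domains):
        return "trusted"            # exact match or a genuine sub-domain
    for t in trusted_domains:
        if domain.startswith(t + "."):
            return "lookalike"      # e.g. example.com.evil.net (constructed sample)
        # Compare the registrable label only: "examp1e" against "example".
        d_label = domain.split(".")[-2] if "." in domain else domain
        t_label = t.split(".")[-2] if "." in t else t
        if edit_distance(normalize(d_label), normalize(t_label)) <= max_distance:
            return "lookalike"
    return "unrelated"
```

A "lookalike" verdict is a signal for quarantine or review, not proof of fraud; legitimate partners sometimes own near-identical names.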
Website Spoofing
This is also a highly prevalent form of spoofing attack, usually used in tandem with spoofed emails containing links to the fake site. Website spoofing involves building a site that closely resembles a trusted or even well-known website. Most spoofed websites contain a login page where victims are prompted to enter their credentials or other sensitive information. Spoofed websites can also be used to distribute malware. Website spoofing can have grave consequences for the data privacy and integrity of any business. IT Support Vermont has extensive resources on how to combat website spoofing.
ARP Spoofing
The Address Resolution Protocol (ARP) maps IP addresses to the physical (MAC) addresses of devices on a local network. ARP spoofing involves forging these mappings so that traffic meant for a legitimate address is delivered to the attacker, bypassing security protocols including antivirus software. ARP spoofing enables malicious actors to associate their own computers with a legitimate user’s IP address. If that user happens to be an employee of an organization, the malicious actors can gain entry into the network once they get hold of the user’s login credentials. The network’s security mechanisms are unable to tell the difference because the connection appears legitimate.
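The forged mappings described above leave a footprint that a monitor can catch: an IP whose MAC suddenly changes, one MAC answering for several IPs, or a reply that contradicts a known-good entry such as the gateway. The detector below is an added example, not code from the original article; the ARP reply lines and the gateway mapping are constructed samples in a tcpdump-like text form.

```python
"""Detect ARP spoofing indicators in a stream of observed ARP replies."""
import re
from collections import defaultdict

# Constructed sample of observed ARP replies (tcpdump-style text, not a real capture).
SAMPLE_REPLIES = """\
10:00:01 Reply 192.168.1.1 is-at 00:11:22:33:44:55
10:00:02 Reply 192.168.1.20 is-at 00:11:22:33:44:66
10:00:05 Reply 192.168.1.1 is-at de:ad:be:ef:00:01
10:00:06 Reply 192.168.1.20 is-at de:ad:be:ef:00:01
10:00:07 Reply 192.168.1.30 is-at 00:11:22:33:44:77
"""

REPLY_RE = re.compile(r"^(\S+) Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})$", re.I)

def parse_replies(text):
    """Yield (time, ip, mac) for each well-formed ARP reply line; skip the rest."""
    for line in text.splitlines():
        m = REPLY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def detect_arp_spoofing(text, known=None):
    """Return alerts for IPs whose MAC changed, MACs claiming several IPs,
    and replies that contradict a known-good table (e.g. the gateway)."""
    known = {ip: mac.lower() for ip, mac in (known or {}).items()}
    seen = {}                      # ip -> first MAC observed for it
    claims = defaultdict(set)      # mac -> IPs it has answered for
    alerts = []
    for ts, ip, mac in parse_replies(text):
        if ip in known and mac != known[ip]:
            alerts.append((ts, "known-mapping-violation", ip, mac))
        if ip in seen and seen[ip] != mac:
            alerts.append((ts, "mac-changed", ip, f"{seen[ip]} -> {mac}"))
        seen.setdefault(ip, mac)
        claims[mac].add(ip)
        if len(claims[mac]) > 1:
            alerts.append((ts, "multi-ip-claim", mac, ", ".join(sorted(claims[mac]))))
    return alerts

if __name__ == "__main__":
    # Constructed known-good entry for the gateway on this sample LAN.
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, known={"192.168.1.1": "00:11:22:33:44:55"}):
        print(alert)
```

A MAC change is not always an attack (hardware replacement, DHCP reassignment), so a known-good table for critical hosts such as the gateway is what turns the signal into a confident alert.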
MAC Spoofing
Malicious actors can use vulnerabilities in hardware drivers to modify, or spoof, the MAC (Media Access Control) address of a device. This lets the attacker’s device appear to belong to the target network, bypassing access restrictions that key on the MAC address. Essentially, MAC spoofing enables malicious actors to pose as trusted users to perpetrate fraud such as business email compromise (BEC), data compromise or theft, or the distribution of malware into a hitherto secure environment.
IP Spoofing
Used extensively for distributed denial of service (DDoS) attacks, IP spoofing is a pernicious technique that hampers the filtering of malicious traffic while hiding the attacker’s location. Since a device’s IP address is commonly used by security systems to verify a user’s location, malicious actors can leverage IP spoofing to conceal their identity and avoid detection even by sophisticated security systems.
DNS Cache Poisoning (DNS Spoofing)
The domain name system (DNS) translates the domain name a visitor types into the IP address of the server hosting the site, so users rely on this lookup to reach the website they actually want to visit. By introducing corrupt DNS records into a resolver’s cache, malicious actors can hijack a website’s name and redirect its visitors to a server they control. DNS spoofing is commonly used in conjunction with other types of cyber attack.
Caller ID Spoofing
Ever received a phone call that you thought was from a trusted source but turned out to be spam? Caller ID spoofing relies on exactly that: the phone call appears to come from a trusted source. Once you answer, the attacker can use social engineering tactics, such as posing as a member of your bank’s customer support team notifying you of a crisis. The agenda behind caller ID spoofing attacks generally involves eliciting sensitive information such as account details, credentials, Social Security numbers, and other financial information.
Text Message Spoofing
Similar to caller ID spoofing, text message spoofing involves attackers sending an SMS through somebody else’s phone number or sender ID. Essentially, the malicious actor hides their identity behind an alphanumeric sender ID so that the message appears to come from a trusted, legitimate organization or firm. Text message spoofing is often referred to as mobile spoofing.
Extension Spoofing
Windows hides file extensions by default. While this is done for the sake of a cleaner user experience, it can also fuel fraudulent activity and malware distribution. To disguise a harmful binary as a benign file, all it takes is a double extension. For instance, an item named Meeting.docx.exe will be displayed as Meeting.docx, looking just like a regular Word document, and will even have the right icon. It is actually an executable, though. The good news is that any mainstream security solution will alert the user whenever they try to open a file like that.
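The check below is an added example, not code from the original article: it reproduces what File Explorer shows when extensions are hidden and flags names whose real, final extension is executable while the visible part still ends in a document extension. The extension lists and the sample file names are constructed; extend the lists to fit your environment.

```python
"""Flag file names that hide an executable behind a document-looking extension."""
from pathlib import PurePath

# Constructed lists; both are deliberately short and should be extended per environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".js", ".vbs", ".ps1", ".msi", ".hta"}
DOCUMENT_EXTS = {".docx", ".doc", ".pdf", ".xlsx", ".pptx", ".txt", ".jpg", ".png"}

def displayed_name(filename: str) -> str:
    """Name as File Explorer shows it with 'File name extensions' unchecked:
    only the final extension is hidden, so 'Meeting.docx.exe' displays as 'Meeting.docx'."""
    p = PurePath(filename)
    return p.stem if p.suffix else p.name

def is_disguised_executable(filename: str) -> bool:
    """True when the real (last) extension is executable and the part the user
    sees still ends in a document extension."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False  # a single extension cannot hide anything
    return suffixes[-1] in EXECUTABLE_EXTS and suffixes[-2] in DOCUMENT_EXTS

def scan_names(filenames):
    """Return (visible name, actual name) pairs for every disguised executable."""
    return [(displayed_name(f), f) for f in filenames if is_disguised_executable(f)]

if __name__ == "__main__":
    # Constructed sample directory listing.
    for visible, actual in scan_names(["Meeting.docx.exe", "report.pdf", "setup.exe", "Invoice.PDF.scr"]):
        print(f"shown as {visible!r} but is really {actual!r}")
```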
GPS Spoofing
GPS spoofing enables hackers to appear to be at a particular location when they are really somewhere else. This kind of attack is widely used to conceal an attacker’s point of origin while carrying out more severe forms of cybercrime. It can also be used to manipulate vehicles that rely on GPS input, sending commuters to the wrong destinations.
Facial Spoofing
Facial recognition is at the core of numerous authentication systems today, and its reach is expanding quickly. Beyond unlocking electronic devices such as smartphones and laptops, one’s face may become a critical authentication factor for signing documents and approving wire transfers. Cybercriminals never miss a hype train like that, so they will certainly look for and exploit weak links in the face ID implementation chain. Unfortunately, this can be fairly easy to do. For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user. Scammers with enough resources and time on their hands can undoubtedly unearth and use similar imperfections.
How to Fend off Spoofing Attacks?
The following tips will help your organization minimize the risk of falling victim to a spoofing attack:
- Think of rebuilding your org chart. It is good when IT operations report to the CISO. Architecture, applications, management and strategy remain with the IT department, but having them report to the CISO helps ensure that their priorities remain security-focused.
- Benefit from penetration testing and red teaming. It’s hard to think of a more effective way for an organization to assess its security posture from the ground up. A professional pentester who thinks and acts like an attacker can help discover network vulnerabilities and give IT personnel actionable insights into what needs improvement and how to prioritize their work. At the same time, red teaming exercises ensure the security team’s ongoing preparedness to detect and resist new attacks.
- Get visibility across all platforms. Today, there is a wide spread of data coming from applications, cloud services, etc. The growing number of sources may impact the visibility of the CISO. To address any security issues, you should be able to monitor the cloud, mobile, and on-premise servers and have instant access to all of them in order to always be on the lookout for possible incidents and correlate all the activities.
- Say “No” to trust relationships. Many organizations boil their device authentication down to IP addresses alone. This approach is known as a trust relationship and, obviously, it can be exploited by scammers through an IP spoofing attack.
- Leverage packet filtering. This mechanism analyzes traffic packets as they traverse a network. It is a great countermeasure for IP spoofing because it identifies and blocks packets with invalid source address details: if a packet arrives from outside the network but carries an internal source address, it is automatically filtered out.
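The rule in the packet-filtering tip above, carried through as an added example that is not part of the original article: a small ingress/egress filter that drops packets whose source address cannot be valid on the interface they arrived on. It also applies the mirror-image egress rule (the BCP 38 principle of not emitting spoofed sources) and rejects bogon sources. The interface names, internal prefixes and packet samples are constructed assumptions.

```python
"""Ingress/egress source-address filter modelled on the anti-IP-spoofing rule."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on
    src: str     # claimed source address
    dst: str     # destination address

# Constructed topology: internal LAN on "lan0", "wan0" faces the Internet.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INTERNAL_IFACES = {"lan0"}
EXTERNAL_IFACE = "wan0"
# Sources that must never arrive on the wire: loopback, "this" network, link-local, multicast.
BOGON_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "0.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

def is_internal(ip) -> bool:
    """True when the address belongs to one of our internal prefixes."""
    return any(ip in net for net in INTERNAL_NETS)

def filter_packet(pkt: Packet) -> tuple:
    """Return ('ACCEPT' | 'DROP', reason) for one packet."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return "DROP", "malformed source address"
    if any(src in net for net in BOGON_NETS):
        return "DROP", "bogon source"
    if pkt.iface == EXTERNAL_IFACE and is_internal(src):
        # Ingress filtering: a packet from outside claiming an inside address is spoofed.
        return "DROP", "internal source on external interface"
    if pkt.iface in INTERNAL_IFACES and not is_internal(src):
        # Egress filtering: our own hosts must not emit packets with foreign sources.
        return "DROP", "non-internal source on internal interface"
    return "ACCEPT", "source plausible for interface"

if __name__ == "__main__":
    # Constructed sample traffic; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
    for p in (Packet("wan0", "10.1.2.3", "203.0.113.5"), Packet("wan0", "198.51.100.7", "10.1.2.3"),
              Packet("lan0", "10.1.2.3", "198.51.100.7"), Packet("lan0", "203.0.113.9", "198.51.100.7")):
        print(p, "->", filter_packet(p))
```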
- Use anti-spoofing software. Thankfully, there are different solutions that detect the common types of spoofing attacks, including ARP and IP spoofing. In addition to identifying such attempts, anti-spoofing software will stop them in their tracks.
Extra Precautions for Personnel
Keep in mind that the security of a network is as strong as its weakest link. Don’t let the human factor be that link. Investing in a security awareness training program is definitely worth the resources spent. It will help every employee understand their role in the organization’s digital well-being. Make sure your employees know the telltale signs of a spoofing attack and adhere to the following recommendations:
- Examine emails for typos and grammar errors. These inaccuracies in an email subject and body can be a giveaway in a phishing scenario.
- Look for a padlock icon next to a URL. Every trustworthy website has a valid SSL certificate, which means the owner’s identity has been verified by a third-party certification authority. If the padlock symbol is missing, it most likely indicates that the site is spoofed and you should immediately navigate away. The flip side of the matter is that there are workarounds allowing malefactors to get rogue security certificates, so you are better off performing some extra checks when in doubt.
- Refrain from clicking links in emails and social media. An email that instructs you to click an embedded link is potentially malicious. If you receive one, be sure to scrutinize the rest of the contents and double-check the sender’s name and address. Additionally, look up a few phrases from the message in a search engine – chances are that it’s part of an ongoing phishing campaign that has been reported by other users.
- Confirm suspicious requests in person. If you have received an email, supposedly from your boss or colleague, asking you to urgently complete a payment transaction, don’t hesitate to give that person a phone call and confirm that the request is real.
- Make file extensions visible. Windows hides extensions unless configured otherwise. To avoid the double extension trick, click the “View” tab in File Explorer and check the “File name extensions” box.