Cyber Attack Guide: Spoofing
Those of us who remember the days when the internet wasn’t quite as ubiquitous know just how much harder it was to talk to people on the other side of the globe.
We’ve been through a communication revolution which, unfortunately, has also brought an unwanted side effect: hordes of scammers trying to defraud us of our money, break our computers, or cause other damage.
In today’s cybersecurity guide, we’re going to talk about one of their favorite weapons – spoofing attacks.
The State of Cybersecurity
Unlike other threats like ransomware and DDoS, spoofing attacks don’t attract quite as many headlines. However, this doesn’t mean they’re not dangerous. They have played an essential role in pulling off some of the world’s worst cyber attacks, and they are a lot more common than you think.
In fact, a 2017 study conducted by researchers at the Center for Applied Internet Data Analysis (CAIDA) determined that, on average, there were about 30,000 spoofing attacks per day. This, mind you, concerns only IP spoofing and doesn’t include the numerous other types of attacks that fall under this category.
Spoofing attacks are extremely popular with cybercriminals, and when you find out how they work, you’ll see why.
What is Spoofing?
Spoofing in cyber security is a rather broad term that describes the act of impersonating a person or a computer system on the internet. Hackers sometimes use it to cover their tracks and avoid detection. More often than not, they want to trick you into thinking you’re communicating and interacting with someone you know.
By impersonating a trusted party, cybercriminals set the scene for further social engineering tricks. Spoofing plays an integral part in attacks aiming to deploy malware on your network, direct you to a deceptive phishing page, or steal your data.
Unfortunately, spoofing attacks are often relatively easy to pull off, so it’s imperative to know how they work and what you can do to protect yourself.
Types of Spoofing Attacks
The number of spoofing vectors is more or less equal to the number of methods users and computer systems have for determining who they’re communicating with. Because of this, there are quite a few types of spoofing attacks. Here are some of the most popular ones.
Email spoofing
Email spoofing underpins pretty much every spam and phishing campaign worth its salt, and it often helps hackers with malware distribution as well.
It’s brutally effective because, for many people, the only factor determining the legitimacy of an email is the contents of the Sender field. In fact, they often don’t pay that much attention even to that. With that in mind, attackers often register email addresses that are visually similar to the one they’re trying to spoof in order to trick the victim more easily.
If the target is likely to be more vigilant, attackers can spoof the sender’s address and name in their entirety. If they decide to do that, the only way to determine whether the message is coming from a malicious source is to take a closer look at the email headers.
Unfortunately, this is still beyond most users’ technical skills and knowledge.
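One way to do that header inspection programmatically, as an added example that is not part of the original article: the Python below parses a constructed message and compares the visible From domain with the Return-Path (envelope sender) domain and with the SPF/DKIM/DMARC verdicts the receiving mail server recorded in Authentication-Results. All domains, addresses and the Received line are made up.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message: the visible From claims a bank domain, while the
# envelope sender (Return-Path) and the receiving server's Authentication-Results
# tell a different story. All domains and addresses are made up.
RAW_MESSAGE = b"""Return-Path: <bounce@mail-relay-example.net>
Received: from mail-relay-example.net (mail-relay-example.net [203.0.113.10])
    by mx.example.org with ESMTP id 12345
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay-example.net;
    dkim=none; dmarc=fail header.from=bank-example.com
From: "Example Bank Support" <support@bank-example.com>
To: victim@example.org
Subject: Urgent: verify your account
Content-Type: text/plain

Please log in at the link below within 24 hours.
"""


def auth_verdicts(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results headers."""
    text = " ".join(msg.get_all("Authentication-Results", [])).lower()
    tokens = text.replace(";", " ").split()
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        match = [t for t in tokens if t.startswith(method + "=")]
        verdicts[method] = match[0].split("=", 1)[1] if match else "missing"
    return verdicts


def check_headers(raw: bytes) -> dict:
    """Compare the visible sender with the envelope sender and the auth verdicts."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    verdicts = auth_verdicts(msg)
    findings = []
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} differs from Return-Path domain {rp_domain}")
    findings += [f"{m} did not pass: {v}" for m, v in verdicts.items() if v != "pass"]
    return {"from_domain": from_domain, "return_path_domain": rp_domain,
            "auth": verdicts, "findings": findings, "suspicious": bool(findings)}
```

A From/Return-Path mismatch on its own is not proof of spoofing (mailing lists and bulk senders produce it legitimately); the authentication verdicts carry more weight, and only Authentication-Results headers added by your own mail server should be trusted, since anything earlier in the chain can itself be forged.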
Website spoofing
Website spoofing is central to pretty much any phishing attack. By creating a malicious website or login page that looks identical to a legitimate service, attackers fool their targets into divulging their sensitive information themselves. It’s a much more efficient way of collecting data than trying to scrape it with the help of malware.
The affordable domain names and the wide availability of compromised websites, coupled with some hosts’ negligent attitude toward phishing campaigns, make website spoofing much more common than it should be.
Pulling it off is made even easier with phishing kits available on underground forums and marketplaces. Using them, attackers get ready-made web pages that perfectly replicate the look and feel of popular online services. In addition to this, the kits contain the backend mechanisms that collect the sensitive data and send it the attackers’ way.
If you’re careful enough, you should have no problems spotting website spoofing.
DNS spoofing
When website spoofing is combined with DNS spoofing, however, staying safe can be a lot trickier. DNS spoofing is the act of introducing incorrect DNS data into a DNS resolver’s cache.
The injected data can redirect legitimate traffic to an attacker-controlled IP hosting a malicious web page. The number of affected users depends on how many clients rely on the poisoned resolver. Usually, DNS spoofing attacks rely on exploiting security vulnerabilities in the DNS service.
IP address spoofing
Attackers can easily spoof the source IP of any communication session they initiate by forging the source address in the headers of the packets they send.
IP spoofing can be used for gaining access to networks that are restricted to specific IPs only. Hackers often use it during denial of service attacks as well.
On the one hand, the spoofed IP helps them cover their tracks better. On the other – it enables them to fool the attacked system into thinking the traffic is coming from a legitimate source, thus avoiding early detection.
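Added example, not from the original article: an ingress-filtering check in the spirit of BCP 38, the standard network-level defence against forged source addresses. A packet is dropped when its source address could not legitimately have arrived on the interface it came in on. The topology, interface names, prefixes and sample packets are all constructed.

```python
import ipaddress

# Constructed topology for an ingress-filtering (BCP 38 / uRPF-style) check:
# each internal interface may only receive packets sourced from the prefixes
# that legitimately live behind it. Interface names and prefixes are made up.
ALLOWED_SOURCES = {
    "lan0": [ipaddress.ip_network("192.0.2.0/24")],
    "dmz0": [ipaddress.ip_network("198.51.100.0/26")],
}
# Address space that should never appear as a source on the internet-facing side.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
WAN_INTERFACE = "wan0"


def ingress_verdict(iface: str, src: str) -> tuple:
    """Return (drop, reason) for a packet with source src arriving on iface."""
    addr = ipaddress.ip_address(src)
    internal = [net for nets in ALLOWED_SOURCES.values() for net in nets]
    if iface == WAN_INTERFACE:
        if any(addr in net for net in BOGONS):
            return True, "bogon source address from the internet"
        if any(addr in net for net in internal):
            return True, "our own address space arriving from the internet"
        return False, "accepted"
    if not any(addr in net for net in ALLOWED_SOURCES.get(iface, [])):
        return True, f"source not assigned to {iface} (spoofed or misrouted)"
    return False, "accepted"


def filter_packets(packets) -> list:
    """Apply the check to (iface, src) pairs and return only the dropped ones."""
    return [(iface, src, reason) for iface, src in packets
            for drop, reason in [ingress_verdict(iface, src)] if drop]


# Constructed sample packets: three of the five would be dropped.
SAMPLE_PACKETS = [
    ("lan0", "192.0.2.17"),     # legitimate customer host
    ("lan0", "203.0.113.5"),    # customer forging an outside source address
    ("wan0", "203.0.113.5"),    # ordinary internet traffic
    ("wan0", "192.0.2.17"),     # outsider claiming to be one of our hosts
    ("wan0", "10.4.4.4"),       # private range leaking in from the internet
]
```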
ARP spoofing
ARP stands for Address Resolution Protocol. It is the communication protocol that ties the link layer to the internet layer on a typical LAN; in layman’s terms, it is the protocol that links a MAC address with an IP address.
ARP spoofing (sometimes referred to as MAC address spoofing) is the act of associating the attacker’s MAC address with another host’s IP address on the LAN. By doing this, hackers can reroute all the legitimate traffic destined for the targeted IP to their own device.
ARP spoofing is associated with many types of targeted cyberattacks, including man-in-the-middle, session hijacking, and various forms of denial of service.
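Added example, not part of the original article: detecting the footprint ARP spoofing leaves in a host’s neighbor table. It parses two constructed snapshots in the format of `ip neigh` output and flags IP-to-MAC bindings that changed, one MAC answering for several IPs, and contradictions of a pinned gateway binding. All addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample: two snapshots of a host's neighbor table in "ip neigh" format.
# In the second snapshot the gateway (192.168.1.1) suddenly resolves to a different
# MAC, and that MAC also answers for another host: the ARP spoofing footprint.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:20 STALE
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
192.168.1.77 dev eth0 lladdr aa:bb:cc:dd:ee:77 REACHABLE
"""
# Pinned binding for the gateway, as an administrator would record it.
TRUSTED = {"192.168.1.1": "00:11:22:33:44:01"}

LINE_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.I)


def parse_neigh(text: str) -> dict:
    """Map IP -> MAC from ip-neigh style lines; entries without lladdr are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def detect_arp_spoofing(before: dict, after: dict, trusted=None) -> list:
    """Flag changed IP->MAC bindings, MACs claiming several IPs, and violations
    of pinned bindings. Returns human-readable alerts (empty list = nothing seen)."""
    alerts = []
    for ip, mac in after.items():
        old = before.get(ip)
        if old and old != mac:
            alerts.append(f"{ip} changed from {old} to {mac}")
        if trusted and ip in trusted and trusted[ip] != mac:
            alerts.append(f"{ip} violates pinned binding {trusted[ip]} (seen {mac})")
    owners = defaultdict(list)
    for ip, mac in after.items():
        owners[mac].append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts
```

In practice the snapshots come from periodic `ip neigh` (or `arp -a`) runs; a static entry for the gateway or Dynamic ARP Inspection on a managed switch prevents the rebinding rather than merely detecting it.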
Caller ID spoofing
You’d be surprised to find out how easy it is to trick Caller ID, the service that tells you who’s calling or sending a text. There are many readily available apps that advertise this functionality, and the thousands of phone scams that rely on spoofed phone numbers clearly show this activity is far from uncommon.
Sometimes, the attackers fake only the local area code, while in other cases, they spoof the whole number and try to impersonate legitimate service providers or organizations. Once the victim takes the bait, the scammers can use a pretty much endless range of social engineering techniques to advance the attack.
Phone number spoofing is arguably even more effective when used with text messages. Many service providers still use SMS for authorizing and carrying out quite a few tasks involving personal or sensitive information, which is why text messages make an excellent attack vector.
GPS spoofing
GPS spoofing involves a radio transmitter located close to the target emitting counterfeit signals that override the legitimate satellite signals the victim’s device receives. It can target pretty much any device that relies on the US-operated Global Positioning System.
Luckily, the attack isn’t particularly easy to pull off, and it is reserved for the type of organizations usually depicted in James Bond movies.
Facial recognition spoofing
Facial recognition technology is now a part of our everyday lives, and it should be no surprise that hackers are turning their attention to it. Research papers and experiments reveal that the systems embedded in consumer devices aren’t that impenetrable, though it must be said that such attacks are still pretty rare.
Security is at a much higher level in the corporate environment and in organizations that deal with a lot of sensitive information. Unfortunately, this has never stopped motivated hackers from trying to break in.
Extension spoofing
At the other end of the scale, you have extension spoofing. It takes advantage of a simple default setting on Windows, the most targeted desktop operating system.
Out of the box, Windows Explorer hides the extensions of known file types. For example, Windows displays the file “Cat Photo.jpg” as an image icon with the name “Cat Photo” under it. Similarly, “Malicious Program.exe” is presented as an icon with the name “Malicious Program” under it.
As a result, hackers can easily rename Malicious Program.exe to Cat Photo.exe, pick the correct icon to make the file look like a harmless image, and trick the user into double-clicking on it. This simple and brutally effective trick sits at the heart of quite a few high-profile cyber attacks.
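Added example, not part of the original article: a check for the extension trick described above. It treats the last extension as the part Windows would hide, flags executables whose visible name looks harmless (including the double-extension variant), and compares a file’s leading magic bytes with its claimed extension. File names and contents are constructed.

```python
from typing import Optional

# Constructed sample files: name on disk -> first bytes of content.
# A PE executable starts with "MZ", a JPEG with FF D8 FF, a PNG with \x89PNG.
SAMPLE_FILES = {
    "Cat Photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # genuine image
    "Cat Photo.exe": b"MZ\x90\x00" + b"\x00" * 12,        # the trick from the article
    "Invoice.pdf.exe": b"MZ\x90\x00" + b"\x00" * 12,      # double-extension variant
    "Holiday.jpg": b"MZ\x90\x00" + b"\x00" * 12,          # executable renamed to .jpg
    "Report.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 8,
}

MAGIC = {b"\xff\xd8\xff": "jpg", b"\x89PNG": "png", b"MZ": "exe", b"%PDF": "pdf"}
HARMLESS_LOOKING = {"jpg", "jpeg", "png", "pdf", "txt", "doc", "docx"}
EXECUTABLE = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}


def sniff(head: bytes) -> Optional[str]:
    """Identify the real file type from its leading bytes, if the magic is known."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return None


def assess(name: str, head: bytes) -> list:
    """Return the reasons a file would be displayed misleadingly with extensions hidden."""
    parts = name.lower().split(".")
    real_ext = parts[-1] if len(parts) > 1 else ""
    visible_name = name.rsplit(".", 1)[0] if real_ext else name   # what Explorer shows
    reasons = []
    if real_ext in EXECUTABLE:
        reasons.append(f"executable displayed as '{visible_name}'")
        if len(parts) > 2 and parts[-2] in HARMLESS_LOOKING:
            reasons.append(f"double extension .{parts[-2]}.{real_ext}")
    content = sniff(head)
    jpeg_alias = content == "jpg" and real_ext == "jpeg"
    if content and content != real_ext and not jpeg_alias:
        reasons.append(f"content is {content} but extension is .{real_ext}")
    return reasons


def scan(files: dict) -> dict:
    """Map each suspicious file name to its list of reasons."""
    report = {}
    for name, head in files.items():
        reasons = assess(name, head)
        if reasons:
            report[name] = reasons
    return report
```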
What To Do in Case of Spoofing?
Spoofing attacks come in many shapes and forms, presenting different challenges to users. There is no single step-by-step guide that will tell you how to prevent spoofing attacks, as in most cases you simply have to be vigilant.
For example, a red light should start flashing immediately if an email, or a supposed service provider representative on the phone, starts asking for too much personal information.
Avoid clicking links in emails and texts, especially if they alert you about potential problems with your account or personal information. Hackers often try to create a sense of urgency and immediate threat, implying that something bad will happen if you don’t follow the attached link.
In reality, they just want to make you act without thinking.
If you land on a login page or another form requesting your personal information, always check the address bar. Usually, the URL is the easiest way of determining whether you’re at the right place.
If the page isn’t served over HTTPS (that is, it has no valid SSL/TLS certificate), that is a very bad sign: the connection to the server is not encrypted, and you must not, under any circumstances, enter any personal information on the page. Keep in mind, though, that a valid certificate only proves the connection is encrypted, not that the site is the one it claims to be, so it never replaces checking the domain name.
On the whole, if you want to detect spoofing attacks, you need to be a bit more suspicious of everything you see. It’s essential to act quickly if you feel you’ve been hit by a spoofing attack.
If you’ve given your password away somewhere already – change it immediately. If you’ve used it on any other websites – make sure it’s inactive there as well. And if you feel your credit card may have fallen into the hackers’ hands – contact your bank immediately.
Depending on the specific case, you might also want to have a look at the available identity theft protection services.
The Role of Your Hosting Provider
There are many different ways of impersonating a trusted user, a service provider, or a computer system. However, pretty much any attack, regardless of the spoofing vector, needs an online infrastructure of some description.
It’s not unheard of for criminals to set up brand new hosting accounts with the sole purpose of launching cyber attacks. Often, they have the budget for this, but even if they don’t, they simply use stolen credit cards and have unsuspecting victims pay for their hosting needs.
Better still, from the criminals’ point of view, is using a compromised hosting account instead of creating a brand new one. It’s a more cost-effective method that leaves fewer traces behind.
In any case, it’s mainly up to hosting providers to ensure their servers are not used for malicious activities.
First, any good host must have strict Fair Use rules. Just as importantly, however, it needs to ensure everyone sticks to these rules.
Many hosting providers adopt mechanisms that pinpoint suspicious accounts for review during the signup process. For example, if the names of the credit card holder and the account owner don’t match – the account will be flagged for manual check by the host’s agents. If the red flags are too many – the order doesn’t go through at all.
With the account already up and running, it’s primarily up to the user to keep it secured. Nevertheless, the host must provide all the facilities to do that, especially on managed plans.
Even with all security precautions in place, a hacker will sooner or later find a way to slip through the cracks. When they do, it’s important that your host knows how to react.
Monitoring systems must be in place to raise the alarm in case of a sharp spike in the number of outgoing emails, for example. A security system watching over people’s accounts for other suspicious behavior can also help hosts stop an attack in its tracks.
Some people spend a considerable amount of time hunting down and reporting phishing pages. The sooner the host reacts to such reports – the fewer people will end up with their data stolen.
Security must be a priority for all hosting providers.
On the one hand, their services form the backbone of the entire World Wide Web, and it’s their responsibility to make our online world a safer place to be. On the other, it’s in their interest to maintain a reputation for zero tolerance toward criminal activity on their servers.
Conclusion
The online world has completely altered the way we exchange information. For better or worse, a part of this transformation means that face-to-face communication is now much more limited. This gives opportunist attackers the chance to impersonate people and services we trust and scam us out of our money and data.
Spoofing attacks are more common than ever.
Luckily, as you’re now aware of the threat, spotting it and preventing the attackers from achieving their goal isn’t that difficult. In most cases, it all boils down to a little bit of education and vigilance.
How dangerous are spoofing attacks?
Spoofing can be an extremely powerful social engineering weapon. It’s rarely used on its own and often plays a crucial role in the attack’s success. Most commonly, attacks that employ spoofing aim to either steal money and data from victims or deploy malware.
What’s the difference between spoofing and phishing?
Spoofing is the act of impersonating a trusted source or service provider. It’s an essential element of any phishing campaign as it convinces users to willingly share their sensitive information while thinking they’re communicating with a completely legitimate source.
What causes spoofing?
There are many spoofing vectors, and exploiting them requires a range of different techniques.
In most cases, the attackers either abuse a security loophole in the protocols we use for communicating, or they take advantage of the fact that users don’t know the threat very well and would not spot the warning signs.