In cybersecurity slang, “spoofing” refers to a strategy in which a fraudster impersonates somebody else’s personality or credentials (personal or institutional) to earn a victim’s trust. The aim is to abuse that trust to meet the fraudster’s objective (access to a system, sensitive data, money, or installing malware).
What is spoofing?
Spoofing is an umbrella term rather than a specific type of attack or malware. It involves a cybercriminal attempting to pass as somebody else, such as a person or an organization that the victim would trust. Once the hacker has earned that trust, he uses it to make the victim perform a series of unusual actions that help him achieve a goal. So, whenever a digital criminal pretends to be somebody else, he’s spoofing.
It can happen through any communication channel available to both the victim and the scammer. It comes in many flavors, depending on the technological sophistication involved in each attempt.
Spoofing is an excellent example of “social engineering” in which the success of a criminal activity relies as much upon the ability of the criminal to psychologically manipulate the victim as on their degree of technical prowess. Kevin Mitnick is the most famous hacker whose exploits relied heavily on social engineering to succeed. These techniques play on the weakness of the human user as the most vulnerable link in the security chain because of fear, greed, or ignorance.
Types of spoofing
1. Email
Email is one of the most frequent means of spoofing attacks. In this attack, the sender forges the email headers so that the recipient takes them at face value. A close examination of the email would reveal inconsistencies that give the game away, but recipients frequently assume that the message is legitimate. For example, if they recognize the sender’s name, they will probably trust the message without paying attention to the rest of the information.
This type of spoofing usually requests money transfers or the credentials to enter a system. As an additional “perk,” the spoofed email sometimes includes an attachment that installs malware as soon as the recipient opens it. The optimal scenario for the hacker is to use a given recipient to infect a whole network.
The social engineering element is crucial for email spoofing because it’s about persuading human beings to do something they’re not supposed to do.
2. IP spoofing
It is a spoofing attack focused on a network, not an individual user.
In IP spoofing, the objective is to access an otherwise forbidden system. The attempt consists in sending messages with false IP addresses which mimic those that could originate within that network.
Here is how it works: the criminal takes an ordinary data packet and rewrites its header (or headers) so that the source is a legitimate IP address. That makes the packet look as if it originated from a trusted computer within the network.
IP spoofing attacks are often the preliminary stage of a DDoS attack, and such an attack can bring a whole network down if it isn’t stopped early. So, it’s essential to identify an IP spoofing attack as early as possible.
3. Website spoofing
Also known as URL spoofing. Here, the hacker takes a fraudulent website and disguises it as a legitimate one, copying the graphics, layout, and everything else it takes to make the fake webpage look like the original. Even the URL and website name will be as close as possible to the original.
Imagine you ask where to watch movies for free and encounter a site full of ads and malware that looks similar to a legitimate streaming website you knew about. Situations like this make this technique super harmful today.
Website spoofing is also a type of phishing attack (it often starts with a phishing email). Your criminal wants to persuade you that you are in the right place and try to log in. Then, he will have your username and password for the actual website.
4. Phone spoofing (caller ID spoofing)
In this case, the attack comes from a simple phone call. Except your phone will show you a false caller ID because the attacker has faked it. It is not an idle trick. People are more likely to answer a phone call if an unknown number looks at least vaguely familiar (for instance, if it looks like a local number).
These calls usually come through Voice over IP (VoIP) services, because those tools let the attacker set the outgoing phone number and caller ID to their own specifications.
If and when the call is answered, the scammer will try to talk the victim into revealing information they can use for some nefarious purpose.
5. Text message spoofing – SMS spoofing
These are SMS or text messages with false sender information.
SMS marketing is a real thing. Existing businesses will often send their customers an easy-to-remember ID so that it’s convenient for them. And then scammers will also try this to hide their identity and to steal the credibility of the business they try to impersonate. They will send phishing links or try to have you download a malware installer.
6. ARP spoofing
ARP stands for Address Resolution Protocol. It is the piece of network plumbing that maps an IP address to the hardware (MAC) address of a specific device so the network can locate and reach it. In this attack, the bad guy sends false ARP messages over a LAN. The messages link the bad guy’s MAC address to the IP address of a device that belongs in the network. In other words: it hijacks the network connection belonging to said hardware.
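A defender’s view of the ARP hijack just described, as an added example that is not part of the original article: it replays a constructed list of ARP replies and raises an alert whenever an IP-to-MAC binding changes, or when one MAC starts answering for the gateway as well as other hosts. The gateway address and the MAC values are assumed sample data.

```python
from collections import defaultdict

# Constructed sample of ARP replies seen on a LAN: (seconds, sender IP, sender MAC).
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "aa:bb:cc:00:00:01"),    # the real gateway announces itself
    (1, "10.0.0.20", "aa:bb:cc:00:00:20"),
    (2, "10.0.0.21", "aa:bb:cc:00:00:21"),
    (30, "10.0.0.1", "AA:BB:CC:00:00:21"),   # gateway IP now claimed by host .21's card
    (31, "10.0.0.20", "aa:bb:cc:00:00:21"),  # ...and so is .20's: .21 now sits between them
]
GATEWAY_IP = "10.0.0.1"  # assumed sample value

def detect_arp_spoofing(replies, gateway_ip):
    """Replay ARP replies and return (time, severity, message) alerts for
    IP-to-MAC bindings that change and for one MAC claiming the gateway plus other IPs."""
    bindings = {}                   # ip -> MAC last seen claiming it
    claimed_by = defaultdict(set)   # MAC -> every IP it has claimed so far
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()           # normalise case so AA:.. and aa:.. compare equal
        previous = bindings.get(ip)
        if previous and previous != mac:
            # A binding flip for the gateway is the classic man-in-the-middle sign.
            severity = "high" if ip == gateway_ip else "medium"
            alerts.append((ts, severity, f"{ip} moved from {previous} to {mac}"))
        bindings[ip] = mac
        is_new_claim = ip not in claimed_by[mac]
        claimed_by[mac].add(ip)
        others = sorted(claimed_by[mac] - {gateway_ip})
        if is_new_claim and gateway_ip in claimed_by[mac] and others:
            alerts.append((ts, "high", f"{mac} answers for gateway {gateway_ip} and {others}"))
    return alerts
```

On the sample data the first three replies are clean and the two replies at 30 s and 31 s produce four alerts, two of them for the gateway binding.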
7. DNS spoofing (DNS cache poisoning)
Let’s start by remembering what DNS servers do. These are the internet’s yellow pages. Your devices can’t find any server using a domain name (like www.google.com). So if your mobile or your computer is ever going to find Google so you can run the search you want, it must use Google’s IP address (8.8.8.8). So a DNS server gives you the IP address corresponding to the domain name you are looking for.
So a DNS spoofing attack falsifies the IP address of a legitimate website. Thus, your browser gets redirected to the website the hacker wants. They achieve this goal by planting the IP address of their own website in the DNS server’s cache in place of the real one.
8. GPS spoofing
GPS spoofing feeds a GPS receiver a false signal that looks genuine. The objective is to fake your physical position. Thus they can hack a car’s GPS or send you to an unwanted place.
9. Facial spoofing
Facial recognition technology is the latest biometric way to unlock digital devices. Facial spoofing is a very advanced type of attack in which the hacker injects false biometric information into a device.
How does spoofing work?
Spoofing typically has two ingredients. First, there is the spoofed object, properly speaking. It can be a fake website, email, or something else (see the types above). Second is the element of interaction and social engineering in which the criminal tries to persuade the victim to perform a specific action.
So consider this scenario: an email arrives in the victim’s inbox. It seems legitimate and supposedly comes from a trusted senior officer in his company. The email requests the victim to transfer some money and explains why this transfer is needed. Then, the spoofer is also ready to give extra persuasion if the victim doesn’t comply immediately, always keeping up his act and avoiding raising any suspicions.
On the surface, spoofing looks like a silly type of attack because it needs the victim’s collaboration to work. However, this technique works, and it can be very harmful. A good spoof will grant the hacker network access and the chance to install malware, or valuable information he can use in further attacks. These attacks on corporations can even lead to a ransomware attack, which can be very costly.
Notably, it differs from location spoofing/tweaking, which many users carry out today for different purposes. For example, people spoof in Pokemon Go to change their area in the game for extra fun.
Back to bad spoofing, there are as many types of spoofing attacks as communication methods. The most common and direct involve phone calls, websites, and emails. The most complex ones involve IP addresses, DNS (Domain Name System) servers, and the ARP protocol. Let’s explore each kind.
Why are spoofing attacks such a threat
These attacks don’t attract public attention, but that doesn’t mean they are less of a privacy threat. Unfortunately, most individuals underestimate the potential of spoofing attacks.
Spoofing is dangerous because many gateways, including emails, texts, calls, websites, and IP addresses, could open doors to an attack. But, it isn’t surprising that organizations and individuals underplay the seriousness of these attacks because they sound less threatening than SQL injection, malware attacks, DDoS attacks, and ransomware.
However, despite this perception, spoofing attacks are hazardous and could harm individuals and organizations. Some reasons why they are such a threat include:
- Spoofing can be used to launch DDoS attacks, which could lead to a far worse disaster.
- It can damage a person’s or organization’s reputation.
- Spoofing attacks can spread malware via email attachments or malicious links.
- Victims of spoofing attacks risk losing private information that could be used in identity theft cases.
- Another reason spoofing is a threat is the financial losses incurred after being tricked by attackers.
What are examples of IP spoofing
IP spoofing is a technique used by attackers to access a network by disguising the IP address of the attacker’s device as a trusted IP address. Here are a few examples of how IP spoofing can be used:
- Man-in-the-middle attacks: IP spoofing can intercept and modify network traffic, allowing attackers to steal sensitive information or inject malware into the traffic.
- Session hijacking: Cybercriminals use this technique to take over an active session on a network, such as a VPN or SSH connection, by injecting packets into the session and tricking the server into thinking they are coming from a legitimate user.
- Internal Network Attack: Attackers can gain unauthorized access to an internal network by disguising the attacker’s device as authorized to be on the network.
- Amplification attack: The technique can be used in amplification attacks, where the attacker takes advantage of open UDP services and amplifies the traffic to target a website or service.
GitHub attack
In 2018, GitHub was attacked by a massive distributed denial-of-service (DDoS) attack, considered the biggest attack of its kind ever recorded at that time. The attack was launched using a new amplification technique that exploited a vulnerability in the Memcached protocol. The attackers used many vulnerable Memcached servers to amplify the traffic directed towards GitHub, resulting in 1.35 Tbps of traffic sent to the site.
This caused a downtime of about 10 minutes. The attack was eventually mitigated and restored service, but it highlighted the dangers of the new amplification technique and the need for improved security for Memcached servers.
Tsutomu Shimomura
Kevin Mitnick attacked the computer systems of Tsutomu Shimomura via IP spoofing on December 25th, 1994. Using Shimomura’s X terminal computer and the server, the attacker analyzed the flow of TCP sequence numbers generated by the PCs. He then bombarded the PCs with SYN queries from fake IP addresses that were routable but dormant.
As a result, the SYN queries overloaded the PCs’ memory, making them unresponsive and causing a denial-of-service attack. This attack was significant at the time as it demonstrated how IP spoofing could be used to launch a powerful DDoS attack, and it led to increased awareness and research on the topic of IP spoofing and DDoS attacks.
How to know if you’re being spoofed
You can tell you are being spoofed by paying attention to the following signs:
- The URL address is HTTP as opposed to HTTPS.
- The caller or message sender knows your private information, such as your official name and address.
- Poor grammar in text messages and emails.
- Unexpected calls or text messages from unfamiliar numbers.
- You receive emails, attachments, or texts with suspicious links.
- Sender’s email address seems to be from a legitimate source but has slight variations from the original.
Furthermore, there are indicators you can check from common types of spoofing if you suspect you’ve fallen victim:
Email spoofing
There are various indicators of email spoofing, including:
- Check the sender’s email address: Sender’s email address may be incorrect. Double-check the email address if you have doubts about the sender’s legitimacy.
- Suspicious attachments: Be wary of unexpected attachments; they may carry malware that infects your device as soon as they are downloaded or opened.
- Watch out for spelling and grammar mistakes: An email containing grammar and spelling errors is likely illegitimate.
How to stop Email spoofing
- Use authentication protocols: These tools, such as DKIM and SPF, help verify the identity of senders and prevent malicious emails.
- Use anti-phishing and encryption software: Anti-spam programs can help detect and block malicious emails. Encrypting your emails can also add an extra layer of protection to emails.
- Monitor email logs regularly: This can help uncover senders with ill intentions.
- Update your email client and OS: Keep your email service providers and OS updated with the latest security patches.
- Avoid opening emails from unknown senders: Never click on emails or attachments from suspicious senders.
- Do your research: Do due diligence to ascertain that the email address and content are not scams.
Website spoofing
Key indicators of website spoofing include:
- Lock symbol: Spoofed websites lack a lock symbol on the left side of the address.
- Use a password manager: Password autofill doesn’t work on spoofed websites. Therefore, if usernames and passwords don’t autofill, it’s possible the website is spoofed.
- Personal details: Be aware of websites asking for personal information like credit card details and social security numbers that the original website would not normally request.
How to stop website spoofing
Here are a few tips to stop website spoofing:
- Use browser extensions: Browser extensions can help you identify a malicious website by cross-referencing the URL address with a collection of spoofed websites.
- Be cautious of malicious links: Avoid clicking links that redirect you to spoofed websites.
- Manually type in web addresses: If you suspect a website might be spoofed, you can directly type in the URL address of the website you wish to visit instead of clicking third-party links.
- Use antivirus programs: They protect your device from phishing and malware attacks.
- Stay updated: Be informed of the latest techniques used in website spoofing and how to identify one.
Caller ID spoofing
Here are some indicators of caller ID spoofing:
- Calls from unknown numbers: If you’re receiving suspicious calls from an unknown number, you’re likely being targeted for spoofing.
- Caller ID says ‘911’: If the unknown call displays 911 and not an actual phone number, chances are the attackers are disguising themselves as emergency services.
- Uninitiated responses: If you’re receiving replies on a conversation you did not initiate, you may be a potential victim.
- International number: The caller ID may show an international number despite the caller being in the same region as you.
- Incorrect phone number format: The scammer’s number could be of a different format from your country. For instance, it could be an 11-digit number, whereas your country uses a 10-digit number.
How to stop caller ID spoofing
There are several ways you can stop caller ID spoofing:
- Use call blocking and verification services: Caller ID detection apps can help identify and block calls from unknown or suspicious phone numbers. Call-verification services help you determine if a call is real or fake by cross-referencing the caller’s ID with a database of known spoofed numbers.
- Be cautious of numbers that ask for your private information: Be careful of unsolicited calls that ask for personal data or money. Legitimate organizations do not ask for personal information or money over the phone or through unsolicited messages.
- Report suspicious callers: Report fraudulent calls to your ISP, FCC, or any other appropriate authorities in your region, to help track down the source of the spoofed calls.
- Beware of spoofing: Educating yourself is probably the best way to prevent being spoofed. In addition, you will learn new tactics commonly used by spammers and how to avoid falling victim.
General measures against spoofing
A little prevention goes a long way. These simple security measures against spoofing attacks can help you stay safe if you practice them regularly.
- Don’t follow unknown links.
- Don’t open attachments from unknown sources. Unwanted links and attachments will often take you to a source of malware. If in doubt, don’t open them.
- Ignore unrecognized emails or phone calls. Any email or phone call that doesn’t come from your contacts could be a scammer.
- Use 2FA. Two-factor authentication is not infallible, but it’s still much better than the standard username and password combo. Use it whenever available.
- Choose good passwords. A good password is long and complicated, impossible to guess because it’s not a word or phrase you can find in any book or dictionary. Also, every password should be unique to each account. If you need a password manager to keep track of all your credentials, then use one.
- Keep your sensitive information to yourself. Your personal information does not belong on the internet, period. Unless you provide it to a trusted actor in a secure environment, never surrender any sensitive information online or through SMS messages.
- Keep your devices updated.
- Mind grammar and spelling. Spoofed websites and emails are often poorly written. Pay attention and run away if you must.
Effective strategies against spoof attacks
There is no silver bullet for spoofing. Each type of attack is very different, and besides data forgery, there is almost no common ground among all the different types of spoofing. However, there is good news. In most cases, spoofing only works if the victim cooperates in some way. That means prospective victims can stop spoofing in their tracks easily with awareness. Let’s see how you can deal with each kind.
Stopping email spoofing
At the heart of the internet’s email system is the Simple Mail Transfer Protocol (SMTP). But unfortunately, this protocol has no authentication factors. That is why there is no way to stop email spoofing completely.
However, there are still some simple things an average user can do to reduce the probability of a spoof email attack. Most importantly, it’s about having a secure email provider and minding your cybersecurity.
- Use disposable email accounts when you open new accounts on websites. It makes it harder for your email address to end up in the lists spoofers use to send bulk attacks.
- Use a strong password. It should be long, complicated, and impossible to guess. We have a guide on choosing and managing passwords. Good passwords make a hacker’s job nearly impossible.
- Look at an email’s header if you can (some services don’t make it readily available, and mobile mail apps don’t allow you to see it). If something looks wrong, then be suspicious.
- Use spam filters.
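The header inspection suggested above, together with the SPF/DKIM verdicts mentioned under “How to stop email spoofing”, as an added example that is not part of the original article: it reads a raw message, pulls the SPF/DKIM/DMARC results the receiving server stamped into Authentication-Results, compares the visible From domain with the envelope sender, and flags a sender domain that is a near-miss of a trusted one. The trusted domains and both sample messages are constructed.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Domains this organisation trusts as senders (constructed sample values).
TRUSTED_DOMAINS = ("example.com", "examplebank.com")
# Pulls "spf=pass", "dkim=fail", "dmarc=..." verdicts out of Authentication-Results.
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)

def domain_of(header_value):
    """Lowercased domain of the first address in a header, or None if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower() or None

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (close but not equal), else None."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def spoof_indicators(raw_message):
    """Check a raw RFC 5322 message for header-level spoofing signs; empty list = clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])             # what the user sees
    envelope_domain = domain_of(msg["Return-Path"])  # where bounces really go
    # 1. SPF/DKIM/DMARC verdicts stamped by the receiving server. "none" is not
    #    flagged: it means no record or signature exists, not that a check failed.
    for header in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH_RESULT.findall(str(header)):
            if result.lower() not in ("pass", "none"):
                findings.append(f"{mech.lower()}={result.lower()}")
    # 2. Visible From domain vs envelope sender.
    if from_domain and envelope_domain and from_domain != envelope_domain:
        findings.append(f"from-domain {from_domain} differs from return-path {envelope_domain}")
    # 3. Visible sender domain that is a near-miss of a trusted domain.
    imitated = lookalike_of(from_domain) if from_domain else None
    if imitated:
        findings.append(f"lookalike domain {from_domain} imitates {imitated}")
    return findings

# Constructed sample messages (not real mail).
SAMPLE_SPOOF = """\
Return-Path: <bulk@mailer-xyz.test>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer-xyz.test; dkim=none
From: "CFO" <cfo@examp1e.com>
Subject: Urgent wire transfer

Please transfer the funds today.
"""
SAMPLE_LEGIT = """\
Return-Path: <alice@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
From: Alice <alice@example.com>

Noon?
"""
```

The spoofed sample yields three findings (failed SPF, a From/Return-Path mismatch, and the digit-for-letter lookalike domain) while the legitimate one yields none.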
Preventing IP spoofing
- Keep your network’s traffic under close monitoring.
- Use packet filtering so that inconsistent packets do not reach their desired target.
- Use verification methods for all remote access.
- Authenticate all the IPs.
- Make sure that at least some of your network is behind a firewall.
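The packet-filtering and monitoring points above, as an added example that is not part of the original article: a minimal ingress/egress anti-spoofing filter that drops internet-side packets claiming one of our own addresses or a bogon source, and drops outbound packets whose source is not ours (the BCP 38 egress rule), then tallies drops over a constructed traffic sample. The internal prefix and the traffic are assumed sample values.

```python
import ipaddress
from collections import Counter

# Address space that belongs to our own network (constructed sample value).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Sources that must never appear on the internet-facing side of the firewall.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def filter_packet(iface, src, dst):
    """Anti-spoofing rule for one packet. `iface` is 'wan' (internet side) or 'lan'.
    Returns ('drop', reason) or ('accept', None). dst is kept for a realistic
    signature; these rules only look at the claimed source."""
    if iface == "wan":
        # Ingress: nobody on the internet may claim one of our own addresses.
        if in_any(src, INTERNAL_NETS):
            return "drop", "ingress: internal source address arriving from the internet"
        if in_any(src, BOGON_NETS):
            return "drop", "ingress: bogon source address"
    elif iface == "lan":
        # Egress (BCP 38): our hosts may only send with our own addresses, so we
        # never become the launch pad for someone else's spoofed flood.
        if not in_any(src, INTERNAL_NETS):
            return "drop", "egress: source address is not ours"
    return "accept", None

def spoof_report(packets):
    """Run the filter over (iface, src, dst) tuples; return drop counts per reason."""
    reasons = Counter()
    for iface, src, dst in packets:
        verdict, reason = filter_packet(iface, src, dst)
        if verdict == "drop":
            reasons[reason] += 1
    return reasons

# Constructed sample traffic (not a real capture).
SAMPLE_PACKETS = [
    ("wan", "198.51.100.7", "10.20.1.5"),    # ordinary inbound packet
    ("wan", "10.20.1.9", "10.20.1.5"),       # claims to be one of our hosts
    ("wan", "192.168.1.1", "10.20.1.5"),     # private address from the internet
    ("lan", "10.20.1.5", "198.51.100.7"),    # ordinary outbound packet
    ("lan", "203.0.113.4", "198.51.100.7"),  # internal host forging a foreign source
]
```

A rising count for the first reason is the early warning the text asks for; the egress counter tells you whether one of your own hosts is the one doing the spoofing.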
Avoiding website spoofing
- Look at the address bar to ensure the website is secured (you will see HTTPS instead of HTTP). A fraudulent site will most probably not be encrypted. It is not a golden rule, but an excellent place to start. You need to identify other red flags too.
- Is the grammar and spelling on the website correct? Do the colors or logos look just a little bit wrong? Is the website complete? Look for a privacy policy, for instance. Spoofed websites rarely manage to imitate every element of the original one.
- Use a password manager. It will never provide the correct password and username for the wrong website. Besides, it will immediately inform you that you’re not on the site you expected.
Stopping spoofed calls
- Find out if your carrier can filter out spam phone calls.
- Consider using a third-party app for this.
- Don’t answer calls from unknown numbers. The more you answer, the more you’ll keep getting.
Preventing SMS and text messaging spoofing
- Never click on a hyperlink that reached you through an SMS. If it says it’s urgent, that’s even more reason to avoid it and be suspicious.
- “Password reset” SMS is a red flag. Please don’t click on them.
- Sensitive personal information doesn’t belong in SMS and text messages. And no corporation or government agency will ever ask you to send it to them through those means.
- If your SMS offers a prize or discount that looks too good to be true, trust your intuition: it is too good. It’s a scam.
Preventing ARP poisoning or spoofing
- The best defense for individuals is a VPN.
- Organizations should use encryption for their internal traffic to avoid ARP poisoning.
- Packet filters are also effective against ARP poisoning.
Avoiding DNS cache poisoning or spoofing
- A VPN is the best way to avoid DNS cache poisoning.
- Scan your device with your antivirus regularly.
- Flush your DNS cache frequently.
Preventing GPS spoofing
- Anti-GPS spoofing is under development, but it won’t be a commercial product for individual users.
- Disable the GPS on your mobile device.
Preventing Facial spoofing
- Include eye blink detection in your face recognition technology. Fraudsters can’t match it.
- Use interactive detection.
FAQs
Spoofing attempts to position a bad actor in an ideal man-in-the-middle position by trying to pass as a trusted actor. However, as a general rule, MiM attacks do not involve human beings. So spoofing is a version of MiM in which the goal is to fool a human being in the communication chain.
Spoofing entails disguising oneself as someone else to gain access to information via email, calls, or IP address. Phishing, on the other hand, involves tricking someone into giving sensitive information, such as login credentials, through electronic communication, such as email or social media platforms.