3. Spoofing, Cyber Security attacks


In its original, narrow sense, spoofing is a technique used to gain unauthorized access to computers: the intruder sends packets to a target whose source IP address indicates that they come from a trusted host.

Spoofing is a technique through which a cybercriminal disguises themselves as a known or trusted source. Spoofing can take many forms, such as spoofed emails, IP spoofing, DNS Spoofing, GPS spoofing, website spoofing, and spoofed calls.

In so doing, the adversary is able to engage with the target and access their systems or devices with the ultimate goal of stealing information, extorting money or installing malware or other harmful software on the device.

It is fairly common for attackers to spoof multiple points of contact, such as an email address and website, in order to initiate the communication and carry out the actual attack. For example, cybercriminals may spoof an email address in order to engage a potential victim and then use a spoofed website to capture the user’s log in credentials or other information.

In most cases, spoofing attacks also leverage phishing and social engineering techniques to spur activity or gather additional information. These methods often exploit human emotions such as excitement, curiosity, empathy or fear to act quickly or rashly. In so doing, cybercriminals trick their victims into giving up personal information, clicking malicious links, downloading infected files or paying a ransom.

To carry out IP spoofing, an attacker first identifies the IP address of a host the target trusts and then forges the source address in the packet headers so that the packets appear to come from that host. Because replies go back to the forged address rather than to the attacker, blind IP spoofing is mainly useful for one-way traffic: stateless UDP or ICMP floods, TCP SYN floods, and reflection attacks in which the forged source is the victim's own address. Spoofing is closely related to, and often confused with, phishing and pharming.

A “spoofer”, in Internet terms, is generally defined as the “cracker” who alters, or “forges”, an e-mail address, pretending that a message originates from a source address other than the one he or she actually has. There are many ways an attacker may do this, and many types of attacks.

The attacker may do this to gain access to a secured site that accepts the “hijacked” address as one of a few permissible addresses, or, more maliciously, to hide the source of an attack.

Email spoofing is often an attempt to trick the user into making a damaging statement or releasing sensitive information (such as passwords).

Spoofing Attacks Techniques


Spoofing attacks can be divided into different categories, some of which are elaborated below:

Man-in-the-middle (MitM) attack

A man-in-the-middle (MITM) attack is a type of cyber attack in which a third party infiltrates a conversation between a network user and a web application. The goal of this attack is to surreptitiously collect information, such as personal data, passwords or banking details, and/or to impersonate one party in order to solicit additional information or spur action, such as changing login credentials, completing a transaction or initiating a transfer of funds. This type of attack often includes either email spoofing, website spoofing or both in order to trigger activity and carry out the transfer of data.

The classic example from cryptography is the man-in-the-middle attack, in which an attacker spoofs Alice into believing they are Bob, and spoofs Bob into believing they are Alice, thus gaining access to all messages in both directions without the trouble of any.

Email Spoofing

One of the most common types of spoofing attacks is email spoofing. This occurs when an attacker purports to be a known, familiar or plausible contact by either altering the “From” field to match a trusted contact or mimicking the name and email address of a known contact. The “From” header is ordinary text chosen by the sender, so where the receiving domain does not enforce SPF, DKIM and DMARC it can be set to the trusted address exactly; where it does, attackers fall back on lookalike addresses. For example, a spoofed email address may use a zero (0) in place of the letter O, or substitute an uppercase I for a lower-case L. This is called a homograph attack or visual spoofing.

In most email spoofing attacks, the message contains links to malicious websites or infected attachments. The attacker may also use social engineering techniques to convince the recipient to divulge personal data or other sensitive information.
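The header checks a receiving mail server can perform to catch the forged “From” field described above, as an added example (not the page's own code). It uses Python's standard `email` module on two constructed messages; the `Authentication-Results` header is assumed to have been written by our own receiving MTA (anything added upstream could itself be forged), and the organizational-domain helper is a simplification of the Public Suffix List lookup that real DMARC alignment uses.

```python
"""DMARC-style check: is the visible From: domain backed by an SPF or DKIM
pass for the same organizational domain?  Added example, constructed data."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed: From: claims examplebank.com, but the envelope sender and the
# DKIM signer are mail-relay.example.net, and SPF failed.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=pass header.d=mail-relay.example.net
From: "Example Bank Support" <support@examplebank.com>
To: victim@example.com
Subject: Urgent: verify your account

Please log in at the link below.
"""

# Constructed: the same From:, this time with aligned SPF and DKIM passes.
LEGIT_MESSAGE = """\
Return-Path: <support@examplebank.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=examplebank.com;
 dkim=pass header.d=examplebank.com
From: "Example Bank Support" <support@examplebank.com>
To: customer@example.com
Subject: Your monthly statement

Your statement is ready.
"""


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of 'Name <user@host>' (empty if absent)."""
    _, address = parseaddr(str(addr))
    return address.rpartition("@")[2].lower()


def _organizational_domain(domain: str) -> str:
    """Crude relaxed-alignment helper: keep the last two labels.  Fine for
    .com/.net; real code consults the Public Suffix List (assumption)."""
    return ".".join(domain.split(".")[-2:])


def parse_auth_results(msg) -> dict:
    """Pull the spf/dkim verdicts and the domains they were evaluated for out
    of the Authentication-Results header written by our own MTA."""
    value = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    out = {"spf": None, "spf_domain": "", "dkim": None, "dkim_domain": ""}
    m = re.search(r"spf=(\w+)[^;]*smtp\.mailfrom=([\w.-]+)", value)
    if m:
        out["spf"], out["spf_domain"] = m.group(1).lower(), m.group(2).lower()
    m = re.search(r"dkim=(\w+)[^;]*header\.d=([\w.-]+)", value)
    if m:
        out["dkim"], out["dkim_domain"] = m.group(1).lower(), m.group(2).lower()
    return out


def check_from_alignment(raw_message: str) -> dict:
    """Return the From: domain, the envelope domain and whether either SPF or
    DKIM passed *for the From: organizational domain* (relaxed alignment)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_domain = _domain_of(msg["From"])
    from_org = _organizational_domain(from_domain)
    auth = parse_auth_results(msg)
    spf_aligned = auth["spf"] == "pass" and _organizational_domain(auth["spf_domain"]) == from_org
    dkim_aligned = auth["dkim"] == "pass" and _organizational_domain(auth["dkim_domain"]) == from_org
    return {
        "from_domain": from_domain,
        "return_path_domain": _domain_of(msg.get("Return-Path", "")),
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, check_from_alignment(raw))
```

Note that the spoofed message has a DKIM pass: the signature is valid, it just belongs to the wrong domain. That is exactly why alignment between the visible “From” and the authenticated domain matters more than a bare "dkim=pass".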

Caller ID Spoofing

Similar to email spoofing, caller ID spoofing replaces the adversary’s real phone number with a familiar one in the caller ID display, which the telephone network does not verify. If the recipient answers the phone, attackers typically pose as a customer support agent to gather personal information, such as a social security number, date of birth, banking details or even passwords. Some advanced telephone spoofing attacks can reroute the call to an international or long-distance carrier, causing the victim to rack up extensive bills.

Website or Domain Spoofing

Domain spoofing is when an attacker creates a website that mimics an existing site – often by slightly changing domain names. The goal of these attacks is to have users attempt to log into their account, at which point the attacker can record their account credentials or other personal information. The attackers can then use the credentials on a trusted website or sell the information. Website spoof attacks are usually triggered by an email spoof—meaning that the attacker first reaches out using a fictitious email account and drives traffic to the spoofed website.

IP Spoofing

Attackers can forge the source address in the IP header in order to hide their real identity or impersonate another host. This technique is commonly used in DoS attacks: spoofed source addresses make the flood hard to filter, because the traffic appears to come from many different hosts, and in reflection or amplification attacks the forged source is the victim's address, so that the replies from third-party servers flood the victim and limit access for authentic users.
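What "forging the source address" means at the byte level, and the ingress filter (BCP 38) that stops it at a provider edge, as an added example that is not code from the page. Nothing is sent on the wire: the header is only assembled and parsed as bytes (sending it would need a raw socket and root). The addresses are taken from the documentation ranges and the customer prefix is an assumption.

```python
"""Build an IPv4 header with a forged source, verify its checksum, and apply a
BCP 38 ingress filter to it.  Added example, constructed addresses."""
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte header without options


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words.  Over a header whose
    checksum field is already filled in, the result is 0 if it is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, protocol: int = 17,
                      payload_len: int = 0, ttl: int = 64) -> bytes:
    """Minimal IPv4 header.  `src` is whatever the caller puts there: the
    network does not check it against where the packet really came from."""
    version_ihl = (4 << 4) | 5                      # IPv4, 5 * 4 = 20 bytes
    fields = struct.pack(IPV4_FMT, version_ihl, 0, 20 + payload_len,
                         0x1234, 0, ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(fields)                    # computed with csum field = 0
    return fields[:10] + struct.pack("!H", csum) + fields[12:]


def parse_ipv4_header(header: bytes) -> dict:
    """Decode the fields a filter needs and recompute the checksum."""
    vihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_FMT, header[:20])
    return {
        "version": vihl >> 4,
        "ihl": vihl & 0xF,
        "total_len": total_len,
        "ttl": ttl,
        "protocol": proto,
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "checksum_ok": ipv4_checksum(header[:20]) == 0,
    }


def ingress_filter(packets, allowed_src_prefix: str) -> dict:
    """BCP 38 / uRPF-style check at a provider edge: a packet arriving over a
    customer link must carry a source inside that customer's prefix."""
    net = ipaddress.ip_network(allowed_src_prefix)
    verdicts = {"forwarded": [], "dropped": []}
    for pkt in packets:
        hdr = parse_ipv4_header(pkt)
        ok = hdr["checksum_ok"] and ipaddress.ip_address(hdr["src"]) in net
        verdicts["forwarded" if ok else "dropped"].append(hdr["src"])
    return verdicts


if __name__ == "__main__":
    # Constructed scenario: the customer on 203.0.113.0/24 sends one honest
    # packet and one whose source is a victim (198.51.100.5) aimed at an
    # open DNS resolver (192.0.2.53), the reflection pattern described above.
    honest = build_ipv4_header("203.0.113.10", "192.0.2.53", payload_len=40)
    spoofed = build_ipv4_header("198.51.100.5", "192.0.2.53", payload_len=40)
    print(parse_ipv4_header(spoofed))
    print(ingress_filter([honest, spoofed], "203.0.113.0/24"))
```

The spoofed header is perfectly well-formed, with a valid checksum; only a filter that knows which prefixes belong on a given link can reject it, which is why BCP 38 deployment by access providers is the real countermeasure.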

Address Resolution Protocol (ARP) Spoofing

Address Resolution Protocol (ARP) is the protocol that resolves IPv4 addresses to Media Access Control (MAC) addresses on a local network segment so that frames can be delivered. ARP has no authentication: any host can answer a request, or send unsolicited replies, claiming any IP address. In an ARP spoofing attack, the adversary links their MAC to a legitimate network IP address (typically the default gateway's) so the attacker receives data meant for the owner of that IP address. ARP spoofing is commonly used to steal or modify data. However, it can also be used in DoS and man-in-the-middle (MitM) attacks or in session hijacking.
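Detection logic for the ARP poisoning just described, run over a small constructed capture, as an added example that is not code from the page. The capture is written in a simplified tcpdump-like format (not tcpdump's exact output), and the gateway address is an assumption.

```python
"""Flag ARP spoofing in a stream of ARP replies ("is-at" messages).
Added example; the capture and gateway address are constructed."""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"   # assumed default gateway of the monitored segment

# Constructed capture: the gateway and two hosts answer normally, then
# the host at aa:bb:cc:00:00:50 starts answering for the gateway's IP and
# for 192.168.1.10 with its own MAC (poisoning both sides of a conversation).
ARP_CAPTURE = """\
10:00:01.000 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02.000 aa:bb:cc:00:00:10 > aa:bb:cc:00:00:01, ARP, Reply 192.168.1.10 is-at aa:bb:cc:00:00:10
10:00:03.000 aa:bb:cc:00:00:50 > aa:bb:cc:00:00:01, ARP, Reply 192.168.1.50 is-at aa:bb:cc:00:00:50
10:00:09.000 aa:bb:cc:00:00:50 > aa:bb:cc:00:00:10, ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:50
10:00:10.000 aa:bb:cc:00:00:50 > aa:bb:cc:00:00:01, ARP, Reply 192.168.1.10 is-at aa:bb:cc:00:00:50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), ARP, "
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})$"
)


def parse_arp_replies(capture: str):
    """Yield one dict per well-formed reply line; ignore anything else."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect_arp_spoofing(capture: str, gateway_ip: str = GATEWAY_IP) -> list:
    """Return alert strings.  Signals: the advertised MAC differs from the
    Ethernet source, an IP's MAC binding changes after it was first learned,
    and one MAC claims more than one IP (the attacker poisoning both the
    gateway and a victim so it can sit in the middle)."""
    bindings = {}                  # ip -> first-seen MAC
    claimed = defaultdict(set)     # mac -> set of IPs it has claimed
    alerts = []
    for r in parse_arp_replies(capture):
        ip, mac, ts = r["ip"], r["mac"], r["ts"]
        if r["src_mac"] != mac:
            alerts.append(f"{ts} sender MAC {r['src_mac']} != advertised MAC {mac} for {ip}")
        known = bindings.setdefault(ip, mac)
        if known != mac:
            tag = "GATEWAY " if ip == gateway_ip else ""
            alerts.append(f"{ts} {tag}binding change: {ip} was {known}, now claimed by {mac}")
        claimed[mac].add(ip)
        if len(claimed[mac]) > 1:
            alerts.append(f"{ts} {mac} now claims {sorted(claimed[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_CAPTURE):
        print(alert)
```

The same two signals (binding changes and one MAC answering for several IPs) are what tools such as arpwatch report; on a managed switch the preventive equivalent is Dynamic ARP Inspection, which drops replies that do not match the DHCP snooping table.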

GPS spoofing

GPS spoofing is the act of falsifying the position a device reports, either by feeding fake location data to the software that consumes it or by transmitting counterfeit satellite signals that the receiver cannot distinguish from the real ones, so that it registers a location different from the user’s physical location. While the software variant is mostly used by players of online games, such as Pokémon GO, the technique has far more sinister implications. For example, GPS spoofing can be used to redirect navigation systems in vehicles of all kinds, including passenger cars, commercial airplanes, naval vessels, public buses and everything in between.

Facial spoofing

One emerging spoofing technique is related to facial recognition. Since many people now use such technology to unlock their phones or apps, cybercriminals are exploring how to exploit potential vulnerabilities. For example, researchers have demonstrated that it is possible to use 3D facial models built from pictures available on social media to unlock a user’s device via face recognition. Further implications of this technology include simulating embarrassing or even criminal video footage of high-profile individuals, such as celebrities, politicians and business leaders, in order to extort money.

How to protect against Spoofing?

For everyday users, the best protection against spoofing is vigilance for the signs of an attack, combined with a few habits:

  • Never click unsolicited links or download unexpected attachments.
  • Always log into your account through a new browser tab or official app — not a link from an email or text.
  • Only access URLs that begin with HTTPS, and remember that HTTPS alone only proves the connection is encrypted: a spoofed site can have a valid certificate too, so the domain name still has to be right.
  • Never share personal information, such as identification numbers, account numbers or passwords, via phone or email.
  • When contacted by a customer service representative via phone or email, do a web search to determine if the number or address is associated with any scams.
  • Use a password manager, which will automatically enter a saved password into a recognized site (but not a spoofed site).
  • Use a spam filter to prevent a majority of spoofed emails from reaching your inbox.
  • Invest in cybersecurity software, which will detect many threats and even stop them from infecting your device.
  • Enable multi-factor authentication whenever possible; a stolen password alone is then not enough for the attacker to log in.

How to detect Spoofing

In many cases, spoofing attacks are relatively simple to detect and prevent through diligence and awareness. We offer the following list of questions that users can reference to identify a spoofing attack:

Is this request solicited? 

Is the business or organization responding to a service request or are they asking me to complete a task unprompted? For example, users can often reset a password by requesting a link be sent to the email address on file. However, if a user receives such a link and request unprompted, it may be a spoofing attempt.

Does the message request sensitive information? 

Reputable businesses and government agencies will never ask people to share sensitive information like passwords or social security numbers in full by email or phone. They also will not send password requests via a third-party or through an external domain. If in doubt, the user should contact the company or agency directly using the contact information posted on the organization’s official website.

Is the organization using a different domain? 

When receiving a message that contains links, hover over the hyperlink text to preview where the link leads, since the visible text and the actual target can differ. Banks, doctors, schools or other legitimate service providers will never attempt to route activity or communication through a URL that does not match their current domain. You can also check that the address in the “From” or “Sent” field, not just the display name, matches the official domain. If the domain differs from the stated organization’s domain, the user should contact the company or agency’s official customer service channels at once.
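The link and sender-domain check from this question and from the "Website or Domain Spoofing" section, automated, as an added example that is not code from the page. It pulls every link target out of a constructed HTML message body, compares each host and the “From” domain against the organization the message claims to be, and catches the lookalike tricks mentioned earlier (0 for O, 1 or I for l, rn for m, Cyrillic letters, and punycode-encoded names). The trusted domain is constructed, and the confusable table is a small hand-picked subset, not the full Unicode confusables list.

```python
"""Classify link hosts and the From: domain as trusted / lookalike /
embedded / unrelated.  Added example; all sample data is constructed."""
import unicodedata
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "examplebank.com"   # the organization the message claims to be

# Constructed body: one genuine link, two ASCII lookalikes, the trusted name
# buried as a subdomain of another domain, and a Cyrillic-a homograph.
SAMPLE_HTML = """
<p>Dear customer, please <a href="https://examplebank.com/login">sign in</a>.</p>
<p>Or use <a href="https://exarnplebank.com/login">this mirror</a>.</p>
<p>Or <a href="https://examp1ebank.com/verify">verify here</a>.</p>
<p>Or <a href="https://examplebank.com.evil-updates.net/x">update</a>.</p>
<p>Or <a href="https://ex\u0430mplebank.com/">here</a>.</p>
"""

# Hand-picked subset of confusables.  Domains are case-insensitive, so an
# uppercase I arrives as "i"; i, l, 1 and | are collapsed together as in the
# Unicode confusables data.  Cyrillic letters that look like Latin ones map
# to their Latin twins.
CONFUSABLES = {
    "0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def skeleton(domain: str) -> str:
    """Collapse a domain to a crude skeleton so that lookalikes compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower()
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    return d.replace("rn", "m").replace("vv", "w")


class _LinkExtractor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_hrefs(html: str) -> list:
    p = _LinkExtractor()
    p.feed(html)
    return p.hrefs


def to_unicode_host(host: str) -> str:
    """Decode punycode labels (xn--...) so homoglyphs are visible to skeleton()."""
    try:
        return host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        return host


def classify_host(host: str, trusted: str = TRUSTED_DOMAIN) -> str:
    host = to_unicode_host(host.lower().rstrip("."))
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    registered = ".".join(host.split(".")[-2:])   # crude; real code uses the Public Suffix List
    if skeleton(registered) == skeleton(trusted):
        return "lookalike"       # visually near-identical domain
    if trusted in host:
        return "embedded"        # trusted name used as a label of someone else's domain
    return "unrelated"


def check_message(html: str, from_domain: str, trusted: str = TRUSTED_DOMAIN) -> dict:
    """Classify the From: domain and every link target.  Anything that is not
    'trusted' is a reason to open the site directly instead of clicking."""
    results = {"from": classify_host(from_domain, trusted), "links": {}}
    for href in extract_hrefs(html):
        results["links"][href] = classify_host(urlsplit(href).hostname or "", trusted)
    return results


if __name__ == "__main__":
    for href, verdict in check_message(SAMPLE_HTML, "examp1ebank.com")["links"].items():
        print(f"{verdict:10} {href}")
```

The "embedded" case is worth a separate verdict: `examplebank.com.evil-updates.net` is not a lookalike at all, it is simply another organization's domain with the trusted name pasted in front, which is what the hover check is meant to expose.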

Does the website or link point to an HTTPS address? 

Secure sites almost always use HTTPS, the encrypted version of HTTP, when transferring data. Be sure the URL begins with HTTPS and features a lock icon in the address bar before accessing the site. Bear in mind that this is a necessary check, not a sufficient one: certificates are free and automated, so most spoofed sites also show the lock. The lock only tells you the connection to the domain shown is encrypted; it is still the domain name itself that must be checked.

Does the message contain an unsolicited attachment? 

Legitimate companies will direct users to their official website to access and download files. Never download an unsolicited attachment even from a trusted or familiar source, such as a family member or colleague.

Is the message personalized and professional?

Reputable service providers will interact with customers in a personalized and professional way. Very few will begin emails or other messages with generic greetings such as, “Dear customer,” or “To whom it may concern.”

Does the correspondence contain obvious grammar and spelling errors? 

One of the easiest ways to spot a spoofing attempt is through poor grammar, spelling, design or branding. While some may see this as the sign of a foreign actor with a basic command of English, it is often argued to be a deliberate technique used by attackers to weed out savvy users and entrap easier targets.

During the COVID-19 pandemic, phishing continued to be the preferred access route for threat actors. In April 2020, CrowdStrike Intelligence identified new phishing campaigns impersonating the World Health Organization (WHO). The campaigns relied on social engineering to conduct the attack. Threat actors also used spoofed email addresses to deliver the “AgentTesla” information stealer using an exploit document called “Virgo.”