Spoofing is the process of disguising a communication to make it appear as if the communication came from a trusted source. The target of a spoofing attack can be a person or computer system. In a person-to-person case, the most common spoofing attacks include email phishing and caller ID attacks. For computer systems, spoofing attacks target elements such as Address Resolution Protocol (ARP) services, domain name system (DNS) servers, and internet protocol (IP) addresses.
The success of a spoofing attack generally depends on its ability to exploit a trusted relationship between the target and some other person or organization. Personalizing the message for a specific target is often an effective method of convincing the target that it comes from a trusted source. The victim's lack of knowledge about the ease of faking internet communications is often a significant factor in spoofing attacks.
The consequences of a successful spoofing attack include the compromise of sensitive information or credentials, which the attacker can use in a future attack. These attacks often use malware that leverages information the target provided during the initial spoofing attack. The ability to exploit trusted relationships or bypass access controls also allows spoofing attacks to compromise computing systems through methods such as denial-of-service (DoS) or man-in-the-middle (MITM) attacks. A DoS attack deprives a system of its resources by making repeated requests for services in an attempt to overwhelm the system. An MITM attack is so named because attackers place a process under their control between two legitimate entities on the system.
The effect of a successful spoofing attack in business terms can include a ransomware attack, in which the attacker promises to restore service in exchange for some type of payment. It can cause a business’s website to spread malware to other systems. Another kind of spoofing attack within a business context is a business email compromise (BEC), which consists of the attacker posing as a manager to trick an employee into transferring funds to an account that the attacker owns.
Even if a spoofing attack doesn't include a specific demand for payment, it can result in negative consequences such as legal repercussions, damage to reputation, and customer confidence loss. These risks illustrate the importance of learning about different types of spoofing attacks currently in use and understanding how to detect and prevent them.
An IP spoofing attack involves the attacker sending IP packets with a forged source address that hides the attacker's identity. This type of spoofing attack is most common in DoS attacks, where the attacker sends many packets carrying the spoofed source address to other recipients so that their responses flood the real holder of that IP address, resulting in a disruption of service. Another goal of IP address spoofing is to borrow the IP address of a trusted user or device in order to access a network.
Attackers conduct spoofing over the phone by causing their caller ID information to appear as if the caller is someone the victim trusts, increasing the probability that the victim takes the call. This approach includes using a name and number that is similar or even identical to that of the trusted party. The spoofer may use a phone number that shares the first few digits with a number familiar to the target. Another option is to use a number from the victim's area, known more specifically as neighbor spoofing. These techniques rely on victims not noticing any discrepancies in the caller ID information until they pick up the phone.
Once the victim answers, the spoofer will represent some official organization, such as a loan officer. The spoofer’s ultimate goal in this conversation will be to persuade the victim to provide personal information or transfer funds to an account that the spoofer owns.
The attacker in email spoofing sends an email to the victim with a sender address that resembles a trusted party. This type of spoofing is often part of a phishing campaign to obtain sensitive information. A victim who fails to scrutinize the sender’s address will usually fail to notice any differences from the trusted party's address. Common techniques for accomplishing this include using characters in the email address that are difficult to see or closely resemble other characters. The email message will often contain malware that executes when the victim clicks on a link.
Website spoofing involves the attacker creating a website that looks like one from an organization that the victim trusts, complete with logos and other branding information. It's often a key part of a phishing campaign in which an email contains a link that brings up a fake web page that appears to be a login screen for an account the victim uses, usually for a bank or other financial institution. The message also prompts victims to enter their login information, generally under the pretext of a security verification process. The attacker will then harvest this information for use in some future attack or outright financial fraud.
ARP allows hosts on a Local Area Network (LAN) to resolve an IP address to the Media Access Control (MAC) address that frames are actually transmitted to. An ARP spoofing attack involves attackers sending messages with false data across a LAN to link a legitimate IP address with their own MAC address. An attacker can then access and modify data intended for the recipient at the IP address.
Another tactic in ARP spoofing is for attackers to use their own MAC address to respond to legitimate network users' requests. Attackers can place themselves into the network traffic between two hosts in a way that allows them to read that data. This technique can allow attackers to extract valuable data from the traffic, most notably session tokens. This information can provide the attacker with complete access to application accounts. ARP spoofing is often combined with other types of attacks such as DoS attacks, MITM attacks, and session hijacking.
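The ARP-cache poisoning described above leaves a visible trace on the wire: an IP address that suddenly answers with a different MAC, or one MAC answering for several IPs. The following detector, added here as an example and not code from the original article, keeps a table of IP-to-MAC bindings learned from ARP replies (the approach tools such as arpwatch use) and raises alerts on both patterns; the addresses and replies are constructed sample data.

```python
from collections import defaultdict

def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """replies: iterable of (timestamp, sender_ip, sender_mac) taken from
    ARP 'is-at' replies seen on the LAN. Returns a list of alert strings.
    max_ips_per_mac allows for routers or VM hosts that legitimately
    answer for several addresses (raise it to tune false positives)."""
    bindings = {}                   # ip -> MAC first learned for it
    ips_for_mac = defaultdict(set)  # MAC -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac
        elif known != mac:
            # A legitimate DHCP reassignment also triggers this, as it does
            # in arpwatch; an operator confirms which it is.
            alerts.append(f"{ts} CHANGE {ip}: {known} -> {mac}")
            bindings[ip] = mac
        before = len(ips_for_mac[mac])
        ips_for_mac[mac].add(ip)
        grew = len(ips_for_mac[mac]) > before
        if grew and len(ips_for_mac[mac]) > max_ips_per_mac:
            alerts.append(f"{ts} MULTI {mac} claims {sorted(ips_for_mac[mac])}")
    return alerts

# Constructed sample: the gateway at 192.168.1.1 and a host at .10 answer
# normally, then a third MAC starts answering for both of them.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1",  "00:11:22:33:44:01"),
    ("10:00:02", "192.168.1.10", "00:11:22:33:44:0a"),
    ("10:00:03", "192.168.1.1",  "00:11:22:33:44:01"),
    ("10:00:09", "192.168.1.1",  "de:ad:be:ef:00:01"),  # poisoned reply
    ("10:00:10", "192.168.1.10", "de:ad:be:ef:00:01"),  # same MAC, other IP
]

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print(line)
```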
DNS resolves domain names to IP addresses, much as ARP resolves IP addresses to MAC addresses. Attackers can therefore use DNS server spoofing to plant corrupt entries in a DNS cache that allow them to impersonate the domain name of a host. Assume for this example that an attacker successfully spoofs the domain name www.onlinebanking.com. That attacker can then pose as that website to obtain information that a user would only knowingly provide to www.onlinebanking.com.
Attackers can also use DNS server spoofing to gain unauthorized access to other hosts, making this type of spoofing highly effective for conducting MITM attacks. In some cases, these attackers can redirect the victim to a fake website containing malware. DNS server spoofing is much easier when the attacker has already spoofed the victim's IP address.
Education is one of the most effective ways of detecting spoofing attacks. Users must always keep a careful watch for signs of spoofing, such as a phishing email. These messages often use poor grammar, spelling, or overall sentence construction that you don't expect from a professional organization, especially a financial institution. These messages also overemphasize the need to take immediate action to create a sense of panic in the recipient. Close inspection of a spoofed email may also show that the sender's address differs from the authentic address by only one character. Detection and response solutions can also help your organization detect spoofing attacks before they succeed.
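The one-character and look-alike-character tricks described in the email spoofing section and in the paragraph above can be checked mechanically. The snippet below is an added example, not code from the original article: it folds visually confusable sequences (rn for m, vv for w, 0 for o, 1 for l) in the sender's domain and then measures the edit distance to a list of trusted domains; the trusted domains and sample senders are constructed.

```python
import unicodedata

# Sequences that imitate another character in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def normalize_domain(domain):
    """Lower-case, strip accents and compatibility forms (e.g. fullwidth
    letters), then collapse confusable sequences. Mixed-script lookalikes
    such as Cyrillic letters are not folded by this simple version."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for seq, rep in CONFUSABLES:
        d = d.replace(seq, rep)
    return d

def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(address, trusted_domains, max_distance=2):
    """Return (verdict, closest_trusted_domain) for one sender address;
    verdict is 'trusted', 'lookalike' or 'unrelated'."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return "trusted", domain
    norm = normalize_domain(domain)
    best = min(trusted_domains,
               key=lambda t: edit_distance(norm, normalize_domain(t)))
    dist = edit_distance(norm, normalize_domain(best))
    return ("lookalike" if dist <= max_distance else "unrelated"), best

TRUSTED = ["examplebank.com", "example.org"]   # constructed list

if __name__ == "__main__":
    for sender in ["alerts@examplebank.com", "alerts@exarnplebank.com",
                   "billing@examp1ebank.com", "news@unrelated-shop.net"]:
        print(sender, check_sender(sender, TRUSTED))
```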
It's imperative that you not click on any attachments or links in suspected spoofed messages regardless of whether you receive them by email or some other means. Verify that a message is authentic by contacting the purported sender through other means rather than the message’s contact information. Similarly, you should open a new browser window and directly enter the URL for the purported sender instead of using the message’s link.
A variety of tools are readily available to help prevent spoofing attacks. For example, a spam filter can prevent you from receiving many phishing emails. Many organizations also use software to prevent spam phone calls from reaching their users. These solutions may also protect against some types of spoofing attacks, further reducing their potential to cause harm.
Certain practices can also increase an organization's resistance to spoofing attacks. For example, a network should avoid relying on trusted relationships alone to authenticate users, since exploiting such trust is what nearly every spoofing attack depends on. In addition, packet filtering solutions can remove suspect packets from network traffic to prevent an IP spoofing attack. These solutions generally inspect packets to identify those whose source address conflicts with where they came from. Additional methods of preventing spoofing attacks include secure network protocols like HTTP Secure (HTTPS) and Secure Shell (SSH).
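The packet-filtering check above amounts to an ingress/egress anti-spoofing rule: a packet from the internet must not claim one of our own addresses, and a packet leaving our network must carry one of our own addresses. The following filter is an added example, not code from the original article; the interface names, the internal prefix and the sample packets are constructed (using documentation address ranges).

```python
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network("203.0.113.0/24")]   # our own prefix
# Sources that should never arrive from the internet side: private space,
# loopback, link-local and "this" network.
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
           "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_packet(iface, src):
    """iface: 'wan' (arrived from the internet) or 'lan' (from our hosts).
    Returns ('accept' | 'drop', reason) based only on the source address
    and the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    if iface == "wan":
        if _in_any(addr, INTERNAL_NETS):
            return "drop", "external packet claims an internal source"
        if _in_any(addr, BOGONS):
            return "drop", "external packet has a bogon source"
        return "accept", "ok"
    if iface == "lan":
        if not _in_any(addr, INTERNAL_NETS):
            return "drop", "outbound packet with a foreign source"
        return "accept", "ok"
    return "drop", "unknown interface"

SAMPLE_PACKETS = [             # (interface, source address), constructed
    ("wan", "198.51.100.7"),   # normal inbound traffic
    ("wan", "203.0.113.5"),    # spoofed: pretends to be one of our hosts
    ("wan", "192.168.1.9"),    # private source arriving from the internet
    ("lan", "203.0.113.5"),    # normal outbound traffic
    ("lan", "198.51.100.9"),   # our host spoofing someone else's address
]

if __name__ == "__main__":
    for iface, src in SAMPLE_PACKETS:
        verdict, reason = filter_packet(iface, src)
        print(f"{iface} {src:15} {verdict:6} {reason}")
```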