Beware Spoofing Attacks

The term “spoofing” might have a comic implication in some contexts, but it’s no joke when it comes to information security. In fact, it is the subject of a whole separate chapter in a seasoned cybercriminal’s handbook. It comprises a multitude of techniques aimed at camouflaging a malicious actor or device as somebody or something else. The goal is to feign trust, gain a foothold in a system, get hold of data, pilfer money, or distribute predatory software.

What can black hats try to forge to make their attacks pan out? A ton of things: an IP address, a phone number, a web page, a login form, an email address, a text message, GPS location, one’s face – you name it. Some of these hoaxes piggyback on human gullibility, while others cash in on exploiting hardware or software flaws. Out of all the nefarious scenarios that fit the mold of a spoofing attack, the following 11 types are increasingly impactful for the enterprise these days.

ARP Spoofing
This one is a common source of man-in-the-middle attacks. To execute it, a cybercriminal inundates a local area network with falsified Address Resolution Protocol (ARP) packets in order to tamper with the normal traffic routing process. The logic of this interference boils down to binding the adversary’s MAC address to the IP address of the target’s default LAN gateway. In the aftermath of this manipulation, all traffic is redirected to the malefactor’s computer prior to reaching its intended destination. To top it off, the attacker may be able to distort the data before forwarding it to the real recipient or stop all network communication. As if these adverse effects weren’t enough, ARP spoofing can also serve as a launchpad for DDoS attacks.
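The symptom a defender can watch for is the one the paragraph describes: the gateway’s IP address suddenly answering from a different MAC, or one MAC claiming several IP addresses. The following script is an added example, not code from the article or its author; it runs over a constructed list of ARP replies (timestamp, sender IP, sender MAC) rather than live traffic, and the gateway address and MACs are made-up sample values.

```python
"""Detect ARP spoofing symptoms from a log of ARP replies (added example).

Tracks the IP-to-MAC bindings observed in ARP replies and raises an alert when
a known IP starts answering from a new MAC (critical if it is the gateway) or
when a single MAC claims more than one IP address.
"""
from collections import defaultdict

# Constructed sample data: (timestamp, sender_ip, sender_mac) from ARP replies.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # legitimate gateway
    ("10:00:02", "192.168.1.20", "aa:bb:cc:00:00:20"),
    ("10:00:03", "192.168.1.21", "aa:bb:cc:00:00:21"),
    ("10:00:09", "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now from a new MAC
    ("10:00:10", "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims a host IP
]


def analyze_arp(replies, gateway_ip):
    """Return a list of alert strings for the suspicious bindings in `replies`."""
    ip_to_mac = {}                  # last MAC seen for each IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {severity}: {ip} moved from {previous} to {mac}")
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            claimed = ", ".join(sorted(mac_to_ips[mac]))
            alerts.append(f"{ts} WARNING: {mac} claims multiple IPs ({claimed})")
    return alerts


if __name__ == "__main__":
    for line in analyze_arp(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(line)
```

A static ARP entry for the gateway, or dynamic ARP inspection on the switch, is the usual fix once such an alert fires; this script only makes the symptom visible.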

MAC Spoofing
In theory, every network adapter built into a connected device should have a unique Media Access Control (MAC) address that won’t be encountered elsewhere. In practice though, a clever hack can turn this state of things upside down. An attacker may harness imperfections of some hardware drivers to modify, or spoof, the MAC address. This way, the criminal masquerades his device as one enrolled in a target network to bypass traditional access restriction mechanisms. From there, he can pass himself off as a trusted user and orchestrate frauds like business email compromise (BEC), steal data, or deposit malware onto the digital environment.

IP Spoofing
To perform this attack, the adversary sends Internet Protocol packets that have a falsified source address. This is a way to obfuscate the actual online identity of the packet sender and thereby impersonate another computer. IP spoofing is often used to set DDoS attacks in motion. The reason is that it’s hard for digital infrastructure to filter such rogue packets, given that each one appears to hail from a different address and therefore the crooks feign legitimate traffic quite persuasively. Furthermore, this technique can be leveraged to get around authentication systems that use a device’s IP address as a critical identifier.

DNS Cache Poisoning (DNS Spoofing)
Every tech-savvy user knows the basics of the Domain Name System (DNS): it maps domain names to specific IP addresses so that people can type easy-to-remember URLs in the browser rather than enter the underlying IP strings. Threat actors may be able to corrupt this mapping by piggybacking on known DNS server caching flaws. As a result of this interference, the victim runs the risk of going to a malicious replica of the intended domain. From a cybercriminal’s perspective, that’s a perfect basis for phishing hoaxes that look really true-to-life.

Email Spoofing
Core email protocols aren’t immaculate and might yield quite a few options for an attacker to misrepresent certain message attributes. One of the common vectors of this abuse boils down to modifying the email header. The outcome is that the sender address (shown in the “From” field) appears to match a legitimate one while actually coming from an entirely different source. The attacker can cash in on this inconsistency to impersonate a trusted person such as a co-worker, a senior executive, or a contractor. The above-mentioned BEC scams heavily rely on this exploitation, making social engineering efforts pull the right strings so that the victim gives the green light to a fraudulent wire transfer without a second thought.
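What the receiving mail server sees, and the user does not, is the gap between the visible “From” address and the rest of the headers. The check below is an added example, not code from the article or its author: it uses Python’s standard `email` module to compare the From domain with the Return-Path and Reply-To domains and to read the SPF/DKIM/DMARC verdicts from an Authentication-Results header. Both messages are constructed samples using the reserved example.com and example.net domains.

```python
"""Check email headers for spoofing indicators (added example).

Compares the visible From domain with the envelope sender (Return-Path),
the Reply-To domain, and the SPF/DKIM/DMARC results that the receiving mail
server recorded in Authentication-Results.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: visible From is example.com, but the envelope sender and
# Reply-To live elsewhere and DMARC failed because SPF is not aligned with From.
SAMPLE_RAW = """\
Return-Path: <bounce@mail.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.example.net; dkim=none; dmarc=fail header.from=example.com
From: "CEO" <ceo@example.com>
Reply-To: ceo.urgent@example.net
To: finance@example.com
Subject: Urgent wire transfer

Please process the attached wire today.
"""

# Constructed sample of a legitimate message from the same sender.
CLEAN_RAW = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "CEO" <ceo@example.com>
To: finance@example.com
Subject: Lunch

See you at noon.
"""


def _domain(header_value):
    """Domain part of the first address in a header value, lower-cased ('' if none)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def spoofing_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_dom = _domain(msg.get("From", ""))
    findings = []

    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom and not rp_dom.endswith("." + from_dom):
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")

    reply_dom = _domain(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # The receiving server's own verdicts; anything other than pass is worth a look.
    auth = msg.get("Authentication-Results", "").lower()
    for mechanism in ("spf", "dkim", "dmarc"):
        for result in ("fail", "none", "softfail"):
            if f"{mechanism}={result}" in auth:
                findings.append(f"{mechanism} result is {result}")
    return findings


if __name__ == "__main__":
    for finding in spoofing_indicators(SAMPLE_RAW):
        print("suspicious:", finding)
```

Note that SPF alone passes for the spoofed message, because the attacker controls the envelope domain; it is the DMARC alignment check against the From domain that fails, which is why publishing a DMARC policy matters for the domains BEC scams impersonate.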

Website Spoofing
A con artist may try to dupe a target organization’s employees into visiting a “carbon copy” of a website they routinely use for their work. Unfortunately, black hats are becoming increasingly adept at mimicking the layout, branding, and sign-in forms of legitimate web pages. Pair that with the DNS spoofing trick mentioned above – and the sketchy combo becomes extremely difficult to identify. However, faking a website is a half-baked tactic unless it’s backed by a phishing email that lures the recipient into clicking a malicious link. Criminals typically leverage such a multi-pronged stratagem to steal authentication details or distribute malware that provides them with backdoor access to an enterprise network. URL/website spoofing may also lead to identity theft.

Caller ID Spoofing
Although this is an old school scheme, it’s still alive and kicking these days. To pull it off, ill-minded individuals exploit loopholes in the functioning of telecommunications gear to fabricate the caller details you see on your phone’s screen. Obviously, the use cases aren’t isolated to prank calls. The attacker may spoof a caller ID to pass himself off as a person you know or as a representative of a company you do business with. In some cases, the incoming call details shown on a smartphone’s display will include a reputable brand’s logo and physical address to increase the odds of your answering the phone. The aim of this type of spoofing attack is to hoodwink you into disclosing personal info or paying non-existent bills.

Text Message Spoofing
As opposed to caller ID spoofing, this technique isn’t necessarily used for dodgy purposes. One of the ways modern businesses interact with their customers is through text messages where the originating entity is reflected as an alphanumeric string (such as the company name) rather than a phone number. Unfortunately, crooks can weaponize this tech in a snap. A typical scenario of a text message spoofing attack is where a scammer substitutes the SMS sender ID with a brand name the recipient trusts. This impersonation chicanery can become a springboard for spear phishing, data theft, and increasingly prolific gift card scams zeroing in on organizations.

Extension Spoofing
Every Windows user is aware of the fact that the operating system keeps file extensions out of sight by default. Whereas this is done for the sake of better user experience, it can also fuel fraudulent activity and malware distribution. To disguise a harmful binary as a benign object, all it takes is using a double extension. For instance, an item named Meeting.docx.exe will look just like a regular Word document and will even have the right icon. It’s actually an executable though. The good news is, any mainstream security solution will alert the user whenever they try to open a file like that.
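A mail gateway or file-share scanner can apply the same reasoning the user cannot, because it sees the full file name. The script below is an added example, not code from the article or its author: it reproduces what Windows would display with extensions hidden and flags names whose real, final extension is executable while the visible part ends in a document or image extension. The extension lists are illustrative rather than exhaustive, and the file names are constructed samples.

```python
"""Flag files that use the double-extension trick (added example).

"Meeting.docx.exe" is displayed as "Meeting.docx" when Windows hides file name
extensions. This check looks at the real final extension and at the extension
that would remain visible, and reports names where the two disagree.
"""
from pathlib import PurePath

# Illustrative lists, not exhaustive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                   ".vbs", ".msi", ".hta", ".ps1"}
DOCUMENT_EXTS = {".docx", ".doc", ".xlsx", ".pptx", ".pdf", ".txt",
                 ".jpg", ".png"}

# Constructed sample file names.
SAMPLE_NAMES = ["Meeting.docx.exe", "Meeting.docx", "setup.exe",
                "archive.tar.gz", "Invoice.pdf.scr"]


def displayed_name(filename):
    """The name as File Explorer shows it with 'File name extensions' unchecked."""
    path = PurePath(filename)
    return path.stem if path.suffix else filename


def is_disguised_executable(filename):
    """True when the real extension is executable but the visible one looks like a document."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False            # a plain .exe is not disguised, and a plain .docx is fine
    real_ext, shown_ext = suffixes[-1], suffixes[-2]
    return real_ext in EXECUTABLE_EXTS and shown_ext in DOCUMENT_EXTS


def scan(filenames):
    """Return (real name, displayed name) pairs for every disguised executable."""
    return [(name, displayed_name(name)) for name in filenames
            if is_disguised_executable(name)]


if __name__ == "__main__":
    for real, shown in scan(SAMPLE_NAMES):
        print(f"{real!r} would be shown as {shown!r}")
```

The same logic is a reasonable attachment rule for a mail filter: a file whose hidden extension is executable and whose visible extension promises a document has no legitimate reason to exist.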

GPS Spoofing
With users increasingly relying on geolocation services to reach a destination or avoid traffic jams, cybercriminals may try to manipulate a target device’s GPS receiver into signaling inaccurate whereabouts. What’s the rationale behind doing this? Well, nation states can employ GPS spoofing to thwart intelligence gathering and even sabotage other countries’ military facilities. That being said, the enterprise isn’t really on the sidelines of this phenomenon. Here’s a hypothetical example: a perpetrator may interfere with the navigation system built into the vehicle of a CEO who is in a hurry for an important meeting with a potential business partner. As a result, the victim will take a wrong turn, only to get stuck in traffic and be late for the meeting. This could undermine the future deal.

Facial Spoofing
Facial recognition is at the core of numerous authentication systems nowadays and it is quickly extending its reach. Aside from the use of this technology to unlock electronic devices such as smartphones and laptops, one’s face might become a critical authentication factor for signing documents and approving wire transfers moving forward. Cybercriminals never miss hype trains like that, so they will definitely look for and exploit weak links in the face ID implementation chain. Unfortunately, this can be fairly easy to do. For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user. Scammers with enough resources and time on their hands can undoubtedly unearth and use similar imperfections.

How to Fend off Spoofing Attacks?
The following tips will help your organization minimize the risk of falling victim to a spoofing attack:

  • Think of rebuilding your org chart. It is good when IT operations report to the CISO. Architecture, applications, management and strategy remain with the IT department, but having them report to the CISO helps to ensure that their priorities remain security-focused.
  • Benefit from penetration testing and red teaming. It’s hard to think of a more effective way for an organization to assess its security posture from the ground up. A professional pentester who thinks and acts like an attacker can help discover network vulnerabilities and give the IT personnel actionable insights into what needs improvement and how to prioritize their work. At the same time, the red teaming exercises will ensure an ongoing preparedness of the security team to detect and resist new attacks.
  • Get visibility across all platforms. Today, there is a wide spread of data coming from applications, cloud services, etc. The growing number of sources may impact the visibility of the CISO. To address any security issues, you should be able to monitor the cloud, mobile, and on-premise servers and have instant access to all of them in order to always be on the lookout for possible incidents and correlate all the activities.
  • Say “No” to trust relationships. Many organizations boil their device authentication down to IP addresses alone. This approach is known as trust relationships and it, obviously, can be abused by scammers through an IP spoofing attack.
  • Leverage packet filtering. This mechanism is used to extensively analyze traffic packets as they roam across a network. It is a great countermeasure for IP spoofing attacks because it identifies and blocks packets with invalid source address details. In other words, if a packet is sent from outside the network but has an internal source address, it’s automatically filtered out.
  • Use anti-spoofing software. Thankfully, there are different solutions that detect the common types of spoofing attacks, including ARP and IP spoofing. In addition to identifying such attempts, anti-spoofing software will stop them in their tracks.
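The packet-filtering rule from the list above (drop anything arriving from outside that claims an internal source address), together with its mirror image on the way out, is small enough to show in full. The following is an added example, not code from the article or its author; it models the decision with Python’s `ipaddress` module rather than configuring a real firewall, and the internal ranges, bogon list and sample packets are constructed (the bogon list is deliberately partial). It also illustrates the “trust relationships” point: a device that trusts 192.168.1.5 by address alone would accept the first sample packet unless this filter sits in front of it.

```python
"""Ingress/egress filtering against spoofed source addresses (added example).

Inbound: drop packets whose source is one of our internal ranges or a bogon.
Outbound: drop packets whose source is not one of our own ranges, so that a
compromised internal host cannot take part in a spoofed-source DDoS.
"""
import ipaddress

# Constructed: the organization's own address space.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Partial, illustrative list of ranges that are never valid as a public source.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4")]

# Constructed sample packets: (direction relative to the internet, source address).
# 203.0.113.0/24 is a documentation range standing in for a public address here.
SAMPLE_PACKETS = [
    ("inbound", "192.168.1.5"),    # internal source arriving from outside: spoofed
    ("inbound", "127.0.0.1"),      # loopback can never be a real external source
    ("inbound", "203.0.113.9"),    # ordinary external traffic
    ("outbound", "203.0.113.9"),   # our host sending with a foreign source: spoofed
    ("outbound", "10.1.2.3"),      # normal outbound traffic
]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def filter_packet(direction, src):
    """Return ('DROP' | 'ACCEPT', reason) for a packet with source `src`."""
    addr = ipaddress.ip_address(src)
    if direction == "inbound":
        if _in_any(addr, INTERNAL_NETS):
            return "DROP", "internal source address on the external interface"
        if _in_any(addr, BOGON_NETS):
            return "DROP", "bogon source address"
        return "ACCEPT", "external source address"
    if direction == "outbound":
        if not _in_any(addr, INTERNAL_NETS):
            return "DROP", "source address is not ours (egress spoofing)"
        return "ACCEPT", "our own source address"
    raise ValueError(f"unknown direction {direction!r}")


def filter_all(packets):
    """Apply filter_packet to each (direction, src) pair and return the decisions."""
    return [(direction, src) + filter_packet(direction, src) for direction, src in packets]


if __name__ == "__main__":
    for direction, src, verdict, reason in filter_all(SAMPLE_PACKETS):
        print(f"{direction:8} {src:15} {verdict:6} {reason}")
```

The outbound rule is the part organizations most often skip; it does nothing for their own protection, but it is what stops their network from being used as the source of spoofed DDoS traffic against someone else.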

Extra Precautions for Personnel
Keep in mind that the security of a network is as strong as its weakest link. Don’t let the human factor be that link. Investing in a security awareness training program is definitely worth the resources spent. It will help every employee understand their role in the organization’s digital well-being. Make sure your employees know the telltale signs of a spoofing attack and adhere to the following recommendations:

  • Examine emails for typos and grammar errors. These inaccuracies in an email subject and body can be a giveaway in a phishing scenario.
  • Look for a padlock icon next to a URL. Every trustworthy website has a valid SSL certificate, which means the owner’s identity has been verified by a third-party certification authority. If the padlock symbol is missing, it most likely indicates that the site is spoofed and you should immediately navigate away. The flip side of the matter is that there are workarounds allowing malefactors to get rogue security certificates, so you are better off performing some extra checks when in doubt.
  • Refrain from clicking links in emails and social media. An email that instructs you to click an embedded link is potentially malicious. If you receive one, be sure to scrutinize the rest of the contents and double-check the sender’s name and address. Additionally, look up a few phrases from the message in a search engine – chances are that it’s part of an ongoing phishing campaign that has been reported by other users.
  • Confirm suspicious requests in person. If you have received an email, supposedly from your boss or colleague, asking you to urgently complete a payment transaction, don’t hesitate to give that person a phone call and confirm that the request is real.
  • Make file extensions visible. Windows hides extensions unless configured otherwise. To avoid the double extension trick, click the “View” tab in File Explorer and check the “File name extensions” box.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.

This article was first published in Security Magazine
