Beware Spoofing Attacks

The term “spoofing” might have a comic implication in some contexts, but it’s no joke when it comes to information security. In fact, this is a subject matter of a whole separate chapter in a seasoned cybercriminal’s handbook. It comprises a multitude of techniques aimed at camouflaging a malicious actor or device as somebody or something else. The goal is to feign trust, gain a foothold in a system, get hold of data, pilfer money, or distribute predatory software.

What can black hats try to forge to make their attacks pan out? A ton of things: an IP address, a phone number, a web page, a login form, an email address, a text message, GPS location, one’s face – you name it. Some of these hoaxes piggyback on human gullibility, while others cash in on exploiting hardware or software flaws. Out of all the nefarious scenarios that fit the mold of a spoofing attack, the following 11 types are growingly impactful for the enterprise these days.

ARP Spoofing
This one is a common source of man-in-the-middle attacks. To execute it, a cybercriminal inundates a local area network with falsified Address Resolution Protocol (ARP) packets in order to tamper with the normal traffic routing process. The logic of this interference boils down to binding the adversary’s MAC address with the IP address of the target’s default LAN gateway. In the aftermath of this manipulation, all traffic is redirected to the malefactor’s computer prior to reaching its intended destination. To top it off, the attacker may be able to distort the data before forwarding it to the real recipient or stop all network communication. As if these adverse effects weren’t enough, ARP spoofing can also serve as a launchpad for DDoS attacks.

MAC Spoofing
In theory, every network adapter built into a connected device should have a unique Media Access Control (MAC) address that won’t be encountered elsewhere. In practice though, a clever hack can turn this state of things upside down. An attacker may harness imperfections of some hardware drivers to modify, or spoof, the MAC address. This way, the criminal masquerades his device as one enrolled in a target network to bypass traditional access restriction mechanisms. From there, he can pass himself off as a trusted user and orchestrate frauds like business email compromise (BEC), steal data, or deposit malware onto the digital environment.

IP Spoofing
To perform this attack, the adversary sends Internet Protocol packets that have a falsified source address. This is a way to obfuscate the actual online identity of the packet sender and thereby impersonate another computer. IP spoofing is often used to set DDoS attacks in motion. The reason is that it’s hard for digital infrastructure to filter such rogue packets, given that each one appears to hail from a different address and therefore the crooks feign legitimate traffic quite persuasively. Furthermore, this technique can be leveraged to get around authentication systems that use a device’s IP address as a critical identifier.

DNS Cache Poisoning (DNS Spoofing)
Every tech-savvy user knows the Domain Name Server (DNS) wiki: it maps domain names to specific IP addresses so that people type easy-to-remember URLs in the browser rather than enter the underlying IP strings. Threat actors may be able to contort this mapping logic by piggybacking on known DNS server caching flaws. As a result of this interference, the victim runs the risk of going to a malicious replica of the intended domain. From a cybercriminal’s perspective, that’s a perfect basis for phishing hoaxes that look really true-to-life.

Email Spoofing
Core email protocols aren’t immaculate and might yield quite a few options for an attacker to misrepresent certain message attributes. One of the common vectors of this abuse boils down to modifying the email header. The outcome is that the sender address (shown in the “From” field) appears to match a legitimate one while actually coming from an entirely different source. The attacker can cash in on this inconsistency to impersonate a trusted person such as a co-worker, a senior executive, or a contractor. The above-mentioned BEC scams heavily rely on this exploitation, making social engineering efforts pull the right strings so that the victim gives the green light to a fraudulent wire transfer without a second thought.

Website Spoofing
A con artist may try to dupe a target organization’s employees into visiting a “carbon copy” of a website they routinely use for their work. Unfortunately, black hats are becoming increasingly adept at mimicking the layout, branding, and sign-in forms of legitimate web pages. Pair that with the DNS spoofing trick mentioned above – and the sketchy combo becomes extremely difficult to identify. However, faking a website is a half-baked tactic unless it’s backed by a phishing email that lures the recipient into clicking a malicious link. Criminals typically leverage such a multi-pronged stratagem to steal authentication details or distribute malware that provides them with backdoor access to an enterprise network. URL\website spoofing may also lead to identity theft.

Caller ID Spoofing
Although this is an old school scheme, it’s still alive and kicking these days. To pull it off, ill-minded individuals exploit loopholes in the functioning of telecommunications gear to fabricate caller details you see on your phone’s screen. Obviously, the use cases aren’t isolated to prank calls. The attacker may spoof a caller ID to pass himself off as a person you know or as a representative of a company you do business with. In some cases, the incoming call details shown on a smartphone’s display will include a reputable brand’s logo and physical address to increase the odds of your answering the phone. The aim of this type of a spoofing attack is to hoodwink you into disclosing personal info or paying non-existent bills.

Text Message Spoofing
As opposed to caller ID spoofing, this technique isn’t necessarily used for dodgy purposes. One of the ways modern businesses interact with their customers is through text messages where the originating entity is reflected as an alphanumeric string (such as the company name) rather than a phone number. Unfortunately, crooks can weaponize this tech in a snap. A typical scenario of a text message spoofing attack is where a scammer substitutes the SMS sender ID with a brand name the recipient trusts. This impersonation chicanery can become a springboard for spear phishing, data theft, and increasingly prolific gift card scams zeroing in on organizations.

Extension Spoofing
Every Windows user is aware of the fact that the operating system keeps file extensions out of sight by default. Whereas this is done for the sake of better user experience, it can also fuel fraudulent activity and malware distribution. To disguise a harmful binary as a benign object, all it takes is using a double extension. For instance, an item named Meeting.docx.exe will look just like a regular Word document and will even have the right icon. It’s actually an executable though. The good news is, any mainstream security solution will alert the user whenever they try to open a file like that.

GPS Spoofing
With users increasingly relying on geolocation services to reach a destination or avoid traffic jams, cybercriminals may try to manipulate a target device’s GPS receiver into signaling inaccurate whereabouts. What’s the rationale behind doing this? Well, nation states can employ GPS spoofing to thwart intelligence gathering and even sabotage other countries’ military facilities. That being said, the enterprise isn’t really on the sidelines of this phenomenon. Here’s a hypothetical example: a perpetrator may interfere with the navigation system built into the vehicle of a CEO who is in a hurry for an important meeting with a potential business partner. As a result, the victim will take a wrong turn, only to get stuck in traffic and be late for the meeting. This could undermine the future deal.

Facial Spoofing
Facial recognition is at the core of numerous authentication systems nowadays and it is quickly extending its reach. Aside from the use of this technology to unlock electronic devices such as smartphones and laptops, one’s face might become a critical authentication factor for signing documents and approving wire transfers moving forward. Cybercriminals never miss hype trains like that, so they will definitely look for and exploit weak links in the face ID implementation chain. Unfortunately, this can be fairly easy to do. For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user. Scammers with enough resources and time on their hands can undoubtedly unearth and use similar imperfections.

How to Fend off Spoofing Attacks?
The following tips will help your organization minimize the risk of falling victim to a spoofing attack:

  • Think of rebuilding your org chart. It is good when IT operations report to CISO. Architecture, applications, management and strategy remain with the IT department, but having them report to CISO helps to ensure that their priorities remain security-focused.
  • Benefit from penetration testing and red teaming. It’s hard to think of a more effective way for an organization to assess its security posture from the ground up. A professional pentester who thinks and acts like an attacker can help discover network vulnerabilities and give the IT personnel actionable insights into what needs improvement and how to prioritize their work. At the same time, the red teaming exercises will ensure an ongoing preparedness of the security team to detect and resist new attacks.
  • Get visibility across all platforms. Today, there is a wide spread of data coming from applications, cloud services, etc. The growing number of sources may impact the visibility of the CISO. To address any security issues, you should be able to monitor the cloud, mobile, and on-premise servers and have instant access to all of them in order to always be on the lookout for possible incidents and correlate all the activities.
  • Say “No” to trust relationships. Many organizations boil their device authentication down to IP addresses alone. This approach is known as trust relationships and it, obviously, can be parasitized by scammers through an IP spoofing attack.
  • Leverage packet filtering. This mechanism is used to extensively analyze traffic packets as they roam across a network. It is a great countermeasure for IP spoofing attacks because it identifies and blocks packets with invalid source address details. In other words, if a packet is sent from outside the network but has an internal source address, it’s automatically filtered out.
  • Use anti-spoofing software. Thankfully, there are different solutions that detect the common types of spoofing attacks, including ARP and IP spoofing. In addition to identifying such attempts, anti-spoofing software will stop them in their tracks.

Extra Precautions for Personnel
Keep in mind that the security of a network is as strong as its weakest link. Don’t let the human factor be that link. Investing in a security awareness training program is definitely worth the resources spent. It will help every employee understand their role in the organization’s digital well-being. Make sure your employees know the telltale signs of a spoofing attack and adhere to the following recommendations:

  • Examine emails for typos and grammar errors. These inaccuracies in an email subject and body can be a giveaway in a phishing scenario.
  • Look for a padlock icon next to a URL. Every trustworthy website has a valid SSL certificate, which means the owner’s identity has been verified by a third-party certification authority. If the padlock symbol is missing, it most likely indicates that the site is spoofed and you should immediately navigate away. The flip side of the matter is that there are workarounds allowing malefactors to get rogue security certificates, so you are better off performing some extra checks when in doubt.
  • Refrain from clicking links in emails and social media. An email that instructs you to click an embedded link is potentially malicious. If you receive one, be sure to scrutinize the rest of the contents and double-check the sender’s name and address. Additionally, look up a few phrases from the message in a search engine – chances are that it’s part of an ongoing phishing campaign that has been reported by other users.
  • Confirm suspicious requests in person. If you have received an email, supposedly from your boss or colleague, asking you to urgently complete a payment transaction, don’t hesitate to give that person a phone call and confirm that the request is real.
  • Make file extensions visible. Windows obfuscates extensions unless configured otherwise. To avoid the double extension trick, click the “View” tab in File Explorer and check the “File name extensions” box. 

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.

This article was first published in Security Magazine

You Might Also Read:

Google Search Results Spoofed To Create Fake News:

 

 

 

 

« WEBINAR: How to design a least privilege architecture in AWS
Fighting Fake News With Cyber Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

National Response Centre for Cyber Crime (NR3C)

National Response Centre for Cyber Crime (NR3C)

National Response Centre for Cyber Crime (NR3C) is a law enforcement agency in Pakistan dedicated to fighting cyber crime.

IPCopper

IPCopper

IPCopper specializes in network packet capture appliances for cybersecurity, cybersurveillance and network monitoring, and encrypted data storage.

APrivacy

APrivacy

APrivacy provides information and communication security products for the financial services industry.

Idemia

Idemia

Idemia is a global leader in security and identity solutions.

NetLib Security

NetLib Security

NetLib Security’s powerful, patented data security platform helps companies control data loss prevention (DLP) by managing what data can be transferred outside of their network.

Elysium Analytics

Elysium Analytics

Elysium Cognitive Security Analytics delivers the latest and most flexible security system to reduce cost and complexity while providing unmatched scalability.

Thridwayv

Thridwayv

Thirdwayv helps your enterprise realize the full potential of loT connectivity. All while neutralizing security threats that can run ruin the customer experience - and your reputation.

Collins Aerospace

Collins Aerospace

Collins Aerospace provides cybersecurity services and systems to protect critical infrastructure facilities and railroad operations.

Liberty Mutual

Liberty Mutual

Liberty Specialty Markets offers specialty and commercial insurance and reinsurance products, including Cyber, across the USA, Europe, Middle East and other international locations.

Nuts Technologies

Nuts Technologies

Nuts Technologies are simplifying data privacy and encryption with our innovative and novel data containers we call nuts based on our Zero Trust Data framework.

ShellBoxes

ShellBoxes

ShellBoxes are a leading Web3 company focused on providing top-notch blockchain security and development services.

Paperclip

Paperclip

Paperclip provides paperless solutions while enabling compliance and security for the exchange of critical content.

Eden Data

Eden Data

Eden Data is on a mission to break the outdated mold of traditional cybersecurity consulting. We handle all of your security, compliance & data privacy needs.

BugProve

BugProve

BugProve offers a firmware analysis tool that speeds up security testing processes and supports compliance needs by automating repetitive tasks and detecting 0-day vulnerabilities.

SecurityBridge

SecurityBridge

SecurityBridge provide a cybersecurity connection between our customers’ IT departments, the forward-facing business services, and their SAP applications.

Efex

Efex

Efex is one of Australia’s leading Managed Technology Solutions providers. We service local companies across Australia, providing accessible, fast and straightforward IT.