Spoofing Attacks

December 17, 2020

What is Spoofing?

Spoofing is a technique through which a cybercriminal disguises themselves as a known or trusted source. Spoofing can take many forms, such as spoofed emails, IP spoofing, DNS Spoofing, GPS spoofing, website spoofing, and spoofed calls.

In so doing, the adversary is able to engage with the target and access their systems or devices with the ultimate goal of stealing information, extorting money or installing malware or other harmful software on the device.

It is fairly common for attackers to spoof multiple points of contact, such as an email address and website, in order to initiate the communication and carry out the actual attack. For example, cybercriminals may spoof an email address in order to engage a potential victim and then use a spoofed website to capture the user’s log in credentials or other information.

In most cases, spoofing attacks also leverage phishing and social engineering techniques to spur activity or gather additional information. These methods often exploit human emotions such as excitement, curiosity, empathy or fear to act quickly or rashly. In so doing, cybercriminals trick their victims into giving up personal information, clicking malicious links, downloading infected files or paying a ransom.

2021 CrowdStrike Global Threat Report

Download the 2021 Global Threat Report to uncover trends in attackers’ ever-evolving tactics, techniques, and procedures that our teams observed this past year.

Download Now

Types of Spoofing Attacks

Spoofing attacks take many forms, from the relatively simple to advanced. Common types of spoofing attacks include:

Email Spoofing

One of the most common types of spoofing attacks is email spoofing. This occurs when an attacker purports to be a known, familiar or plausible contact by either altering the “From” field to match a trusted contact or mimicking the name and email address of a known contact. For example, a spoofed email address may use a zero (0) in place of the letter O, or substitute an uppercase I for a lower-case L. This is called a homograph attack or visual spoofing.

In most email spoofing attacks, the message contains links to malicious websites or infected attachments. The attacker may also use social engineering techniques to convince the recipient to divulge personal data or other sensitive information.

Caller ID Spoofing

Similar to email spoofing, caller ID spoofing disguises an adversary’s actual phone number with one that is familiar. If the recipient answers the phone, attackers typically pose as a customer support agent to gather personal information, such as a social security number, date of birth, banking details or even passwords. Some advanced telephone spoofing attacks can reroute the call to an international or long-distance carrier, causing the victim to rack up extensive bills.

Website or Domain Spoofing

Website spoofing is when an attacker creates a website that mimics an existing site – often by slightly changing domain names. The goal of these attacks is to have users attempt to log into their account, at which point the attacker can record their account credentials or other personal information. The attackers can then use the credentials on a trusted website or sell the information. Website spoof attacks are usually triggered by an email spoof—meaning that the attacker first reaches out using a fictitious email account and drives traffic to the spoofed website.

IP Spoofing

Attackers can alter their IP address in order to hide their real identity or impersonate another user. This technique is commonly used by advanced adversaries in a DoS attack. Using this technique, attackers alter their IP address in order to flood the victim’s site with traffic, limiting access for authentic users. Learn more about DoS attacks.

Address Resolution Protocol (ARP) Spoofing

Address Resolution Protocol (ARP) is the process of matching IP addresses to Media Access Control (MAC) addresses in order to transmit data. In an ARP spoofing attack, the adversary links their MAC to a legitimate network IP address so the attacker can receive data meant for the owner of that IP address. ARP spoofing is commonly used to steal or modify data. However, it can also be used in DoS and man-in-the-middle (MitM) attacks or in session hijacking.

GPS spoofing

GPS spoofing is the act of altering a device’s GPS so that it registers in a location different from the user’s physical location. While this technique is mostly used by players of online games, such as Pokémon GO, it has far more sinister implications. For example, GPS spoofing can be used to redirect navigation systems in vehicles of all kinds, including passenger cars, commercial airplanes, naval vessels, public busses and everything in between.

Man-in-the-middle (MitM) attack

A man-in-the-middle (MITM) attack is a type of cyberattack in which a third party infiltrates a conversation between a network user and a web application. The goal of this attack is to surreptitiously collect information, such as personal data, passwords or banking details, and/or to impersonate one party in order to solicit additional information or spur action, such as changing login credentials, completing a transaction or initiating a transfer of funds. This type of attack often includes either email spoofing, website spoofing or both in order to trigger activity and carry out the transfer of data.

Facial spoofing

One emerging spoofing technique is related to facial recognition. Since many people now use such technology to unlock their phones or apps, cybercriminals are exploring how to exploit potential vulnerabilities. For example, researchers have demonstrated that it is possible to use 3D facial models built from pictures available on social media to unlock the user’s device via face ID. Further implications for this technology include simulating embarrassing or even criminal video footage of high-profile individuals, such as celebrities, politicians and business leaders in order to extort money.

Spoofing EPP Post image

How is Spoofing done?

As described above, spoofing techniques vary based on the type of attack. For example, in email spoofing, the adversary can hack an unsecured mail server in order to hide their true identity. In a MitM attack, an adversary can create a Wi-Fi access point in order to intercept any web activity and gather personal information. There are also relatively simple or non-technical spoofing techniques, such as altering the “From” field in an email address.

Spoofing examples

In most cases, spoofing is just one component of a broader digital attack. This is because a spoofed email, website or IP address on its own is generally benign. In order to create any value, the spoofer must take the added step of gathering personal information or spurring activity through phishing or social engineering techniques.

Here we take a closer look at some real-world examples of spoofing.

Learn More

An Attack on the Financial Industry: Bokbot is a banking trojan that includes a complex piece of code written to trick victims into sending sensitive information to a command-and-control server. BokBot uses webinjects to create a replica of the original target website. Webinjects create replica websites called webfakes by rewriting URIs to forward traffic to the webfake site. The web browser is not aware that traffic is being redirected to the webfake. The replica site can scrape the victim’s browser page, screenshot it or ignore it. Webinjects have replaced keyloggers as a common method of stealing financial data. Read: Digging into BokBot's Core Module

Spear-phishing

Spear-phishing attacks try to fool people who work at particular businesses or in particular industries in order to gain access to the real target: the business itself. For example, a spear-phishing attack may initially target mid-level managers who work at financial companies in a specific geographical region and whose job title includes the word “finance.”

To execute a spear-phishing attack, adversaries may use a blend of email spoofing, dynamic URLs and drive-by downloads to bypass security controls. Advanced spear-phishing attacks may exploit zero-day vulnerabilities in browsers, applications or plug-ins. The spear-phishing attack may be an early stage in a multi-stage advanced persistent threat (APT) attack that will execute binary downloads, outbound malware communications and data exfiltration in future stages.

COVID-related attacks

During these unprecedented times of COVID-19, phishing continues to be the preferred access route for threat actors. In April 2020, Crowdstrike intelligence identified new phishing campaigns impersonating The World Health Organization (WHO). The phishing campaigns used a social engineering technique to conduct the attack. Threat actors also used spoof email addresses to deliver the “AgentTesla” information stealer using an exploit document called “Virgo.”

Cyber Front Lines Report

Get a unique front-line view and greater insight into the cyber battle these seasoned security experts are waging against today’s most sophisticated adversaries.

Download Now

How to detect Spoofing

In many cases, spoofing attacks are relatively simple to detect and prevent through diligence and awareness. We offer the following list of questions that users can reference to identify a spoofing attack:

Is this request solicited? Is the business or organization responding to a service request or are they asking me to complete a task unprompted? For example, users can often reset a password by requesting a link be sent to the email address on file. However, if a user receives such a link and request unprompted, it may be a spoofing attempt.

Does the message request sensitive information? Reputable businesses and government agencies will never ask people to share sensitive information like passwords or social security numbers in full by email or phone. They also will not send password requests via a third-party or through an external domain. If in doubt, the user should contact the company or agency directly using the contact information posted on the organization’s official website.

Is the organization using a different domain? When receiving a message that contains links, hover over the hyperlink text to preview where the link leads. Banks, doctors, schools or other legitimate service providers will never attempt to route activity or communication through a URL that does not match their current domain. You can also check that the “From” or “Sent” field matches the official domain. If the domain differs from the stated Organization’s domain, the user should contact the company or agency’s official customer service channels at once.

Does the website or link point to an HTTPS address? Secure sites almost always use HTTPS, the encrypted version of HTTP, when transferring data. Be sure the URL begins with HTTPS and features a lock icon in the address bar before accessing the site. Never click a link that does not contain these two security features.

Does the message contain an unsolicited attachment? Legitimate companies will direct users to their official website to access and download files. Never download an unsolicited attachment even from a trusted or familiar source, such as a family member or colleague.

Is the message personalized and professional? Reputable service providers will interact with customers in a personalized and professional way. Very few will begin emails or other messages with generic greetings such as, “Dear customer,” or “To whom it may concern.”

Does the correspondence contain obvious grammar and spelling errors? One of the easiest ways to spot a spoofing attempt is through poor grammar, spelling, design or branding. While some may see this as the sign of a foreign actor with a basic command of English, in fact it is a deliberate technique used by hackers to weed out savvy users and entrap easier targets.

How to protect against Spoofing?

For everyday users, the best way to protect against spoofing is by being vigilant for the signs of such an attack. As noted above, these include:

  • Never click unsolicited links or download unexpected attachments.
  • Always log into your account through a new browser tab or official app — not a link from an email or text.
  • Only access URLs that begin with HTTPS.
  • Never share personal information, such as identification numbers, account numbers or passwords, via phone or email.
  • When contacted by a customer service representative via phone or email, perform a Google search to determine if the number or address is associated with any scams.
  • Use a password manager, which will automatically enter a saved password into a recognized site (but not a spoofed site).
  • Use a spam filter to prevent a majority of spoofed emails from reaching your inbox.
  • Invest in cybersecurity software, which will detect many threats and even stop them from infecting your device.
  • Enable two-way authentication whenever possible, which makes it far more difficult for attackers to exploit.

Organizations must take additional steps to protect their business assets, customers, employees and reputation from cyberattacks. Steps include:

  • Ensure that remote services, VPNs and multifactor authentication (MFA) solutions are fully patched and properly configured and integrated.
  • Use machine learning in conjunction with anomaly detection algorithms to detect patterns associated with attacks.
  • Implement protection against unknown threats such as zero-day vulnerabilities.
  • Search for indications of malicious activity involving DMARC (Domain-based Message Authentication Reporting and Conformance), DKIM (Domain Keys Identified Mail) and SPF (Sender Policy Framework) failures.
  • Scan properties of received messages, including the Attachment Detail property, for malware-related attachment types (such as HTA, EXE and PDF) and automatically send them to be analyzed for additional malware indicators.
  • Create a robust training program for employees that educates them about the risks and indicators of spoofing attacks and other exploit techniques. Leverage attack simulators, when possible, to create a real-world training environment.

Due to the advanced nature of the threat landscape, as well as the complexity of the global business operations, organizations must leverage the latest digital technologies to stay a step ahead of online adversaries. Cloud-based security solutions are of special importance, given that they allow the organization to deploy tools quickly and support the ability to update or adapt to new threats with little downtime.

Learn how CrowdStrike Falcon can help :

CrowdStrike Services