Domain Spoofing

July 21, 2021

What is Domain Spoofing?

Domain spoofing is a form of phishing where an attacker impersonates a known business or person with fake website or email domain to fool people into the trusting them. Typically, the domain appears to be legitimate at first glance, but a closer look will reveal that a W is actually two Vs, or a lowercase L is actually a capital I. Users responding to the message or interacting with the site are tricked into revealing sensitive information, sending money or clicking on malicious links.

Beyond scamming one user at a time, spoofing also causes other problems:

  • Spoofing can be used to distribute malware and conduct other types of attacks, such as distributed denial-of-service (DDoS) attacks and man-in-the-middle attacks.
  • Attacks can use spoofing to hide their identities from law enforcement and others.
  • Attackers can redirect users to unintended sites in order to collect ad dollars; conversely, attackers can fool advertisers into bidding to place their ads on unintended sites.
  • Targeted networks may not be aware they are under attack, so they do not send alerts.
  • Spoofed IP addresses appear to be legitimate, so they may avoid being blacklisted by firewalls and other security controls.

What Are the Main Types of Domain Spoofing?

1. Email Spoofing

Attackers send emails that appear to come from a familiar sender, such as a friend, business or government agency. The fraudulent emails may contain a malicious download or link, lure the recipient to a poisoned website or redirect the user to a website they did not wish to visit.

2. Website Spoofing

Attackers register a domain that is similar to a legitimate domain. They can use this to create a site that nearly replicates the legitimate site and send spoofed emails to lure victims. Once on the spoofed site, users may be offered malicious downloads or asked to provide their personal information, such as login credentials or banking information. Spoofed websites can also be used to commit ad fraud. The scammer submits the false domain to an ad exchange in order to trick advertisers into bidding for space on the spoofed site instead of the legitimate site.

3. DNS Poisoning

DNS poisoning is a form of IP spoofing that’s harder to detect. In DNS poisoning, users attempting to reach a site are redirected to another site. For example, to prevent Chinese citizens from visiting censored sites, the Chinese government’s “Great Firewall of China” redirects users away from censored sites and onto legitimate sites of various types. The unexpected flood of traffic to these legitimate sites can cause crashes and so, when used in this manner, DNS poisoning becomes a DDoS attack.

How Domain Spoofing Attacks Work

An email spoofing attack may work like any spam, phishing or spear-phishing attack, in which an attacker spams people at random or targets users in an industry or corporation with fake messages that contain malicious links or lure users to poisoned websites. The false websites are themselves examples of domain spoofing, so it’s not unusual to see email spoofing and domain spoofing used in tandem.

Or a domain spoofing attack may be part of a larger attack, such as a DDoS attack, in which attackers use spoofed IP addresses to flood a targeted website or server until its resources are exhausted and it slows down or crashes.

Tips to Detect a Spoofed Domain

  • Scrutinize the domain for extra letters or numbers. Particularly look for characters that are easily mistaken for others, such as lowercase Ls and capital Is.
  • Check email header information. Look in the “Received from” field and “Received-SPF” fields. If the domains displayed in these fields don’t match what you know about the supposed sender, the email is spoofed. Sometimes, the data displayed in these fields will be an IP address. Check it by going to a whois lookup on a legitimate site, such as ICANN, Domain Tools or GoDaddy and entering the IP. If the results are not what you expect—for instance, if the domain appears to be hosted in Eastern Europe—then the email should not be trusted.
  • If the domain appears to be correct, check that other information matches. For example, if the email seems to come from a corporate headquarters located in California, make sure any area codes in phone numbers are from the correct city. Mouse over any hyperlinks to see if they lead where you expect. Make sure the name of the business is not a subdomain: for instance, if the email seems to come from CrowdStrike, the links should not lead to crowdstrike.customersupport.com, but from customersupport.crowdstrike.com. The correct name should always appear right before the .com or other file extension and never first.
  • Make sure there’s an SSL (secure sockets layer) certificate. An SSL certificate is a text file that authenticates the identity of a website and encrypts information sent to the server. Most websites today have SSL certificates.
  • Check the SSL certificate. Make sure the domain in the certificate is the correct domain, not a spoofed domain. In Chrome or Brave, check the certificate by clicking on the padlock icon in the address bar, and then click on “Certificate (Valid)” in the pop-up. In Firefox, do the same but instead of looking for Certificate (Valid) in the popup, click on the arrow to the right of the business name and a message declaring the security of the connection status will appear. In Safari, double-click the padlock and select “Show Certificate.”
  • Do not click links within the message or website. Instead, search for the entity and click on the link in the search results.