Beware Spoofing Attacks

The term “spoofing” might have a comic implication in some contexts, but it’s no joke when it comes to information security. In fact, this is a subject matter of a whole separate chapter in a seasoned cybercriminal’s handbook. It comprises a multitude of techniques aimed at camouflaging a malicious actor or device as somebody or something else. The goal is to feign trust, gain a foothold in a system, get hold of data, pilfer money, or distribute predatory software.

What can black hats try to forge to make their attacks pan out? A ton of things: an IP address, a phone number, a web page, a login form, an email address, a text message, GPS location, one’s face – you name it. Some of these hoaxes piggyback on human gullibility, while others cash in on exploiting hardware or software flaws. Out of all the nefarious scenarios that fit the mold of a spoofing attack, the following 11 types are growingly impactful for the enterprise these days.

ARP Spoofing
This one is a common source of man-in-the-middle attacks. To execute it, a cybercriminal inundates a local area network with falsified Address Resolution Protocol (ARP) packets in order to tamper with the normal traffic routing process. The logic of this interference boils down to binding the adversary’s MAC address with the IP address of the target’s default LAN gateway. In the aftermath of this manipulation, all traffic is redirected to the malefactor’s computer prior to reaching its intended destination. To top it off, the attacker may be able to distort the data before forwarding it to the real recipient or stop all network communication. As if these adverse effects weren’t enough, ARP spoofing can also serve as a launchpad for DDoS attacks.

MAC Spoofing
In theory, every network adapter built into a connected device should have a unique Media Access Control (MAC) address that won’t be encountered elsewhere. In practice though, a clever hack can turn this state of things upside down. An attacker may harness imperfections of some hardware drivers to modify, or spoof, the MAC address. This way, the criminal masquerades his device as one enrolled in a target network to bypass traditional access restriction mechanisms. From there, he can pass himself off as a trusted user and orchestrate frauds like business email compromise (BEC), steal data, or deposit malware onto the digital environment.

IP Spoofing
To perform this attack, the adversary sends Internet Protocol packets that have a falsified source address. This is a way to obfuscate the actual online identity of the packet sender and thereby impersonate another computer. IP spoofing is often used to set DDoS attacks in motion. The reason is that it’s hard for digital infrastructure to filter such rogue packets, given that each one appears to hail from a different address and therefore the crooks feign legitimate traffic quite persuasively. Furthermore, this technique can be leveraged to get around authentication systems that use a device’s IP address as a critical identifier.

DNS Cache Poisoning (DNS Spoofing)
Every tech-savvy user knows the Domain Name Server (DNS) wiki: it maps domain names to specific IP addresses so that people type easy-to-remember URLs in the browser rather than enter the underlying IP strings. Threat actors may be able to contort this mapping logic by piggybacking on known DNS server caching flaws. As a result of this interference, the victim runs the risk of going to a malicious replica of the intended domain. From a cybercriminal’s perspective, that’s a perfect basis for phishing hoaxes that look really true-to-life.

Email Spoofing
Core email protocols aren’t immaculate and might yield quite a few options for an attacker to misrepresent certain message attributes. One of the common vectors of this abuse boils down to modifying the email header. The outcome is that the sender address (shown in the “From” field) appears to match a legitimate one while actually coming from an entirely different source. The attacker can cash in on this inconsistency to impersonate a trusted person such as a co-worker, a senior executive, or a contractor. The above-mentioned BEC scams heavily rely on this exploitation, making social engineering efforts pull the right strings so that the victim gives the green light to a fraudulent wire transfer without a second thought.

Website Spoofing
A con artist may try to dupe a target organization’s employees into visiting a “carbon copy” of a website they routinely use for their work. Unfortunately, black hats are becoming increasingly adept at mimicking the layout, branding, and sign-in forms of legitimate web pages. Pair that with the DNS spoofing trick mentioned above – and the sketchy combo becomes extremely difficult to identify. However, faking a website is a half-baked tactic unless it’s backed by a phishing email that lures the recipient into clicking a malicious link. Criminals typically leverage such a multi-pronged stratagem to steal authentication details or distribute malware that provides them with backdoor access to an enterprise network. URL\website spoofing may also lead to identity theft.

Caller ID Spoofing
Although this is an old school scheme, it’s still alive and kicking these days. To pull it off, ill-minded individuals exploit loopholes in the functioning of telecommunications gear to fabricate caller details you see on your phone’s screen. Obviously, the use cases aren’t isolated to prank calls. The attacker may spoof a caller ID to pass himself off as a person you know or as a representative of a company you do business with. In some cases, the incoming call details shown on a smartphone’s display will include a reputable brand’s logo and physical address to increase the odds of your answering the phone. The aim of this type of a spoofing attack is to hoodwink you into disclosing personal info or paying non-existent bills.

Text Message Spoofing
As opposed to caller ID spoofing, this technique isn’t necessarily used for dodgy purposes. One of the ways modern businesses interact with their customers is through text messages where the originating entity is reflected as an alphanumeric string (such as the company name) rather than a phone number. Unfortunately, crooks can weaponize this tech in a snap. A typical scenario of a text message spoofing attack is where a scammer substitutes the SMS sender ID with a brand name the recipient trusts. This impersonation chicanery can become a springboard for spear phishing, data theft, and increasingly prolific gift card scams zeroing in on organizations.

Extension Spoofing
Every Windows user is aware of the fact that the operating system keeps file extensions out of sight by default. Whereas this is done for the sake of better user experience, it can also fuel fraudulent activity and malware distribution. To disguise a harmful binary as a benign object, all it takes is using a double extension. For instance, an item named Meeting.docx.exe will look just like a regular Word document and will even have the right icon. It’s actually an executable though. The good news is, any mainstream security solution will alert the user whenever they try to open a file like that.

GPS Spoofing
With users increasingly relying on geolocation services to reach a destination or avoid traffic jams, cybercriminals may try to manipulate a target device’s GPS receiver into signaling inaccurate whereabouts. What’s the rationale behind doing this? Well, nation states can employ GPS spoofing to thwart intelligence gathering and even sabotage other countries’ military facilities. That being said, the enterprise isn’t really on the sidelines of this phenomenon. Here’s a hypothetical example: a perpetrator may interfere with the navigation system built into the vehicle of a CEO who is in a hurry for an important meeting with a potential business partner. As a result, the victim will take a wrong turn, only to get stuck in traffic and be late for the meeting. This could undermine the future deal.

Facial Spoofing
Facial recognition is at the core of numerous authentication systems nowadays and it is quickly extending its reach. Aside from the use of this technology to unlock electronic devices such as smartphones and laptops, one’s face might become a critical authentication factor for signing documents and approving wire transfers moving forward. Cybercriminals never miss hype trains like that, so they will definitely look for and exploit weak links in the face ID implementation chain. Unfortunately, this can be fairly easy to do. For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user. Scammers with enough resources and time on their hands can undoubtedly unearth and use similar imperfections.

How to Fend off Spoofing Attacks?
The following tips will help your organization minimize the risk of falling victim to a spoofing attack:

  • Think of rebuilding your org chart. It is good when IT operations report to CISO. Architecture, applications, management and strategy remain with the IT department, but having them report to CISO helps to ensure that their priorities remain security-focused.
  • Benefit from penetration testing and red teaming. It’s hard to think of a more effective way for an organization to assess its security posture from the ground up. A professional pentester who thinks and acts like an attacker can help discover network vulnerabilities and give the IT personnel actionable insights into what needs improvement and how to prioritize their work. At the same time, the red teaming exercises will ensure an ongoing preparedness of the security team to detect and resist new attacks.
  • Get visibility across all platforms. Today, there is a wide spread of data coming from applications, cloud services, etc. The growing number of sources may impact the visibility of the CISO. To address any security issues, you should be able to monitor the cloud, mobile, and on-premise servers and have instant access to all of them in order to always be on the lookout for possible incidents and correlate all the activities.
  • Say “No” to trust relationships. Many organizations boil their device authentication down to IP addresses alone. This approach is known as trust relationships and it, obviously, can be parasitized by scammers through an IP spoofing attack.
  • Leverage packet filtering. This mechanism is used to extensively analyze traffic packets as they roam across a network. It is a great countermeasure for IP spoofing attacks because it identifies and blocks packets with invalid source address details. In other words, if a packet is sent from outside the network but has an internal source address, it’s automatically filtered out.
  • Use anti-spoofing software. Thankfully, there are different solutions that detect the common types of spoofing attacks, including ARP and IP spoofing. In addition to identifying such attempts, anti-spoofing software will stop them in their tracks.

Extra Precautions for Personnel
Keep in mind that the security of a network is as strong as its weakest link. Don’t let the human factor be that link. Investing in a security awareness training program is definitely worth the resources spent. It will help every employee understand their role in the organization’s digital well-being. Make sure your employees know the telltale signs of a spoofing attack and adhere to the following recommendations:

  • Examine emails for typos and grammar errors. These inaccuracies in an email subject and body can be a giveaway in a phishing scenario.
  • Look for a padlock icon next to a URL. Every trustworthy website has a valid SSL certificate, which means the owner’s identity has been verified by a third-party certification authority. If the padlock symbol is missing, it most likely indicates that the site is spoofed and you should immediately navigate away. The flip side of the matter is that there are workarounds allowing malefactors to get rogue security certificates, so you are better off performing some extra checks when in doubt.
  • Refrain from clicking links in emails and social media. An email that instructs you to click an embedded link is potentially malicious. If you receive one, be sure to scrutinize the rest of the contents and double-check the sender’s name and address. Additionally, look up a few phrases from the message in a search engine – chances are that it’s part of an ongoing phishing campaign that has been reported by other users.
  • Confirm suspicious requests in person. If you have received an email, supposedly from your boss or colleague, asking you to urgently complete a payment transaction, don’t hesitate to give that person a phone call and confirm that the request is real.
  • Make file extensions visible. Windows obfuscates extensions unless configured otherwise. To avoid the double extension trick, click the “View” tab in File Explorer and check the “File name extensions” box. 

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.

This article was first published in Security Magazine

You Might Also Read:

Google Search Results Spoofed To Create Fake News:

 

 

 

 

« WEBINAR: How to design a least privilege architecture in AWS
Fighting Fake News With Cyber Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

BaseN

BaseN

BaseN is a full stack IoT Operator. We control the full value chain in order to provide ultimate scalability, fault tolerance and security to our customers.

Dubex

Dubex

Dubex is Denmark's leading business-oriented IT security specialist.

Fox-IT

Fox-IT

Fox-IT prevents, solves and mitigates the most serious cyber threats with smart solutions for governmental bodies, defense, law enforcement, critical infrastructure, banking and large enterprises.

Digital Ship

Digital Ship

Digital Ship provides news, information, conferences and events focused on digital ship systems, information technology and security relating to maritime operations.

Bottomline Technologies

Bottomline Technologies

Bottomline Technologies is an innovator in business payment automation technology, helping companies make complex business payments simple, smart and secure.

XM Cyber

XM Cyber

XM Cyber is a leading hybrid cloud security company that’s changing the way innovative organizations approach cyber risk.

Morphus Information Security

Morphus Information Security

Morphus is an information security company providing Red Team, Blue Team and GRC services as well as conducting research in cybersecurity and threat analysis.

Cyber Tec Security

Cyber Tec Security

Cyber Tec Security is an IASME Certification Body for Cyber Essentials basic/Plus. We also provide ongoing Managed Security Services.

International Data Sanitization Consortium (IDSC)

International Data Sanitization Consortium (IDSC)

IDSC is a group composed of individuals and companies dedicated to standardizing terminology and practices across the data sanitization industry.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

GBT Technologies

GBT Technologies

GBT Technologies is a technology company focused on chip design and software to enable IoT, global mesh networks, and for applications relating to artificial intelligence.

Two Six Technologies

Two Six Technologies

Two Six Technologies delivers R&D, innovation, productization and implementation expertise in cyber, data science, mobile, microelectronics and information operations.

Cyber Defense Networking Solutions (CDNS)

Cyber Defense Networking Solutions (CDNS)

CDNS is a global network infrastructure provider whose platforms are engineered for security, optimized for speed and designed for resiliency.

Searchlight Cyber

Searchlight Cyber

Searchlight Cyber is a leading darknet intelligence company. Working with law enforcement, industry, and end users to help protect society against the threats of the darknet.

SecureClaw

SecureClaw

SecureClaw offers specialized cybersecurity consultation, various products, and a range of services to meet your company's business domain needs.

Sacumen

Sacumen

Sacumen is a niche player in the cybersecurity market, solving critical problems for security product companies.