Beware Spoofing Attacks

The term “spoofing” might have a comic implication in some contexts, but it’s no joke when it comes to information security. In fact, this is a subject matter of a whole separate chapter in a seasoned cybercriminal’s handbook. It comprises a multitude of techniques aimed at camouflaging a malicious actor or device as somebody or something else. The goal is to feign trust, gain a foothold in a system, get hold of data, pilfer money, or distribute predatory software.

What can black hats try to forge to make their attacks pan out? A ton of things: an IP address, a phone number, a web page, a login form, an email address, a text message, GPS location, one’s face – you name it. Some of these hoaxes piggyback on human gullibility, while others cash in on exploiting hardware or software flaws. Out of all the nefarious scenarios that fit the mold of a spoofing attack, the following 11 types are growingly impactful for the enterprise these days.

ARP Spoofing
This one is a common source of man-in-the-middle attacks. To execute it, a cybercriminal inundates a local area network with falsified Address Resolution Protocol (ARP) packets in order to tamper with the normal traffic routing process. The logic of this interference boils down to binding the adversary’s MAC address with the IP address of the target’s default LAN gateway. In the aftermath of this manipulation, all traffic is redirected to the malefactor’s computer prior to reaching its intended destination. To top it off, the attacker may be able to distort the data before forwarding it to the real recipient or stop all network communication. As if these adverse effects weren’t enough, ARP spoofing can also serve as a launchpad for DDoS attacks.

MAC Spoofing
In theory, every network adapter built into a connected device should have a unique Media Access Control (MAC) address that won’t be encountered elsewhere. In practice though, a clever hack can turn this state of things upside down. An attacker may harness imperfections of some hardware drivers to modify, or spoof, the MAC address. This way, the criminal masquerades his device as one enrolled in a target network to bypass traditional access restriction mechanisms. From there, he can pass himself off as a trusted user and orchestrate frauds like business email compromise (BEC), steal data, or deposit malware onto the digital environment.

IP Spoofing
To perform this attack, the adversary sends Internet Protocol packets that have a falsified source address. This is a way to obfuscate the actual online identity of the packet sender and thereby impersonate another computer. IP spoofing is often used to set DDoS attacks in motion. The reason is that it’s hard for digital infrastructure to filter such rogue packets, given that each one appears to hail from a different address and therefore the crooks feign legitimate traffic quite persuasively. Furthermore, this technique can be leveraged to get around authentication systems that use a device’s IP address as a critical identifier.

DNS Cache Poisoning (DNS Spoofing)
Every tech-savvy user knows the Domain Name Server (DNS) wiki: it maps domain names to specific IP addresses so that people type easy-to-remember URLs in the browser rather than enter the underlying IP strings. Threat actors may be able to contort this mapping logic by piggybacking on known DNS server caching flaws. As a result of this interference, the victim runs the risk of going to a malicious replica of the intended domain. From a cybercriminal’s perspective, that’s a perfect basis for phishing hoaxes that look really true-to-life.

Email Spoofing
Core email protocols aren’t immaculate and might yield quite a few options for an attacker to misrepresent certain message attributes. One of the common vectors of this abuse boils down to modifying the email header. The outcome is that the sender address (shown in the “From” field) appears to match a legitimate one while actually coming from an entirely different source. The attacker can cash in on this inconsistency to impersonate a trusted person such as a co-worker, a senior executive, or a contractor. The above-mentioned BEC scams heavily rely on this exploitation, making social engineering efforts pull the right strings so that the victim gives the green light to a fraudulent wire transfer without a second thought.

Website Spoofing
A con artist may try to dupe a target organization’s employees into visiting a “carbon copy” of a website they routinely use for their work. Unfortunately, black hats are becoming increasingly adept at mimicking the layout, branding, and sign-in forms of legitimate web pages. Pair that with the DNS spoofing trick mentioned above – and the sketchy combo becomes extremely difficult to identify. However, faking a website is a half-baked tactic unless it’s backed by a phishing email that lures the recipient into clicking a malicious link. Criminals typically leverage such a multi-pronged stratagem to steal authentication details or distribute malware that provides them with backdoor access to an enterprise network. URL\website spoofing may also lead to identity theft.

Caller ID Spoofing
Although this is an old school scheme, it’s still alive and kicking these days. To pull it off, ill-minded individuals exploit loopholes in the functioning of telecommunications gear to fabricate caller details you see on your phone’s screen. Obviously, the use cases aren’t isolated to prank calls. The attacker may spoof a caller ID to pass himself off as a person you know or as a representative of a company you do business with. In some cases, the incoming call details shown on a smartphone’s display will include a reputable brand’s logo and physical address to increase the odds of your answering the phone. The aim of this type of a spoofing attack is to hoodwink you into disclosing personal info or paying non-existent bills.

Text Message Spoofing
As opposed to caller ID spoofing, this technique isn’t necessarily used for dodgy purposes. One of the ways modern businesses interact with their customers is through text messages where the originating entity is reflected as an alphanumeric string (such as the company name) rather than a phone number. Unfortunately, crooks can weaponize this tech in a snap. A typical scenario of a text message spoofing attack is where a scammer substitutes the SMS sender ID with a brand name the recipient trusts. This impersonation chicanery can become a springboard for spear phishing, data theft, and increasingly prolific gift card scams zeroing in on organizations.

Extension Spoofing
Every Windows user is aware of the fact that the operating system keeps file extensions out of sight by default. Whereas this is done for the sake of better user experience, it can also fuel fraudulent activity and malware distribution. To disguise a harmful binary as a benign object, all it takes is using a double extension. For instance, an item named Meeting.docx.exe will look just like a regular Word document and will even have the right icon. It’s actually an executable though. The good news is, any mainstream security solution will alert the user whenever they try to open a file like that.

GPS Spoofing
With users increasingly relying on geolocation services to reach a destination or avoid traffic jams, cybercriminals may try to manipulate a target device’s GPS receiver into signaling inaccurate whereabouts. What’s the rationale behind doing this? Well, nation states can employ GPS spoofing to thwart intelligence gathering and even sabotage other countries’ military facilities. That being said, the enterprise isn’t really on the sidelines of this phenomenon. Here’s a hypothetical example: a perpetrator may interfere with the navigation system built into the vehicle of a CEO who is in a hurry for an important meeting with a potential business partner. As a result, the victim will take a wrong turn, only to get stuck in traffic and be late for the meeting. This could undermine the future deal.

Facial Spoofing
Facial recognition is at the core of numerous authentication systems nowadays and it is quickly extending its reach. Aside from the use of this technology to unlock electronic devices such as smartphones and laptops, one’s face might become a critical authentication factor for signing documents and approving wire transfers moving forward. Cybercriminals never miss hype trains like that, so they will definitely look for and exploit weak links in the face ID implementation chain. Unfortunately, this can be fairly easy to do. For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user. Scammers with enough resources and time on their hands can undoubtedly unearth and use similar imperfections.

How to Fend off Spoofing Attacks?
The following tips will help your organization minimize the risk of falling victim to a spoofing attack:

  • Think of rebuilding your org chart. It is good when IT operations report to CISO. Architecture, applications, management and strategy remain with the IT department, but having them report to CISO helps to ensure that their priorities remain security-focused.
  • Benefit from penetration testing and red teaming. It’s hard to think of a more effective way for an organization to assess its security posture from the ground up. A professional pentester who thinks and acts like an attacker can help discover network vulnerabilities and give the IT personnel actionable insights into what needs improvement and how to prioritize their work. At the same time, the red teaming exercises will ensure an ongoing preparedness of the security team to detect and resist new attacks.
  • Get visibility across all platforms. Today, there is a wide spread of data coming from applications, cloud services, etc. The growing number of sources may impact the visibility of the CISO. To address any security issues, you should be able to monitor the cloud, mobile, and on-premise servers and have instant access to all of them in order to always be on the lookout for possible incidents and correlate all the activities.
  • Say “No” to trust relationships. Many organizations boil their device authentication down to IP addresses alone. This approach is known as trust relationships and it, obviously, can be parasitized by scammers through an IP spoofing attack.
  • Leverage packet filtering. This mechanism is used to extensively analyze traffic packets as they roam across a network. It is a great countermeasure for IP spoofing attacks because it identifies and blocks packets with invalid source address details. In other words, if a packet is sent from outside the network but has an internal source address, it’s automatically filtered out.
  • Use anti-spoofing software. Thankfully, there are different solutions that detect the common types of spoofing attacks, including ARP and IP spoofing. In addition to identifying such attempts, anti-spoofing software will stop them in their tracks.

Extra Precautions for Personnel
Keep in mind that the security of a network is as strong as its weakest link. Don’t let the human factor be that link. Investing in a security awareness training program is definitely worth the resources spent. It will help every employee understand their role in the organization’s digital well-being. Make sure your employees know the telltale signs of a spoofing attack and adhere to the following recommendations:

  • Examine emails for typos and grammar errors. These inaccuracies in an email subject and body can be a giveaway in a phishing scenario.
  • Look for a padlock icon next to a URL. Every trustworthy website has a valid SSL certificate, which means the owner’s identity has been verified by a third-party certification authority. If the padlock symbol is missing, it most likely indicates that the site is spoofed and you should immediately navigate away. The flip side of the matter is that there are workarounds allowing malefactors to get rogue security certificates, so you are better off performing some extra checks when in doubt.
  • Refrain from clicking links in emails and social media. An email that instructs you to click an embedded link is potentially malicious. If you receive one, be sure to scrutinize the rest of the contents and double-check the sender’s name and address. Additionally, look up a few phrases from the message in a search engine – chances are that it’s part of an ongoing phishing campaign that has been reported by other users.
  • Confirm suspicious requests in person. If you have received an email, supposedly from your boss or colleague, asking you to urgently complete a payment transaction, don’t hesitate to give that person a phone call and confirm that the request is real.
  • Make file extensions visible. Windows obfuscates extensions unless configured otherwise. To avoid the double extension trick, click the “View” tab in File Explorer and check the “File name extensions” box. 

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.

This article was first published in Security Magazine

You Might Also Read:

Google Search Results Spoofed To Create Fake News:

 

 

 

 

« WEBINAR: How to design a least privilege architecture in AWS
Fighting Fake News With Cyber Intelligence »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Tigerscheme

Tigerscheme

Tigerscheme is a certification scheme for information security specialists, backed by University standards and covering a wide range of expertise.

Bird & Bird

Bird & Bird

Bird & Bird is an international law firm with a focus on helping organisations being changed by technology and the digital world. Areas of expertise include cyber security.

Seavus

Seavus

Seavus is a software development and consulting company with a proven track-record in providing successful enterprise-wide business solutions including Managed Security Services.

Council for Information & Communication Technologies (CTIC)

Council for Information & Communication Technologies (CTIC)

CTIC was set up to address specific issues in the field of ICT relevant to the implementation of electronic government.

PhishX

PhishX

PhishX is a SaaS platform for security awareness that simulates Cyberthreats, train people, while measure and analysis results, reducing Cybersecurity risks for People and Companies.

Tech-Recycle

Tech-Recycle

Tech-Recycle was formed to help companies and individuals securely, ethically and easily recycle their IT and office equipment. We destroy all data passed to us safely and securely.

Ampliphae

Ampliphae

Ampliphae gives you an easy-to-deploy, sophisticated and affordable cloud-discovery, security and compliance platform.

SystemExperts

SystemExperts

SystemExperts is a premier provider of IT compliance and cyber security consulting services.

AaDya

AaDya

AaDya provide smart, simple, affordable and effective cybersecurity software solutions for small and medium businesses.

Digital Beachhead

Digital Beachhead

Digital Beachhead has the expertise to provide a range of Cyber Risk Management and other Professional Services with specifically tailored solutions at competitive prices.

GLIMPS

GLIMPS

GLIMPS-Malware automatically detects malware affecting standard computer systems, manufacturing systems, IOT or automotive domains.

Techstep

Techstep

Techstep is a complete mobile technology enabler, making positive changes to the world of work; freeing people to work more effectively, securely and sustainably.

CyberX9

CyberX9

CyberX9 helps you protect against a wide range of cyber attacks whether you are a business or a high-net worth individual under risk.

Securious

Securious

If you need to improve your cyber security or achieve cyber security accreditations, Securious provide an independent service that will identify and address your issues quickly and efficiently.

Xobee Networks

Xobee Networks

Xobee Networks is a Managed Service Provider of innovative, cost-effective, and cutting-edge technology solutions in California.

Chugach Government Solutions (CGS)

Chugach Government Solutions (CGS)

CGS performs work for the Federal Government across 4 unique core lines of business, including: Facilities Management and Maintenance, Construction, Technical IT and Cyber Services, and Educational Se