Beware Spoofing Attacks

The term “spoofing” might have a comic implication in some contexts, but it’s no joke when it comes to information security. In fact, this is a subject matter of a whole separate chapter in a seasoned cybercriminal’s handbook. It comprises a multitude of techniques aimed at camouflaging a malicious actor or device as somebody or something else. The goal is to feign trust, gain a foothold in a system, get hold of data, pilfer money, or distribute predatory software.

What can black hats try to forge to make their attacks pan out? A ton of things: an IP address, a phone number, a web page, a login form, an email address, a text message, GPS location, one’s face – you name it. Some of these hoaxes piggyback on human gullibility, while others cash in on exploiting hardware or software flaws. Out of all the nefarious scenarios that fit the mold of a spoofing attack, the following 11 types are growingly impactful for the enterprise these days.

ARP Spoofing
This one is a common source of man-in-the-middle attacks. To execute it, a cybercriminal inundates a local area network with falsified Address Resolution Protocol (ARP) packets in order to tamper with the normal traffic routing process. The logic of this interference boils down to binding the adversary’s MAC address with the IP address of the target’s default LAN gateway. In the aftermath of this manipulation, all traffic is redirected to the malefactor’s computer prior to reaching its intended destination. To top it off, the attacker may be able to distort the data before forwarding it to the real recipient or stop all network communication. As if these adverse effects weren’t enough, ARP spoofing can also serve as a launchpad for DDoS attacks.
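Detecting the binding trick described above comes down to watching ARP replies for an IP address whose claimed MAC changes, or for one MAC that starts answering for several IPs. The script below is an added example, not code from the original article: the ARP replies are constructed sample data, and the gateway address and its pinned MAC are assumptions. In a real deployment the records would come from a sniffer or from switch telemetry rather than from a hard-coded list.

```python
"""Spot the signature of ARP spoofing in a stream of observed ARP replies.

Added illustration, not code from the original article. The replies below are
constructed sample data; the gateway address and MAC are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float         # capture time in seconds (constructed)
    sender_ip: str    # "sender protocol address" field of the ARP reply
    sender_mac: str   # "sender hardware address" field of the ARP reply


# Assumed static binding for the default gateway, e.g. from a switch inventory.
PINNED_BINDINGS = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}

# Constructed sample: the real gateway answers first, then a second station
# starts claiming the gateway's IP (and a workstation's IP) with its own MAC,
# which is the binding manipulation the article describes.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(1.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(2.5, "192.168.1.1", "cc:cc:cc:cc:cc:99"),
    ArpReply(2.6, "192.168.1.20", "cc:cc:cc:cc:cc:99"),
    ArpReply(3.0, "192.168.1.1", "cc:cc:cc:cc:cc:99"),
]


def detect_arp_anomalies(replies, pinned=None):
    """Return (kind, ip, mac) alerts, each reported once.

    kind is one of:
      'pinned-mismatch'  a reply contradicts a statically known binding
      'ip-changed-mac'   an IP first seen with one MAC is now announced by another
      'mac-claims-many'  one MAC announces a second (or further) IP address
    """
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    first_seen = {}                 # ip -> first MAC that claimed it
    ips_per_mac = defaultdict(set)  # mac -> set of IPs it has claimed
    alerts, reported = [], set()

    def emit(kind, ip, mac):
        key = (kind, ip, mac)
        if key not in reported:
            reported.add(key)
            alerts.append(key)

    for reply in replies:
        ip, mac = reply.sender_ip, reply.sender_mac.lower()
        if ip in pinned and pinned[ip] != mac:
            emit("pinned-mismatch", ip, mac)
        known = first_seen.setdefault(ip, mac)
        if known != mac:
            emit("ip-changed-mac", ip, mac)
        before = len(ips_per_mac[mac])
        ips_per_mac[mac].add(ip)
        if len(ips_per_mac[mac]) > 1 and len(ips_per_mac[mac]) > before:
            emit("mac-claims-many", ip, mac)
    return alerts


if __name__ == "__main__":
    for kind, ip, mac in detect_arp_anomalies(SAMPLE_REPLIES, PINNED_BINDINGS):
        print(f"{kind:16} {ip:15} {mac}")
```

A contradicted pinned gateway binding is the highest-confidence signal; the other two fire on legitimate events as well (DHCP lease turnover, a replaced network card, VRRP or HSRP gateway failover), so they are better treated as correlation input than as standalone alarms. On managed switches, Dynamic ARP Inspection and static ARP entries for the gateway stop the manipulation rather than merely observing it.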

MAC Spoofing
In theory, every network adapter built into a connected device should have a unique Media Access Control (MAC) address that won’t be encountered elsewhere. In practice though, a clever hack can turn this state of things upside down. An attacker may harness imperfections of some hardware drivers to modify, or spoof, the MAC address. This way, the criminal masquerades his device as one enrolled in a target network to bypass traditional access restriction mechanisms. From there, he can pass himself off as a trusted user and orchestrate frauds like business email compromise (BEC), steal data, or deposit malware onto the digital environment.

IP Spoofing
To perform this attack, the adversary sends Internet Protocol packets that have a falsified source address. This is a way to obfuscate the actual online identity of the packet sender and thereby impersonate another computer. IP spoofing is often used to set DDoS attacks in motion. The reason is that it’s hard for digital infrastructure to filter such rogue packets, given that each one appears to hail from a different address and therefore the crooks feign legitimate traffic quite persuasively. Furthermore, this technique can be leveraged to get around authentication systems that use a device’s IP address as a critical identifier.

DNS Cache Poisoning (DNS Spoofing)
Every tech-savvy user knows the Domain Name System (DNS) basics: it maps domain names to specific IP addresses so that people can type easy-to-remember URLs in the browser rather than enter the underlying IP strings. Threat actors may be able to contort this mapping logic by piggybacking on known DNS server caching flaws. As a result of this interference, the victim runs the risk of going to a malicious replica of the intended domain. From a cybercriminal’s perspective, that’s a perfect basis for phishing hoaxes that look really true-to-life.

Email Spoofing
Core email protocols aren’t immaculate and might yield quite a few options for an attacker to misrepresent certain message attributes. One of the common vectors of this abuse boils down to modifying the email header. The outcome is that the sender address (shown in the “From” field) appears to match a legitimate one while actually coming from an entirely different source. The attacker can cash in on this inconsistency to impersonate a trusted person such as a co-worker, a senior executive, or a contractor. The above-mentioned BEC scams heavily rely on this exploitation, making social engineering efforts pull the right strings so that the victim gives the green light to a fraudulent wire transfer without a second thought.
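The header inconsistency described above is something a mail gateway or an analyst can check mechanically: compare the domain in the “From” field with the envelope sender (Return-Path) and Reply-To, and read the SPF and DKIM verdicts the receiving server recorded in Authentication-Results. The script below is an added example, not code from the original article. Both messages are constructed, the domains are placeholders, and it assumes the organization’s own mail server has already added the Authentication-Results header.

```python
"""Header checks for the sender misrepresentation the article describes.

Added example, not part of the original article. Both messages are constructed
and the domains are placeholders; the receiving mail server is assumed to have
added an Authentication-Results header carrying the SPF/DKIM verdicts.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed: display name and From domain imitate the CEO, but the envelope
# sender, the Reply-To and the SPF/DKIM verdicts all point somewhere else.
SPOOFED_MESSAGE = b"""\
Return-Path: <bounce@mailer-unrelated.example>
Authentication-Results: mx.corp.example;
 spf=fail smtp.mailfrom=mailer-unrelated.example;
 dkim=none
From: "Jane Doe (CEO)" <jane.doe@corp.example>
Reply-To: jane.doe.ceo@freemail.example
To: accounts@corp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed: envelope sender and authentication results agree with From.
CLEAN_MESSAGE = b"""\
Return-Path: <jane.doe@corp.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example
From: Jane Doe <jane.doe@corp.example>
To: accounts@corp.example
Subject: Lunch

See you at noon.
"""


def _domain(addr):
    """Domain part of an address, lower-cased; empty when there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def parse_auth_results(value):
    """Map method -> result (e.g. {'spf': 'fail', 'dkim': 'none'}) from an
    Authentication-Results value; the leading authserv-id clause is skipped."""
    results = {}
    for clause in value.split(";")[1:]:
        tokens = clause.split()
        if tokens and "=" in tokens[0]:
            method, result = tokens[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def spoofing_indicators(raw):
    """Return human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    header = lambda name: str(msg.get(name) or "")
    _, from_addr = parseaddr(header("From"))
    _, return_path = parseaddr(header("Return-Path"))
    _, reply_to = parseaddr(header("Reply-To"))
    auth = parse_auth_results(header("Authentication-Results"))

    findings = []
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append("envelope sender domain differs from From domain")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append("Reply-To domain differs from From domain")
    if auth.get("spf") in {"fail", "softfail"}:
        findings.append(f"SPF result is {auth['spf']}")
    if auth.get("dkim", "pass") != "pass":
        findings.append(f"DKIM result is {auth['dkim']}")
    return findings


if __name__ == "__main__":
    for line in spoofing_indicators(SPOOFED_MESSAGE):
        print("-", line)
```

Two caveats apply in practice. Only an Authentication-Results header written by your own mail server should be trusted, so the gateway must strip any copy that arrives from outside before adding its own. And none of these checks catches a lookalike display name on an address the attacker genuinely controls; that is where DMARC alignment on the From domain and the “confirm in person” advice later in the article take over.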

Website Spoofing
A con artist may try to dupe a target organization’s employees into visiting a “carbon copy” of a website they routinely use for their work. Unfortunately, black hats are becoming increasingly adept at mimicking the layout, branding, and sign-in forms of legitimate web pages. Pair that with the DNS spoofing trick mentioned above, and the sketchy combo becomes extremely difficult to identify. However, faking a website is a half-baked tactic unless it’s backed by a phishing email that lures the recipient into clicking a malicious link. Criminals typically leverage such a multi-pronged stratagem to steal authentication details or distribute malware that provides them with backdoor access to an enterprise network. URL/website spoofing may also lead to identity theft.

Caller ID Spoofing
Although this is an old school scheme, it’s still alive and kicking these days. To pull it off, ill-minded individuals exploit loopholes in the functioning of telecommunications gear to fabricate the caller details you see on your phone’s screen. Obviously, the use cases aren’t isolated to prank calls. The attacker may spoof a caller ID to pass himself off as a person you know or as a representative of a company you do business with. In some cases, the incoming call details shown on a smartphone’s display will include a reputable brand’s logo and physical address to increase the odds of your answering the phone. The aim of this type of spoofing attack is to hoodwink you into disclosing personal info or paying non-existent bills.

Text Message Spoofing
As opposed to caller ID spoofing, this technique isn’t necessarily used for dodgy purposes. One of the ways modern businesses interact with their customers is through text messages where the originating entity is reflected as an alphanumeric string (such as the company name) rather than a phone number. Unfortunately, crooks can weaponize this tech in a snap. A typical scenario of a text message spoofing attack is where a scammer substitutes the SMS sender ID with a brand name the recipient trusts. This impersonation chicanery can become a springboard for spear phishing, data theft, and increasingly prolific gift card scams zeroing in on organizations.

Extension Spoofing
Every Windows user is aware of the fact that the operating system keeps file extensions out of sight by default. Whereas this is done for the sake of better user experience, it can also fuel fraudulent activity and malware distribution. To disguise a harmful binary as a benign object, all it takes is using a double extension. For instance, an item named Meeting.docx.exe will look just like a regular Word document and will even have the right icon. It’s actually an executable though. The good news is, any mainstream security solution will alert the user whenever they try to open a file like that.
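The reason Meeting.docx.exe passes for a document is that hiding extensions strips only the final one, so the name is displayed as Meeting.docx while the operating system still treats it as an executable. The script below is an added example, not code from the original article: it mimics that display behaviour and flags names where an executable extension hides behind a document-like one. The file names are constructed, and the two extension lists are common Windows types chosen as an assumption, not a complete inventory.

```python
"""Show what a double-extension name looks like with extensions hidden, and flag it.

Added example, not from the original article. The file names are constructed;
the extension lists are common Windows types and are an assumption, not a
complete list.
"""
import os

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".msi", ".js", ".vbs", ".ps1"}
DOCUMENT_LIKE_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt", ".jpg", ".png"}


def as_explorer_shows(filename, extensions_hidden=True):
    """Mimic File Explorer's display: hiding extensions strips only the last one,
    so 'Meeting.docx.exe' is shown as 'Meeting.docx'."""
    if not extensions_hidden:
        return filename
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def real_type(filename):
    """The extension the OS actually uses to pick a handler for the file."""
    return os.path.splitext(filename)[1].lower()


def is_disguised_executable(filename):
    """True when an executable extension sits behind a document-like one."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    return os.path.splitext(stem)[1].lower() in DOCUMENT_LIKE_EXTS


def triage(filenames):
    """Return (name, displayed name, real extension, flagged) rows."""
    return [(n, as_explorer_shows(n), real_type(n), is_disguised_executable(n)) for n in filenames]


# Constructed sample names.
SAMPLE_NAMES = ["Meeting.docx.exe", "Meeting.docx", "invoice.pdf.scr", "setup.exe", "notes.backup.txt"]

if __name__ == "__main__":
    for name, shown, real, flagged in triage(SAMPLE_NAMES):
        print(f"{name:20} shown as {shown:16} really {real:5} {'DISGUISED' if flagged else ''}")
```

The same check is a sensible rule for a mail gateway or an endpoint agent: a flagged name warrants quarantine regardless of what the icon suggests, since the icon is taken from the executable itself and proves nothing.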

GPS Spoofing
With users increasingly relying on geolocation services to reach a destination or avoid traffic jams, cybercriminals may try to manipulate a target device’s GPS receiver into signaling inaccurate whereabouts. What’s the rationale behind doing this? Well, nation states can employ GPS spoofing to thwart intelligence gathering and even sabotage other countries’ military facilities. That being said, the enterprise isn’t really on the sidelines of this phenomenon. Here’s a hypothetical example: a perpetrator may interfere with the navigation system built into the vehicle of a CEO who is in a hurry for an important meeting with a potential business partner. As a result, the victim will take a wrong turn, only to get stuck in traffic and be late for the meeting. This could undermine the future deal.

Facial Spoofing
Facial recognition is at the core of numerous authentication systems nowadays and it is quickly extending its reach. Aside from the use of this technology to unlock electronic devices such as smartphones and laptops, one’s face might become a critical authentication factor for signing documents and approving wire transfers moving forward. Cybercriminals never miss hype trains like that, so they will definitely look for and exploit weak links in the face ID implementation chain. Unfortunately, this can be fairly easy to do. For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user. Scammers with enough resources and time on their hands can undoubtedly unearth and use similar imperfections.

How to Fend off Spoofing Attacks?
The following tips will help your organization minimize the risk of falling victim to a spoofing attack:

  • Think of rebuilding your org chart. It is good when IT operations report to the CISO. Architecture, applications, management and strategy remain with the IT department, but having them report to the CISO helps to ensure that their priorities remain security-focused.
  • Benefit from penetration testing and red teaming. It’s hard to think of a more effective way for an organization to assess its security posture from the ground up. A professional pentester who thinks and acts like an attacker can help discover network vulnerabilities and give the IT personnel actionable insights into what needs improvement and how to prioritize their work. At the same time, the red teaming exercises will ensure an ongoing preparedness of the security team to detect and resist new attacks.
  • Get visibility across all platforms. Today, there is a wide spread of data coming from applications, cloud services, etc. The growing number of sources may impact the visibility of the CISO. To address any security issues, you should be able to monitor the cloud, mobile, and on-premise servers and have instant access to all of them in order to always be on the lookout for possible incidents and correlate all the activities.
  • Say “No” to trust relationships. Many organizations boil their device authentication down to IP addresses alone. This approach is known as a trust relationship, and it can obviously be parasitized by scammers through an IP spoofing attack.
  • Leverage packet filtering. This mechanism is used to extensively analyze traffic packets as they roam across a network. It is a great countermeasure for IP spoofing attacks because it identifies and blocks packets with invalid source address details. In other words, if a packet is sent from outside the network but has an internal source address, it’s automatically filtered out.
  • Use anti-spoofing software. Thankfully, there are different solutions that detect the common types of spoofing attacks, including ARP and IP spoofing. In addition to identifying such attempts, anti-spoofing software will stop them in their tracks.
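The packet filtering rule in the list above (a packet arriving from outside but carrying an internal source address is dropped) is simple enough to write out. The script below is an added example, not code from the original article. The interface names, address ranges and packets are constructed, and it goes one step beyond the text by adding the mirror-image egress rule, so that a packet with a non-internal source address cannot leave the network either, which removes the organization’s own hosts from the pool of usable IP spoofing sources.

```python
"""Source-address filter of the kind the 'packet filtering' tip describes.

Added example, not from the original article. Interface names, prefixes and
the packets are constructed. Besides the ingress rule in the text (internal
source arriving on the outside interface), it adds the mirror-image egress rule.
"""
import ipaddress
from dataclasses import dataclass

# Assumed topology: eth0 faces the internet, eth1 faces the LAN.
EXTERNAL_IFACE = "eth0"
INTERNAL_IFACES = {"eth1"}
INTERNAL_PREFIXES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "fd00::/8")]


@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet was received on
    src: str
    dst: str


def is_internal(address):
    """True when the address falls inside one of the organization's own prefixes."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_PREFIXES)


def decide(pkt):
    """Return ('accept' | 'drop', reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if src.is_loopback or src.is_multicast:
        return "drop", "impossible source address on the wire"
    if pkt.iface == EXTERNAL_IFACE and is_internal(pkt.src):
        return "drop", "internal source arriving on external interface"
    if pkt.iface in INTERNAL_IFACES and not is_internal(pkt.src):
        return "drop", "non-internal source leaving from internal interface"
    return "accept", "source consistent with interface"


# Constructed traffic sample.
SAMPLE_PACKETS = [
    Packet("eth0", "203.0.113.5", "192.168.1.10"),   # normal inbound
    Packet("eth0", "192.168.1.1", "192.168.1.10"),   # claims to be the LAN gateway
    Packet("eth1", "192.168.1.10", "203.0.113.5"),   # normal outbound
    Packet("eth1", "198.51.100.7", "203.0.113.5"),   # forged source heading out
    Packet("eth1", "127.0.0.1", "192.168.1.1"),      # loopback source, never valid
]


def apply_filter(packets):
    """Run every packet through decide() and return the verdicts in order."""
    return [decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, reason) in zip(SAMPLE_PACKETS, apply_filter(SAMPLE_PACKETS)):
        print(f"{pkt.iface} {pkt.src:15} -> {pkt.dst:15} {verdict:6} ({reason})")
```

On real equipment this logic is expressed as firewall rules keyed on the inbound interface, or as unicast reverse path forwarding on a router, rather than in Python. One exception has to be carved out in practice: DHCP discovery is sent from the unspecified address 0.0.0.0, which the egress rule above would otherwise drop on the LAN side.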

Extra Precautions for Personnel
Keep in mind that the security of a network is as strong as its weakest link. Don’t let the human factor be that link. Investing in a security awareness training program is definitely worth the resources spent. It will help every employee understand their role in the organization’s digital well-being. Make sure your employees know the telltale signs of a spoofing attack and adhere to the following recommendations:

  • Examine emails for typos and grammar errors. These inaccuracies in an email subject and body can be a giveaway in a phishing scenario.
  • Look for a padlock icon next to a URL. Every trustworthy website has a valid SSL certificate, which means the owner’s identity has been verified by a third-party certification authority. If the padlock symbol is missing, it most likely indicates that the site is spoofed and you should immediately navigate away. The flip side of the matter is that there are workarounds allowing malefactors to get rogue security certificates, so you are better off performing some extra checks when in doubt.
  • Refrain from clicking links in emails and social media. An email that instructs you to click an embedded link is potentially malicious. If you receive one, be sure to scrutinize the rest of the contents and double-check the sender’s name and address. Additionally, look up a few phrases from the message in a search engine – chances are that it’s part of an ongoing phishing campaign that has been reported by other users.
  • Confirm suspicious requests in person. If you have received an email, supposedly from your boss or colleague, asking you to urgently complete a payment transaction, don’t hesitate to give that person a phone call and confirm that the request is real.
  • Make file extensions visible. Windows hides extensions unless configured otherwise. To avoid the double extension trick, click the “View” tab in File Explorer and check the “File name extensions” box.

David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation. He runs Privacy-PC.com.

This article was first published in Security Magazine
