In a spoofing attack, communications are deliberately falsified so that they mislead the recipient and appear to come from a legitimate source. Examples include spoofed phone numbers used for mass robo-calls, spoofed email addresses used for mass spam, and forged websites built to mislead visitors and gather personal information. Spoofing can be used to gain access to a target's personal information, spread malware through infected links or attachments, bypass network access controls, or redirect traffic as part of a denial-of-service attack.

Spoofing comes in several forms; some of the most common are IP address spoofing, MAC spoofing, ARP spoofing and DNS server spoofing.

Successful attacks on organizations can lead to infected computer systems and networks, data breaches, and/or loss of revenue—all liable to affect the organization’s public reputation.

The FBI recently released a report on cybercrime in 2019 (you can read the report here). On page 19 of that report, spoofing is listed as the attack with the fifth-highest number of victims: 25,789 people or organizations were affected. On page 20 of the same report, spoofing ranks third by losses, having caused about $300 million in damage to individuals and organizations.

Source: forcepoint.com



How Does Spoofing Work?

The attacker's first step is to gain the victim's trust or to make the victim curious, so the attacker must be able to forge an identity. That identity can be an IP address, a website URL or contact information. For example, a spoofed email from Amazon might inquire about purchases you never made. Concerned about your account, you might be motivated to click the included link.

Well, you’re trapped. From that malicious link, scammers will send you to a malware download or a faked login page—complete with a familiar logo and spoofed URL—for the purpose of harvesting your username and password.

Do you see the resemblance between spoofing and phishing attacks? They are so similar that they are sometimes hard to tell apart. A spoofing attack is often the prelude to a phishing attack.



What Are the Types of Spoofing? 

Spoofing attacks come in many forms, primarily:

  • Email spoofing
  • IP address spoofing
  • ARP Spoofing
  • MAC spoofing
  • Website and/or URL spoofing
  • Man-in-the-middle attacks
  • Caller ID spoofing
  • Facial spoofing
  • Text message spoofing
  • DNS server spoofing
  • GPS spoofing
  • Extension spoofing


Email spoofing 

Email spoofing is the act of sending emails with a forged sender address. These emails may include links to malicious websites or attachments infected with malware, or they may use social engineering to convince the recipient to freely disclose sensitive information. Typical payloads for malicious emails include ransomware, adware, cryptojackers, Trojans, other malware or botnet agents (see this post).

Spoofed emails typically combine several deceptive features. The false sender address is designed to look like it comes from someone you know and trust, such as a friend, coworker, family member, or a company you do business with. A bug in Gmail has even allowed scammers to send emails with no sender address at all.

When the supposed sender is a company or organization, the email may also include familiar branding: logo, colors, font, call-to-action button and so on. Email scammers don't spend much time proofreading their work, so spoofed emails often contain typos or worse. Be careful: bizarre sentences are a reason to be suspicious.

Learn more about email spoofing attacks here.

Source: malwarebytes.com  and  forcepoint.com


IP Address spoofing 

IP address spoofing is one of the most frequently used spoofing attack methods. This type is used when someone wants to hide or disguise the location from which they’re sending or requesting data online.

To perform this attack, the attacker sends Internet Protocol packets with a falsified source address. This obscures the real identity of the sender and lets the attacker impersonate another computer. IP spoofing is often used to set DDoS attacks in motion: the attacker puts the target's IP address in the source field of packets sent to many other hosts, and when those hosts reply, their responses are routed to the target and overwhelm it with traffic.

IP spoofing can also be used to bypass IP address-based authentication. This is difficult to pull off and is mainly relevant where trust relationships exist between machines on a network and internal systems. Such trust relationships use IP addresses rather than user logins to verify a machine's identity when it requests access, so an attacker who spoofs the address of a trusted machine can inherit its access permissions and bypass trust-based network security measures.
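The packet filtering recommended later on this page is the standard defence against both forms of IP spoofing described above. The following is an added example, not code from the page or its sources: a source-address check that drops inside hosts forging outside addresses (the reflection pattern) and outside packets claiming inside addresses (the trust-relationship pattern). The interface names and prefixes are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed topology (assumption): the source prefixes that may
# legitimately arrive on each router interface.
ALLOWED_SOURCES: Dict[str, List[ipaddress.IPv4Network]] = {
    "lan0": [ipaddress.ip_network("192.168.10.0/24")],  # inside hosts only
    "wan0": [ipaddress.ip_network("0.0.0.0/0")],         # any public address
}
# Private and loopback ranges must never be a source on the Internet side.
BOGONS_ON_WAN = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def classify(iface: str, src: str) -> str:
    """Return 'accept' or a 'drop:<reason>' verdict for one packet.

    A lan0 packet claiming an outside source is an egress spoof (one of our
    own hosts forging someone else's address, e.g. for a reflected DDoS);
    a wan0 packet claiming an inside source is an ingress spoof aimed at
    IP-based trust relationships.
    """
    addr = ipaddress.ip_address(src)
    allowed = ALLOWED_SOURCES.get(iface)
    if allowed is None:
        return "drop:unknown-interface"
    if not any(addr in net for net in allowed):
        return "drop:source-not-valid-for-interface"
    if iface == "wan0" and any(addr in net for net in BOGONS_ON_WAN):
        return "drop:private-source-from-internet"
    return "accept"

def filter_packets(packets: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Apply classify() to (interface, source_ip) pairs."""
    return [(iface, src, classify(iface, src)) for iface, src in packets]

if __name__ == "__main__":
    # Constructed sample traffic: one legitimate and one spoofed packet per side.
    sample = [("lan0", "192.168.10.5"), ("lan0", "203.0.113.9"),
              ("wan0", "198.51.100.7"), ("wan0", "192.168.10.5")]
    for row in filter_packets(sample):
        print(row)
```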

Read more about this attack here.

Source:  en.wikipedia.org  and  cybersecurityintelligence.com  and   veracode.com


ARP spoofing 

Let's first get acquainted with the role and function of the ARP protocol; there is good information here.

An ARP spoofing attack is a common basis for man-in-the-middle attacks. To execute it, an attacker floods a LAN with falsified ARP packets in order to tamper with the normal traffic routing process.

The logic of this interference boils down to binding the adversary’s MAC address with the IP address of the target’s default LAN gateway. In the aftermath of this manipulation, all traffic is redirected to the malefactor’s computer prior to reaching its intended destination. To top it off, the attacker may be able to distort the data before forwarding it to the real recipient or stop all network communication.

This type of spoofing attack results in data that is intended for the host’s IP address getting sent to the attacker instead. Malicious parties commonly use ARP spoofing to steal information, modify data-in-transit or stop traffic on a LAN.

ARP spoofing only works on local area networks that use the Address Resolution Protocol. ARP spoofing is commonly used to steal or modify data but can also be used in denial-of-service and man-in-the-middle attacks or in session hijacking.
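Because the attack works by rebinding the gateway's IP address to the attacker's MAC, the simplest host-side detection is to watch ARP replies and alert when a known binding changes. The following is an added example (not code from the page or its sources) of such a watcher run over a constructed capture; the IPs and MACs are made up.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# (timestamp, sender IP, sender MAC) as carried in an ARP reply on the LAN.
ArpReply = Tuple[float, str, str]

class ArpWatch:
    """Track IP-to-MAC bindings learned from ARP replies and alert on changes."""

    def __init__(self, gateway_ip: str) -> None:
        self.gateway_ip = gateway_ip
        self.bindings: Dict[str, str] = {}                     # ip -> mac
        self.ips_by_mac: Dict[str, Set[str]] = defaultdict(set)
        self.alerts: List[str] = []

    def observe(self, reply: ArpReply) -> None:
        ts, ip, mac = reply
        mac = mac.lower()
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            # The gateway's MAC flipping is the signature of the attack above.
            level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            self.alerts.append(f"{level} t={ts}: {ip} moved {previous} -> {mac}")
        self.bindings[ip] = mac
        claimed = self.ips_by_mac[mac]
        claimed.add(ip)
        # One MAC answering for the gateway and for another host is the
        # two-sided poisoning that lets the attacker relay both directions.
        if self.gateway_ip in claimed and len(claimed) > 1:
            self.alerts.append(f"WARNING t={ts}: {mac} claims {sorted(claimed)}")

def scan(gateway_ip: str, replies: List[ArpReply]) -> List[str]:
    """Feed a capture of ARP replies through ArpWatch and return the alerts."""
    watch = ArpWatch(gateway_ip)
    for reply in replies:
        watch.observe(reply)
    return watch.alerts

# Constructed capture: a real gateway and host, then an attacker's MAC
# claiming first the gateway's IP and then the host's.
SAMPLE_REPLIES: List[ArpReply] = [
    (1.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (3.0, "192.168.1.1", "DE:AD:BE:EF:00:99"),
    (4.0, "192.168.1.20", "de:ad:be:ef:00:99"),
]

if __name__ == "__main__":
    for alert in scan("192.168.1.1", SAMPLE_REPLIES):
        print(alert)
```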

Source:   cybersecurityintelligence.com  and   veracode.com


MAC spoofing 

Let's first get acquainted with the role and function of the MAC address; there is a good article here.

An attacker may exploit imperfections in some hardware drivers to modify, or spoof, the MAC address. The attacker's device then masquerades as one enrolled in the target network, bypassing traditional access restriction mechanisms, and the attacker can pass as a trusted user. In other words, MAC spoofing is a method of changing the factory-assigned Media Access Control (MAC) address of a network interface on a networked device.

The attacker is then well placed to launch further attacks such as business email compromise (BEC), man-in-the-middle attacks, data theft, or planting malware in the environment.

Learn more about MAC spoofing attacks here.

Source:  cybersecurityintelligence.com


Website spoofing (URL spoofing) 

Website spoofing is when an attacker builds a website with a URL that closely resembles, or even copies, the URL of a legitimate website that a user knows and trusts. In addition to spoofing the URL, the attacker may copy the content and style of the website, complete with images and text. This is where the close connection between spoofing and phishing attacks is most visible. The spoofed site will look like the login page of a website you frequent, down to the branding, the user interface, and a spoofed domain name that looks the same at first glance. Attackers use these sites to harvest login credentials and other personal information from users. A spoofed website is generally used in conjunction with a spoofed email that links to it.

To imitate a URL, attackers can use characters from other languages or Unicode characters that look almost exactly the same as regular ASCII characters.
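A defender-side check for the look-alike trick just described flags hostnames containing non-ASCII characters, labels that mix scripts, and names whose ASCII "skeleton" collides with a protected brand. The following is an added example, not code from the page or its sources; the confusables table is a small constructed subset of Unicode's, and the trusted-domain list is an assumption.

```python
import unicodedata
from typing import List

# Constructed subset of the Unicode confusables table: look-alike -> ASCII.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic а е о р
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y",   # Cyrillic с ѕ і у
    "\u0131": "i", "\u0261": "g",                                  # dotless i, script g
    "1": "l", "0": "o",                                            # digit look-alikes
}
# Constructed allow-list of brands we want to protect (assumption).
TRUSTED = {"apple.com", "paypal.com", "google.com"}

def skeleton(label: str) -> str:
    """Collapse a label to the ASCII string a human would read it as."""
    label = unicodedata.normalize("NFKC", label).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)

def analyze(host: str) -> List[str]:
    """Return a list of findings for a hostname; an empty list means nothing odd."""
    findings: List[str] = []
    decoded: List[str] = []
    for label in host.lower().rstrip(".").split("."):
        if label.startswith("xn--"):                      # punycode (IDNA) label
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                findings.append(f"undecodable punycode label '{label}'")
        decoded.append(label)
        if any(ord(ch) > 127 for ch in label):
            findings.append(f"non-ASCII characters in label '{label}'")
        # Heuristic script detection from the Unicode character names.
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label '{label}'")
    shown = ".".join(decoded)
    skel = ".".join(skeleton(lab) for lab in decoded)
    if skel in TRUSTED and shown != skel:
        findings.append(f"looks like trusted domain {skel}")
    return findings

if __name__ == "__main__":
    # Constructed samples: genuine, Cyrillic-a look-alike, digit look-alike, punycode.
    for host in ("apple.com", "\u0430pple.com", "paypa1.com", "xn--pple-43d.com"):
        print(host, analyze(host))
```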

Source: berberis.com.ua  and  cloudflare.com


Man-in-the-Middle (MITM) attack 

A MITM attack is the equivalent of a mailman opening your bank statement, writing down your account details, then resealing the envelope and delivering it to your door. In this attack, the perpetrator positions himself in a conversation between a user and an application, either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is under way.

Because the attacker may be silently observing, or may re-encrypt the intercepted traffic and forward it to its intended destination once it has been recorded or edited, the attack can be difficult to spot. The spoofing comes into play when the criminals alter the communication between the parties to reroute funds or solicit sensitive personal information such as credit card numbers or logins. Another form of MITM attack intercepts the data inside the browser; this is called a man-in-the-browser (MitB) attack.

Read more about MITM attacks here.

Source: csoonline.com  and  imperva.com


Caller ID spoofing 

Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn’t. The attacker may spoof a caller ID to pass himself/herself off as a person you know or as a representative of a company you do business with. In some cases, the incoming call details shown on a smartphone’s display will include a reputable brand’s logo and physical address to increase the odds of your answering the phone. Attackers can then use social engineering to convince their targets to, over the phone, provide sensitive information such as passwords, account information, social security numbers, and more.

Source: securitymagazine.com


Facial spoofing 

This is the newest form of spoofing. Facial recognition is at the core of numerous authentication systems nowadays, its reach is growing quickly, and we use our faces to unlock our mobile devices and laptops. The news is worrying: researchers have demonstrated that 3D facial models built from your pictures on social media can already be used to break into a device locked with facial ID. Taking things a step further, the Malwarebytes Labs blog reported on deepfake technology being used to create fake news videos and fake sex tapes.

For example, security analysts have demonstrated a way to deceive the Windows 10 Hello facial recognition feature by means of a modified printed photo of the user.

There is also good news: there are ways to counter this kind of fraud. Read here about anti-spoofing techniques for face recognition solutions.

Source:  cybersecurityintelligence.com  and  malwarebytes.com


Text Message spoofing (SMS spoofing) 

This type of spoofing is sending a text message with someone else’s phone number or sender ID. If you’ve ever sent a text message from your laptop, you’ve spoofed your own phone number in order to send the text, because the text did not actually originate from your phone.

One of the ways modern businesses interact with their customers is through text messages where the originating entity is reflected as an alphanumeric string (such as the company name) rather than a phone number. Scammers use the same technique and hide their true identity behind an alphanumeric sender ID, often posing as a legitimate company or organization.

Scammers are now taking advantage of the healthy job market by posing as staffing agencies and sending victims too-good-to-be-true job offers. The spoofed texts often include links to SMS phishing sites or malware downloads.

Read more about this type of spoofing here.

Source: en.wikipedia.org  and   cybersecurityintelligence.com  and  malwarebytes.com


DNS Server spoofing 

In a DNS server spoofing attack, a malicious party modifies the DNS server in order to reroute a specific domain name to a different IP address. In many cases, the new IP address will be for a server that is actually controlled by the attacker and contains files infected with malware. In other words, this attack allows attackers to divert traffic to a different IP address, leading victims to sites that spread malware.


Extension spoofing

This attack occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick is to name the file something like “filename.txt.exe”. As every Windows user knows, the operating system hides file extensions by default, so to a Windows user this executable will appear as “filename.txt”.

As soon as the user tries to open this file, the computer becomes infected. Attackers often use this type of scam to distribute worms and Trojans.
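The check below reproduces what Windows shows with extensions hidden and compares it with the extension that actually decides how the file opens, so the “filename.txt.exe” trick is caught before the file is opened. It is an added example, not code from the page or its sources, and it goes slightly beyond the page by also catching a document-looking name padded with spaces before the real extension; the extension sets and sample names are constructed.

```python
import os
from typing import Dict, List

# Constructed sets (assumption): extensions Windows will execute, and
# extensions that make a name look like a harmless document or picture.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".ps1", ".lnk"}
HARMLESS_LOOKING = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx",
                    ".jpg", ".jpeg", ".png", ".gif", ".mp3", ".zip"}

def assess(filename: str) -> Dict[str, str]:
    """Return what Explorer displays with extensions hidden, the extension
    that really governs the file, and a verdict."""
    real_ext = os.path.splitext(filename)[1].lower()
    # With "hide extensions for known file types" on, only the last one is hidden.
    displayed = filename[:-len(real_ext)] if real_ext else filename
    # rstrip() catches "invoice.pdf      .exe", where padding pushes .exe out of view.
    shown_ext = os.path.splitext(displayed.rstrip())[1].lower()
    if real_ext in EXECUTABLE_EXTS:
        verdict = "spoofed-extension" if shown_ext in HARMLESS_LOOKING else "executable"
    else:
        verdict = "ok"
    return {"displayed": displayed, "real_ext": real_ext,
            "shown_ext": shown_ext, "verdict": verdict}

def find_spoofed(names: List[str]) -> List[str]:
    """Filter a list of file names down to the double-extension suspects."""
    return [n for n in names if assess(n)["verdict"] == "spoofed-extension"]

if __name__ == "__main__":
    # Constructed sample listing of a download folder.
    for name in ("filename.txt.exe", "notes.txt", "setup.exe",
                 "photo.jpg.scr", "invoice.pdf      .exe"):
        print(name, "->", assess(name))
```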

Source:  malwarebytes.com


GPS spoofing 

GPS spoofing occurs when you trick your device’s GPS into thinking you’re in one location, when you’re actually in another location. Attackers could even spoof the GPS in your car and send you to the wrong destination, or worse, send you into oncoming traffic.

Suppose the CEO of a company has to attend a meeting at a certain time to close a very important agreement. A hacker (perhaps hired by a competing company) could manipulate the car's GPS so that the CEO is sent to the wrong place and misses the meeting. Governments can also employ GPS spoofing to thwart intelligence gathering and even to sabotage other countries' military facilities. In technical terms, GPS spoofing is an attack in which a radio transmitter located near the target is used to interfere with legitimate GPS signals. Such radio interference can overpower the weak global navigation satellite system (GNSS) signals, causing loss of the satellite signal and potentially loss of positioning.

Learn more about GPS spoofing here.

Source:  cyware.com  and   cybersecurityintelligence.com  and  malwarebytes.com



How to Protect Against Spoofing Attacks? 

  • Turn on your spam filter.
  • Don't click links or open attachments in emails from unknown senders.
  • Log in through a separate tab or window. If you get a suspicious email or text message asking you to log in to your account and take some action, e.g., verify your information, don't click the provided link. Instead, open another tab or window and navigate to the site directly.
  • If you receive a suspicious email supposedly from someone you know, call or text the sender and confirm that they really sent it.
  • Examine emails for typos and grammar errors.
  • Don't answer calls from unknown numbers. If you do answer such a call, hang up immediately.
  • Don't use public networks (e.g., in coffee shops) for sensitive transactions.
  • Show file extensions in Windows. Windows hides file extensions by default, but you can change that setting so that spoofed extensions become visible and you can avoid opening those malicious files.
  • Use a powerful anti-malware product.
  • Avoid Wi-Fi connections that aren't password protected.
  • If you have a voicemail account with your phone service, be sure to set a password for it.
  • Pay attention to browser warnings that report a website as not secure.
  • If you answer the phone and the caller, or a recording, asks you to press a button to stop receiving the calls, just hang up.
  • Implement a comprehensive email security solution in your organization.
  • Use a web security tool.
  • Monitor web traffic generated by both systems and end users.
  • Prepare your employees for advanced attacks by educating them on the dynamics, patterns, samples and frequency of attack methods attempted against other organizations.
  • Make sure your passwords are secure, complex and updated at least every three months.
  • Never give out personal information such as account numbers, passwords or other identifying information in response to unexpected calls, or whenever you are at all suspicious.
  • Use packet filtering. It is a strong countermeasure against IP spoofing attacks because it identifies and blocks packets with invalid source address details.
  • Use cryptographic network protocols such as Transport Layer Security (TLS), Secure Shell (SSH), HTTP Secure (HTTPS) and other secure communications protocols to encrypt data before it is sent.

Source: fcc.gov  and   forcepoint.com   and  malwarebytes.com