What Is Spoofing?

: A padlock and the words What Is Spoofing

We’ve all seen movies like The Sting, Catch Me If You Can and The Good Liar. Each of these involve people who spoof identities for various reasons. Movies about cybercrime – such as Snowden, Sneakers and the venerable War Games – all involve scenes where people and machines imitate each other for one reason or another. What’s the takeaway here? Spoofing is a time-honored activity, and one type of cyberattack that often leads to a much larger hack.

Spoofing Defined

With spoofing, hackers and attackers of all types imitate people, companies and even computers with the intent to trick people into giving up personal information in order to gain access to something valuable. Spoofing can apply to emails, phone calls and websites, or it can be more technical, such as IP spoofing, Address Resolution Protocol (ARP) spoofing or Domain Name System (DNS) server. Oftentimes spoofing is used during a cyberattack to disguise the source of attack traffic.

How Spoofing Works

Spoofing happens when cybercriminals use deception to appear as another person or source of information. That person can manipulate today’s technology, such as email services and messages, or the underlying protocols that run the internet.

Why do they do this? It’s simple: Attackers target people and/or things for some form of profit.

Spoofing usually involves some type of pretext followed by an action statement.

The pretext is the initial, believable assertion, or lie, where the attacker comes up with a convincing story or idea. Sometimes, this lie involves a request from an authority. Other times, the scammer indicates that there is limited time available, and     the person or machine must act now. The key to the pretext is that it is plausible and is within the comfort level of the victim. If the pretext is too outrageous, too generic or simply not relevant, then the attacker will likely fail.

The action statement tells the victim what they must do, such as click a link or enter some information on a form. Many times, the action statement, or ask, seems fairly benign. After all, we all click on links every day. Sometimes the action statement is more forceful, such as an ask to provide a credit card number, bank information or a social security number to remedy a situation. The action statement also has to be something that the victim is capable of doing. If the attacker asks for the impossible, then usually the intended victim will ignore the social engineering attempt.


Types of Spoofing

There are many ways that attackers engage in spoofing. Some of the most common types of spoofing include phone/caller ID spoofing, GPS, website, IP address, facial, DNS and ARP.

Type of Spoof

Description

Phone/Caller ID

An attacker uses a phone app or a piece of hardware to falsify caller ID information sent across a voice network. The telephone network has no real way to verify that the spoofed phone number has been falsified and forwards that information to the unsuspecting user.

GPS

The use of an app or hardware to convince a device’s GPS to report that the device is in a different location than it actually is.

Website

An attacker creates an entire malicious website, complete with convincing landing pages. The website will often contain password reset instructions and even digital certifications to trick users into thinking that the website is a legitimate source.

Facial

The subversion of authentication systems, such as those on an Android or iPhone, that use facial recognition. In some cases, attackers have used masks or computer screens with pictures or videos of the person they wish to imitate. Increasingly, we’re seeing “deep fake” videos used to trick people, as well as authentication systems.

IP address

The traditional IPv4 protocol has no built-in authentication or encryption. Therefore, it’s easy to create fake IP addresses. It is also possible to forge IPv6 addresses, because few fully implement the IPv6 standard.

Domain Name System (DNS)

The point of the DNS system is to map user-friendly names (e.g., comptia.org) to an IP address. With DNS spoofing, attackers are able to upload bogus information to a DNS server and poison the database. The result is that an end user may think they are going to www.comptia.org, but they are actually sent to a fake website created by a hacker.

Address Resolution Protocol (ARP)

While people communicate via DNS names, computers communicate via Media Access Code (MAC) and IP addresses. The ARP resolves MAC addresses to IPv4 or IPv6 addresses. Like IPv4, ARP does not include any encryption or authentication mechanism, which allows hackers to imitate MAC addresses. This can lead to many forms of deception of both people and machines.

 

Let’s take a deeper dive into a few of these types of spoofing.

Email Spoofing

At one time or another, all of us have received emails supposedly coming from a friend or an authority figure asking us to do something. Most of the time, we can easily determine that someone is trying to trick (or phish) us. But, sometimes, those emails are pretty convincing.

Here is an example of an email that claimed to come from the U.S. Postal Service. Would you think this is a legitimate email?

A screenshot of a spoofed email that appears to be from the U.S. Postal Service

Figure 1: An email message from a spoofed source

This is actually a pretty good spoof. It has a plausible pretext, as people receive packages through the mail all the time. The email doesn’t have any misspellings, it has good graphics and it is authoritative. In other words, it has a good action statement.

But something is wrong.

  1. The first red flag is that recipient doesn’t have an account with the U.S. Postal Service.
  2. The second red flag is that all of the links go to spoofed websites. This email was created to trick the recipient into giving out sensitive information: in this case, a username, password or even credit card information.
  3. The third red flag is who the email actually came from. (Hint, it’s not the U.S. Postal Service.)

Usually when you hover the mouse over the contact name, you’ll see the actual email address the message originated from. In this case, you can see that this email didn’t really originate from the U.S. Postal Service. It really came from the address [email protected], as shown below.

 A screenshot of the email address details on a spoofed email

Figure 2: Investigating a spoofed email

It’s highly doubtful that bksamson is the U.S. Postmaster General. Being cautious and more than a little skeptical concerning email, spoof texts or spoof phone numbers is the primary way to protect yourself from email spoofing.

Pokémon Go Spoofing

A common example of GPS spoofing is Pokémon Go spoofing. The Pokémon Go game is all about gathering points based on physically traveling to specific locations. But through GPS spoofing, people can cheat by convincing the Pokémon Go app that they have been places they actually haven’t, gathering points improperly.

While the Pokémon Go spoofing example is relatively trivial, GPS spoofing is a much more serious issue when it comes to tracking apps issued by governments.

For example, many governments have proposed the use of tracking applications to help contain pandemics (e.g., COVID-19) and otherwise manage populations. Regardless of the motive behind contact tracing, the fact that it is currently possible to trick a GPS device or an application that uses a GPS device is an issue that IT professionals and government policymakers alike need to understand.

Website Spoofing

Applications such as the Social Engineering Toolkit (SET), shown below, exist to create convincing websites. Many times, these websites have seemingly legitimate names that are often convincing variations of legitimate sites.

A screenshot of the Social Engineering

Figure 3: The Social Engineering Toolkit (SET)

For example, an attacker may send a text or email directing the victim to reset a password at www.comptia1.com, instead of the legitimate website www.comptia.org.

It is even possible to obtain encryption certificates for spoofed websites. This can make the ruse even more convincing to a distracted user.

IP Address Spoofing

It is relatively easy to create – or spoof – any element of a traditional IP address. As a result, it is possible for attackers to thwart detection and trick people or machines into revealing information or unwittingly engaging in attacks.

For example, check out the following command created on a Linux system:

james@stangernet1:~/Desktop$ hping3 -a 10.18.21.24 192.168.55.56 -S -q -p 80 --flood[DM4] 

Basically, this command is telling a Linux system to send a flood of TCP SYN packets to a victim computer with the IP address of 192.168.55.56. This is an example of how a Denial of Service (DoS) attack is conducted. Similarly, when multiple systems work together to target one system, that’s known as a Distributed Denial of Service (DDoS) attack.

Going back to the above example, the command also tells the Linux system to spoof the source IP address of all of the packets. This flood of packets will have the fake source IP address of 10.18.21.24.26.

The diagram below shows the results from the above command.

A diagram illustrating what happens during a DoS attack.

Figure 4: Diagram of a DoS attack

In this attack, a flood of partial TCP synchronization commands with a spoofed source address (10.18.21.24.26) have been sent. The victim computer receives this flood of packets, and then responds to what it thinks is the correct IP address.

But because the source address is a fake, the victim system can’t respond properly. Instead, the victim will dutifully process all of these thousands of fake TCP packets again and again. Eventually the victim system will become overwhelmed and will no longer be able to work.

Plus, any responses from the victim will go to a third IP address. That third IP address might be real or fake. If the third IP address is real, then that system could become an additional victim.

How to Identify and Protect Against Spoofing Attacks

The primary way spoofers hack organizations is by tricking employees. Thankfully, most organizations have active cybersecurity programs to avoid these things.

The IT industry has created many solutions to combat malware and spoofing – and it’s always creating new ones. For example, the IPv6 specification includes effective authentication and encryption mechanisms.

The IT industry continues to adopt two-factor authentication (2FA), which is where you combine the use of biometric information (e.g., facial recognition, fingerprints) with passwords or a physical token. The use of 2FA can help reduce facial recognition system hacks, as well as phishing.

The best way to protect yourself against phishing and caller ID spoofing is to educate yourself about how to identify fake emails and websites and how to respond to unsolicited offers and demands. This is why smart organizations have regular end user training campaigns.

IT professionals can use sophisticated intrusion detection applications and security information and event management (SIEM) tools. Many times, IT pros use IP tracking services, such as IP Tracker , IP2Location and InfoSniper to track packets.

A screenshot of the IP Tracker website

Figure 5: The IP Tracker website

But, the primary way IT pros can guard against spoofing is to carefully learn all the details about the underlying network protocols and best practices necessary to run a network. This means that you should learn about the TCP/IP family of protocols, which include the Transmission Control Protocol (TCP), the Internet Protocol (IP), the User Datagram Protocol (UDP) and many others.

IT support professionals, like network administrators, need to understand not only how to run a network, but also how to secure it. Get the skills needed to secure networks with CompTIA Security+. Download the exam objectives for free to see what skills are covered.

 

 


Read more about Cybersecurity.

Tags : Cybersecurity