In cybersecurity slang, “spoofing” refers to a strategy in which a fraudster impersonates somebody else’s identity or credentials (personal or institutional) to earn a victim’s trust. The aim is to abuse that trust to meet the fraudster’s objective (access to a system, sensitive data, money, or installing malware).
What is spoofing?
Spoofing is an umbrella term rather than a specific type of attack or malware. It involves a cybercriminal attempting to pass as somebody else, such as a person or an organization that the victim would trust. The point is that, as the hacker earns that trust, he will use it to make the victim perform a series of unusual actions to help the hacker achieve a goal. So, whenever a digital criminal tries to pretend he’s somebody else, he’s spoofing.
Spoofing can happen through any communication channel available to both the victim and the scammer. It comes in many flavors, depending on the technological sophistication involved in each attempt.
Spoofing is an excellent example of “social engineering” in which the success of a criminal activity relies as much upon the ability of the criminal to psychologically manipulate the victim as on their degree of technical prowess. Kevin Mitnick is the most famous hacker whose exploits relied heavily on social engineering to succeed. These techniques play on the weakness of the human user as the most vulnerable link in the security chain because of fear, greed, or ignorance.
How does spoofing work?
Spoofing typically has two ingredients. First, there is the spoofed object, properly speaking. It can be a fake website, email, or something else (more on that later). Second is the element of interaction and social engineering in which the criminal tries to persuade the victim to perform a specific action.
So consider this scenario: an email arrives in the victim’s inbox. It seems legitimate and supposedly comes from a trusted senior officer in his company. The email requests the victim to transfer some money and explains why this transfer is needed. Then the spoofer is also ready to give extra persuasion if the victim doesn’t comply immediately, always keeping up his act and avoiding raising any suspicions.
On the surface, spoofing looks like a silly type of attack because it needs the victim’s collaboration to work. However, this technique works, and it can be very harmful. A good spoof will grant the hacker network access and the chance to install malware or obtain valuable information he can use in further attacks. Spoofing attacks on corporations can even lead to a ransomware attack, which can be very costly.
Notably, spoofing is different from the location spoofing/tweaking that many users carry out today for different purposes. For example, people do Pokemon Go spoofing to change their area in the game for extra fun.
Coming back to the bad spoofing, there are as many types of spoofing attacks as there are communication methods. The most common and direct involve phone calls, websites, and emails. The most complex ones involve IP addresses, DNS (Domain Name System) servers, and the ARP protocol. Let’s explore each kind.
Types of spoofing
1. Email
Email is one of the most frequent means of spoofing attacks. In this attack, the sender includes forged email headers so the recipient will take them at face value. However, a close examination of the email would reveal inconsistencies that would give the game away. But it’s frequent for the recipient to assume that the message is legitimate. For example, if they recognize a name they know as the sender, they will probably trust it without paying attention to the rest of the information.
This type of spoofing usually requests money transfers or the credentials to enter a system. As an additional “perk,” the spoofed email sometimes includes an attachment that installs malware as soon as the recipient opens it. The optimal scenario for the hacker is to use a given recipient to infect a whole network.
The social engineering element is crucial for email spoofing because it’s about persuading human beings to do something they’re not supposed to do.
2. IP spoofing
It is a spoofing attack focused on a network, not an individual user.
In IP spoofing, the objective is to access an otherwise forbidden system. The attacker sends messages with false source IP addresses that mimic addresses that could originate within that network.
Here is how it works: the criminal takes an ordinary data packet (or several) and changes its header, putting a legitimate IP address in place of the real source address. That makes the packet look as if it originated from a trusted computer within the network.
IP spoofing attacks are often the preliminary stage of a DDoS attack. This type of attack can bring a whole network down if you don’t stop it early. So, it’s essential to identify an IP spoofing attack as early as possible.
3. Website spoofing
Also known as URL spoofing. Here, the hacker will take a fraudulent website and disguise it as a legitimate one. So he would steal all the graphics, layout, and everything it takes to make the fake webpage look like the original one. Even the URL and website names will be as close as possible to the original ones.
Imagine you ask where to watch movies for free and encounter a site full of ads and malware that looks similar to a legitimate streaming website you knew about. Situations like this make this technique super harmful today.
Website spoofing is also a type of phishing attack (it often starts with a phishing email). The criminal wants to persuade you that you are in the right place so that you try to log in. Then, he will have your username and password for the actual website.
4. Phone spoofing (caller ID spoofing)
In this case, the attack comes from a simple phone call. Except your phone will show you a false caller ID because the attacker has faked it. It is not an idle trick. People are more likely to answer a phone call if an unknown number looks at least vaguely familiar (for instance, if it looks like a local number).
These calls come from Voice over Internet Protocol (VoIP) services because these tools allow the callers to create a phone number and caller ID to their specifications.
If and when the call is answered, the scammer will try to talk the victim into revealing information they can use for some nefarious purpose.
5. Text message spoofing – SMS spoofing
These are SMS or text messages with false sender information.
SMS marketing is a real thing. Legitimate businesses often send messages to their customers under an easy-to-remember sender ID for convenience. Scammers use the same feature to hide their identity and to steal the credibility of the business they try to impersonate. They will send phishing links or try to have you download a malware installer.
6. ARP spoofing
ARP stands for Address Resolution Protocol. It is the piece of networking software that enables the network to locate and reach a specific device. In this attack, the bad guy sends false ARP messages over a LAN. The messages link the bad guy’s MAC address to the IP address of a device that belongs in the network. In other words, it hijacks the network connection belonging to said hardware.
7. DNS spoofing (DNS cache poisoning)
Let’s start by remembering what DNS servers do. These are the internet’s yellow pages. Your devices can’t find any server using a domain name (like www.google.com). So if your mobile or your computer is ever going to find Google so you can run the search you want, it must use Google’s IP address (8.8.8.8). So a DNS server gives you the IP address corresponding to the domain name you are looking for.
So a DNS spoofing attack falsifies the IP address of a legitimate website. Thus, your browser gets redirected to the website the hacker wants. They achieve this goal by replacing the legitimate IP address in the DNS server with the IP address of their own website.
8. GPS spoofing
GPS spoofing tricks a GPS receiver with a false signal that looks OK. The objective is to fake your physical position. Thus attackers can hack a car’s GPS or send you to an unwanted place.
9. Facial spoofing
Facial recognition technology is the latest biometric way to unlock digital devices. Facial spoofing is a very advanced type of attack in which the hacker injects false biometric information into a device.
General measures against spoofing
A little prevention goes a long way. These simple security measures against spoofing attacks can help you stay safe if you practice them regularly.
- Don’t follow unknown links.
- Don’t open attachments from unknown sources. Unwanted links and attachments will often take you to a source of malware. If you are unsure, don’t open them.
- Ignore unrecognized emails or phone calls. Any email or phone call that doesn’t come from your contacts could be a scammer.
- Use 2FA. Two-factor authentication is not infallible, but it’s still much better than the standard username and password combo. Use it whenever available.
- Choose good passwords. A good password is long and complicated, impossible to guess because it’s not a word or phrase you can find in any book or dictionary. Also, every password should be unique to each account. If you need a password manager to keep track of all your credentials, then use one.
- Keep your sensitive information to yourself. Your personal information does not belong on the internet, period. Unless you provide it to a trusted actor in a secure environment, never surrender any sensitive information online or through SMS messages.
- Keep your devices updated.
- Mind grammar and spelling. Spoofed websites and emails are often poorly written. Pay attention and run away if you must.
Effective strategies against spoof attacks
There is no silver bullet for spoofing. Each type of attack is very different, and besides data forgery, there is almost no common ground among all the different types of spoofing. However, there is good news. In most cases, spoofing only works if the victim cooperates in some way. That means prospective victims can stop spoofing in its tracks easily with awareness. Let’s see how you can deal with each kind.
Stopping email spoofing
At the heart of the internet’s email system, there is the Simple Mail Transfer Protocol (SMTP). Unfortunately, this protocol has no built-in authentication. That is why there is no way to stop email spoofing completely.
However, there are still some simple things an average user can do to reduce the probability of a spoof email attack. Most importantly, it’s about having a secure email provider and minding your cybersecurity.
- Use disposable email accounts when you open new accounts on websites. It makes it harder for your email address to end up in the lists spoofers use to send bulk attacks.
- Use a strong password. It should be long, complicated, and impossible to guess. We have a guide on choosing and managing passwords. Good passwords make a hacker’s job nearly impossible.
- Look at an email’s header if you can (some services don’t make it readily available, and mobile mail apps don’t allow you to see it). If something looks wrong, then be suspicious.
- Use spam filters.
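The header check suggested above can be automated. The following Python sketch is an added example, not part of the original article: it parses a constructed message and lists the inconsistencies a careful reader would look for. The sample message, the function names and the FAILING set are assumptions made for illustration, and a mismatch is a hint to look closer, not proof of forgery.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message: every name, address and domain here is invented.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mailer.example.net; dmarc=fail header.from=example.com
From: "Dana Smith, CFO" <dana.smith@example.com>
Reply-To: dana.smith@examp1e-finance.test
To: accounts@example.com
Subject: Urgent wire transfer

Please send the payment today.
"""

FAILING = {"fail", "softfail"}  # results treated as a red flag (assumed policy)

def domain_of(header_value):
    """Lower-cased domain of the address in a header value, or '' if absent."""
    address = parseaddr(header_value or "")[1]
    return address.rpartition("@")[2].lower()

def header_red_flags(raw_message):
    """Return a list of human-readable inconsistencies found in the headers."""
    msg = message_from_string(raw_message)
    flags = []
    from_domain = domain_of(msg["From"])
    # Replies or bounces routed to a different domain than the visible sender.
    for name in ("Return-Path", "Reply-To"):
        other = domain_of(msg[name])
        if other and other != from_domain:
            flags.append(f"{name} domain {other} differs from From domain {from_domain}")
    # Verdicts recorded by the receiving mail server, when it adds them.
    for value in msg.get_all("Authentication-Results", []):
        for clause in value.split(";")[1:]:
            method, _, result = clause.strip().partition("=")
            result = result.split()[0].lower() if result.split() else ""
            if method in ("spf", "dkim", "dmarc") and result in FAILING:
                flags.append(f"{method} check result: {result}")
    return flags

if __name__ == "__main__":
    for flag in header_red_flags(RAW):
        print("-", flag)
```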
Preventing IP spoofing
- Keep your network’s traffic under close monitoring.
- Use packet filtering so that inconsistent packets do not reach their intended target.
- Use verification methods for all remote access.
- Authenticate all the IPs.
- Make sure that at least some of your network is behind a firewall.
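The packet-filtering rule above comes down to one question: is the claimed source address plausible for the interface the packet arrived on? The Python sketch below is an added example, not part of the original article; the internal prefix 10.20.0.0/16, the interface labels and the function names are assumptions, and the sample packets are constructed.

```python
import ipaddress

# Assumed topology: one internal prefix behind a border filter with two interfaces.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed sample traffic: (claimed source address, interface it arrived on).
SAMPLE_PACKETS = [
    ("10.20.5.9", "external"),    # outsider claiming to be an internal host
    ("192.168.1.5", "external"),  # private address that cannot come from the internet
    ("8.8.8.8", "external"),      # ordinary public source
    ("10.20.7.1", "internal"),    # ordinary internal host
    ("8.8.8.8", "internal"),      # internal host forging an outside source
]

def ingress_verdict(src_ip, arrival_iface):
    """Accept or drop a packet based on where its claimed source could originate."""
    src = ipaddress.ip_address(src_ip)
    claims_internal = any(src in net for net in INTERNAL_NETS)
    if arrival_iface == "external":
        # A packet from outside must never carry one of our own addresses.
        if claims_internal:
            return "drop: internal source address arriving from outside"
        # Private, loopback, reserved or multicast sources are not valid on the internet.
        if not src.is_global or src.is_multicast:
            return "drop: non-routable source address arriving from outside"
        return "accept"
    if arrival_iface == "internal":
        # Outbound check: hosts behind the filter may only use addresses assigned to them.
        if not claims_internal:
            return "drop: source address does not belong to this network"
        return "accept"
    raise ValueError(f"unknown interface label: {arrival_iface}")

def filter_packets(packets):
    """Return the verdict for each (source, interface) pair, in order."""
    return [ingress_verdict(src, iface) for src, iface in packets]

if __name__ == "__main__":
    for (src, iface), verdict in zip(SAMPLE_PACKETS, filter_packets(SAMPLE_PACKETS)):
        print(f"{src:>12} via {iface:<8} -> {verdict}")
```

The last case matters for the DDoS scenario mentioned earlier: dropping forged sources on the way out keeps your own network from being used to launch spoofed traffic.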
Avoiding website spoofing
- Look at the address bar to ensure the website is secured (you will see HTTPS instead of HTTP). A fraudulent site will not be encrypted, most probably. It is not a golden rule, but it is an excellent place to start. You need to identify other red flags too.
- Is the grammar and spelling on the website correct? Do the colors or logos look just a little bit wrong? Is the website complete? Look for a privacy policy, for instance. Spoofed websites need to imitate all the elements in the original one.
- Use a password manager. It will never provide the correct password and username for the wrong website. Besides, it will immediately inform you that you’re not on the site you expected.
Stopping spoofed calls
- Find out if your carrier can filter out spam phone calls.
- Consider using a third-party app for this.
- Don’t answer calls from unknown numbers. The more you answer, the more you’ll keep getting.
Preventing SMS and text messaging spoofing
- Never click on a hyperlink that reached you through an SMS. If it says it’s urgent, that’s even more reason to avoid it and be suspicious.
- “Password reset” SMS is a red flag. Please don’t click on them.
- Sensitive personal information doesn’t belong in SMS and text messages. And no corporation or government agency will ever ask you to send it to them through those means.
- If your SMS offers a prize or discount that looks too good to be true, trust your intuition: it is too good. It’s a scam.
Preventing ARP poisoning or spoofing
- The best defense for individuals is a VPN.
- Organizations should use encryption for their internal traffic to avoid ARP poisoning.
- Packet filters are also effective against ARP poisoning.
Avoiding DNS cache poisoning or spoofing
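Because ARP spoofing works by linking the attacker's MAC address to someone else's IP address, it leaves a visible trace: an IP address whose MAC suddenly changes, or one MAC answering for several IPs. The Python sketch below is an added example, not part of the original article; the observation format, the function name and the addresses are constructed for illustration.

```python
from collections import defaultdict

# Constructed ARP reply observations: (timestamp, sender IP, sender MAC).
OBSERVATIONS = [
    (1, "192.168.1.1", "AA:BB:CC:00:00:01"),   # gateway, first seen
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    (3, "192.168.1.1", "de:ad:be:ef:00:66"),   # gateway IP now claimed by another MAC
    (4, "192.168.1.20", "aa:bb:cc:00:00:20"),  # unchanged, no alert
    (5, "192.168.1.30", "de:ad:be:ef:00:66"),  # same MAC also answers for a second IP
]

def find_arp_anomalies(observations, trusted_bindings=None):
    """Report IP-to-MAC bindings that change and MACs that claim several IPs.

    trusted_bindings is an optional {ip: mac} map of known-good entries
    (for example the gateway); otherwise the first binding seen is trusted.
    """
    known = {ip: mac.lower() for ip, mac in (trusted_bindings or {}).items()}
    ips_per_mac = defaultdict(set)
    changed = []
    for timestamp, ip, mac in observations:
        mac = mac.lower()  # MAC addresses are case-insensitive
        ips_per_mac[mac].add(ip)
        previous = known.setdefault(ip, mac)
        if previous != mac:
            # Keep the earlier binding as the reference and record the conflict.
            changed.append((timestamp, ip, previous, mac))
    multi_ip = {mac: sorted(ips) for mac, ips in ips_per_mac.items() if len(ips) > 1}
    return {"changed": changed, "multi_ip_macs": multi_ip}

if __name__ == "__main__":
    report = find_arp_anomalies(OBSERVATIONS)
    for ts, ip, old, new in report["changed"]:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    for mac, ips in report["multi_ip_macs"].items():
        print(f"{mac} answers for {', '.join(ips)}")
```

A changed binding can also be benign (a replaced network card or a DHCP lease handed to a new device), so treat the report as a prompt to investigate.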
- A VPN is the best way to avoid DNS cache poisoning.
- Scan your device with your antivirus regularly.
- Flush your DNS cache frequently.
Preventing GPS spoofing
- Anti-GPS spoofing is under development, but it won’t be a commercial product for individual users.
- Disable the GPS on your mobile device.
Preventing Facial spoofing
- Include eye blink detection in your face recognition technology. Fraudsters can’t match it.
- Use interactive detection.
Conclusion
Our beloved internet is exceedingly powerful, convenient… and unsafe. We now depend on it to complete many of our daily tasks, which means that we are continuously exposed to the net’s dangers, spoofing amongst them.
Spoofing is only one of many security risks prevalent on the internet. Still, there’s a good thing about it: as it relies heavily on the victim’s collaboration, sheer awareness prevents it from working.
So let us congratulate you! You became aware just by reading this article, which empowers you to fight spoofing successfully.
Enjoy your new empowerment, and use it to achieve every internaut’s primary goal: staying safe.
FAQs
Spoofing attempts to position a bad actor in an ideal man-in-the-middle position by trying to pass as a trusted actor. However, as a general rule, MiM attacks do not involve human beings. So spoofing is a version of MiM in which the goal is to fool a human being in the communication chain.
Yes, it can. That’s the goal of phishing emails, which often spoof websites and email addresses.
Unfortunately, spoofing in and of itself is not illegal for the most part. The answer depends on the specifics of each individual case, but spoofing is no different than wearing a mask to rob a bank. It’s not the mask that makes it dangerous or illegal.