Spoofing Attacks

What is a spoofing attack? How can you detect and prevent them?

What is a spoofing attack?

Spoofing is the act of disguising a communication or identity so that it appears to be associated with a trusted, authorized source. Spoofing attacks can take many forms, from the common email spoofing attacks that are deployed in phishing campaigns to caller ID spoofing attacks that are often used to commit fraud. Attackers may also target more technical elements of an organization’s network, such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service, as part of a spoofing attack.

Spoofing attacks typically take advantage of trusted relationships by impersonating a person or organization that the victim knows. In some cases—such as whale phishing attacks that feature email spoofing or website spoofing—these messages may even be personalized to the victim in order to convince that person that the communication is legitimate. If the user is unaware that internet communications can be faked, they are especially likely to fall prey to a spoofing attack. 

A successful spoofing attack can have serious consequences. An attacker may be able to steal sensitive personal or company information, harvest credentials for use in a future attack or fraud attempt, spread malware through malicious links or attachments, gain unauthorized network access by taking advantage of trust relationships, or bypass access controls. They may even launch a denial-of-service (DoS) attack or a man-in-the-middle (MITM) attack.

What does this mean in business terms? Once a spoofing attack has succeeded in duping its victim, an organization could be hit with a ransomware attack or experience a costly and damaging data breach. Business email compromise (BEC), in which an attacker impersonates a manager and tricks an employee into sending money into an account that is actually owned by a hacker, is another common spoofing attack. Or, the business could find that its website is spreading malware or stealing private information. Ultimately, the company could face legal repercussions, suffer damage to its reputation, and lose the confidence of its customers. For these reasons, it’s wise to learn about the kinds of spoofing attacks that are in use today as well as how to detect and prevent them.

 

IP address spoofing attacks

In an IP spoofing attack, an attacker will send IP packets from a spoofed IP address to hide their true identity. Attackers most often use IP address spoofing attacks in DoS attacks that overwhelm their target with network traffic. In such an attack, a malicious actor will use a spoofed IP address to send packets to multiple network recipients. The owner of the real IP address is then flooded with all of the responses, potentially experiencing a disruption in network service. An attacker may also spoof a computer or device’s IP address in an attempt to gain access to a network that authenticates users or devices based on their IP address. 

Caller ID spoofing attacks

Spoofing attacks can also arrive as phone calls. In a caller ID spoofing attack, a scammer makes it appear as if their call is coming from a number the victim knows and trusts or, alternatively, a number that is associated with a specific geographic location. A caller ID spoofer may even use a number that has the same area code and the first few digits as the victim’s phone number, hoping that they will answer the call upon noticing a familiar number. This practice is known as neighbor spoofing.

If a victim of caller ID spoofing answers the call, the scammer on the other end of the line may impersonate a loan officer or other representative of an official-seeming institution. The fake representative will then often try to persuade the victim to give up sensitive information that can be used to commit fraud or perpetrate other attacks.

Email address spoofing attacks

Email spoofing involves sending emails using false sender addresses. Attackers often use email address spoofing in socially engineered phishing attacks hoping to deceive their victims into believing an email is legitimate by pretending that it came from a trusted source. If the attacker is able to trick their victims into clicking on a malicious link within the email, they can steal their login credentials, financial information, or corporate data. Phishing attacks involving email spoofing may also infect victims’ computers with malware or, in cases like business email compromise (BEC) scams, try to trick the victims into initiating a transfer of funds. Variants of phishing such as spear phishing or whaling may be carefully tailored to specific individuals within the company and tend to have a higher success rate.

Website spoofing attacks

In a website spoofing attack, a scammer will attempt to make a malicious website look exactly like a legitimate one that the victim knows and trusts. Website spoofing is often associated with phishing attacks. When a victim clicks on a link in a phishing email, the link may take them to a website that looks just like a site they use—for example, the login page to a banking site. From there, the victim will see exactly the same logo, branding, and user interface they would expect. When they provide login credentials or other personal information, however, the spoofed website will quietly harvest that information for use in an attack or fraud attempt.

ARP spoofing attacks

Address Resolution Protocol (ARP) resolves an IP address to its physical Media Access Control (MAC) address for the purpose of transmitting data across a Local Area Network (LAN). In an ARP spoofing attack, a malicious actor sends spoofed ARP messages across a local area network for the purposes of linking their own MAC address with a legitimate IP address. That way, the attacker can steal or modify data that was meant for the owner of that IP address. 

An attacker wishing to pose as a legitimate host could also respond to requests they should not be able to respond to using their own MAC address. With some precisely placed packets, an attacker can sniff the private traffic between two hosts. Valuable information can be extracted from the traffic, such as exchange of session tokens, yielding full access to application accounts that the attacker should not be able to access. ARP spoofing is sometimes employed in MITM attacks, DoS attacks, and session hijacking.

DNS server spoofing attacks

In much the same way ARP resolves IP addresses to MAC addresses on a LAN, the Domain Name System (DNS) resolves domain names to IP addresses. When conducting a DNS spoofing attack, an attacker attempts to introduce corrupt DNS cache information to a host in order to impersonate that host’s domain name—for example, www.onlinebanking.com. Once that domain name has been successfully spoofed, the attacker can then use it to deceive a victim or gain unauthorized access to another host. 

DNS spoofing can be used for a MITM attack in which a victim inadvertently sends sensitive information to a malicious host, thinking they are sending that information to a trusted source. Or, the victim may be redirected to a site that contains malware. An attacker who has already successfully spoofed an IP address could have a much easier time spoofing DNS simply by resolving the IP address of a DNS server to the attacker’s own IP address.

How to detect spoofing attacks

The best way to prevent a spoofing attack, on the user education side of things, is to keep a lookout for signs that you are being spoofed. For example, a phishing attack that uses email spoofing may feature unusual grammar, poor spelling, or awkward language. The message contained may be urgent in nature, designed to provoke panic and telling you to take immediate action. You may also notice, upon further inspection, that the sender’s email address is off by one letter or that the URL featured within the message has a slightly different spelling than it should. A best-in-class incident detection and response solution can protect your organization even further by proactively notifying you in the event that anomalous user activity is detected.

If you suspect that you have received a spoofed message, whether it has arrived via email, text, or another channel, do not click on any of the links or attachments in the message. To verify that the message is accurate, reach out to the sender using contact information that you have found on your own. Do not use any phone numbers or other addresses that may appear in the message, as they may simply connect you to the attacker. Likewise, if the message is asking you to log into an account, don’t click on the link provided but instead open up a separate tab or window in your browser and log in as you normally would. 

How to prevent spoofing attacks

Smart security tools can help you prevent spoofing attacks, as well. A spam filter will keep most phishing emails from reaching your inbox, for example. Some organizations and even some network carriers use similar software to block spam calls from reaching users’ phones. Spoofing detection software may provide additional protection against some of the kinds of spoofing attacks mentioned above, enhancing your ability to detect and halt them before they have a chance to cause any harm.

Certain best practices can also reduce your chances of falling prey to a spoofing attack. Whenever possible, avoid relying on trust relationships for authentication in your network. Otherwise, attackers can leverage those relationships to stage successful spoofing attacks. Packet filtering can prevent an IP spoofing attack since it is able to filter out and block packets that contain conflicting source address information. Using cryptographic network protocols such as HTTP Secure (HTTPS) and Secure Shell (SSH) can add another layer of protection to your environment.

Learn More About Rapid7’s Insight Cloud Platform

Security Solutions That Leave Attackers Now

Explore Our Solutions