What Is Spoofing and Does My Team Need To Be Concerned?
Spoofing is one of many types of online scams that attempt to obtain personal information. Attackers use one of several methods of impersonating a legitimate and trusted source to convince recipients to enter data or click on links. Here is an overview of what spoofing is and what it typically looks like, as well as tips for identifying and preventing spoofing attacks.
How Spoofing Works
Spoofing occurs when an attacker conceals their true identity, or that of their device, to make it appear as though a phone call, email, text message, or other type of communication came from a legitimate and trusted source. There are several varieties of spoofing attacks, but the common trait is pretending to be someone (or something) they aren't. Scammers use this scheme to trick recipients into entering sensitive personal information, clicking on dangerous links, or otherwise falling prey to the attack.
Types of Spoofing Attacks
Although there are several specific types of spoofing attacks, they all follow the general theme of impersonation. Here are eleven of the most common variations of spoofing attacks.
Caller ID Spoofing
Your phone's caller ID is supposed to let you know who is calling, but modern technology has made it easy for callers to fake their numbers. A scammer may adjust their area code to look as though you are receiving a call from someone in your state or town, or even someone you know. Scammers can also make calls appear to come from various government numbers, which usually occurs in large batches.
Website Spoofing
Website spoofing is a replica of a trusted website that scammers use to lure visitors away from the original site and onto a phishing site in order to obtain sensitive personal information. We see this a lot in the form of the "Living Off The Land" (LOTL) threats we cover in our weekly threat alerts.
Email Spoofing
Email spoofing uses fake emails that appear to come from legitimate companies or people the recipient knows, in an attempt to convince recipients to click on dangerous links that will be used to harvest credentials or install malware.
IP Spoofing
IP spoofing uses forged IP address information to hide the identity of the sender of online data. This type of spoofing is particularly common in Distributed Denial of Service (DDoS) attacks, where the flood of traffic carries forged source addresses so the servers being overwhelmed cannot quickly trace it back to its origin and block it.
DNS Server Spoofing
Similarly, DNS server spoofing uses forged Domain Name System (DNS) responses to redirect users to a spoofed website that looks like the actual website they were attempting to access. The scammer can then capture personal information the recipient thought he or she was entering on a secure website.
ARP Spoofing
ARP spoofing attackers send false ARP messages on a local network so that traffic intended for a legitimate IP address is delivered to the attacker's device instead. This can set an attacker up to conduct other types of attacks, such as session hijacking, DDoS attacks, or MitM attacks (which we cover more below).
Text Message Spoofing
Much like caller ID spoofing and email spoofing, text message spoofing conveys a false identity for the sender of a text message to convince the recipient that it is legitimate. Also known as SMS spoofing, text message spoofing attempts to get recipients to reply to a spam text or click on phishing links (known as smishing when the phishing is done over SMS) within the text message.
GPS Spoofing
GPS spoofing allows an attacker to hide their location by interfering with nearby GPS signals. This type of spoofing uses a transmitter (often loosely called a GPS jammer) to broadcast signals that are stronger than the real GPS signals, which override the legitimate information and make the scammer's location appear to be different.
Man-in-the-Middle (MitM) Attack
MitM attacks occur when an attacker interferes with signals or messages that are sent between two devices. As a type of eavesdropping attack, the attacking device inserts itself in the middle and intercepts (and potentially alters) information by pretending to be both legitimate devices - often with neither side being the wiser.
Extension Spoofing
Extension spoofing uses a false file type to make a harmful file appear normal, which can let it slip past firewall policies and encourages users to download and install it. Rather than being a legitimate file, these files typically contain malware, viruses, or other threats. An example here might be a file named "filename.pdf.exe" or "filename.txt.pif", where the final extension is the one that actually determines how the file is run.
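An added example (not code from the original post) of the two checks a mail gateway or endpoint scanner can apply to an attachment: flag a document-style name that ends in an executable extension, and compare the file's leading bytes with the signature its claimed extension implies. The sample attachments and their contents are constructed for the demonstration.

```python
# Constructed sample attachments: (filename, first bytes of the content).
SAMPLES = [
    ("quarterly-report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3"),
    ("invoice.pdf.exe", b"MZ\x90\x00\x03\x00"),   # renamed Windows executable
    ("notes.txt.pif", b"MZ\x90\x00\x03\x00"),     # same trick, .pif extension
    ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    ("statement.pdf", b"MZ\x90\x00\x03\x00"),     # executable with a .pdf name
]

EXECUTABLE_EXTS = {"exe", "pif", "scr", "com", "bat", "cmd", "js", "vbs"}
DOCUMENT_EXTS = {"pdf", "txt", "doc", "docx", "xls", "xlsx", "jpg", "png"}
# Leading bytes a file claiming this extension is expected to start with.
MAGIC = {"pdf": b"%PDF", "jpg": b"\xff\xd8\xff", "png": b"\x89PNG", "exe": b"MZ"}

def check_attachment(name, head):
    # Returns a list of findings; an empty list means the name and content agree.
    exts = name.lower().split(".")[1:]
    findings = []
    # Double extension such as .pdf.exe: a document name with an executable suffix.
    if len(exts) >= 2 and exts[-1] in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]}")
    elif exts and exts[-1] in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{exts[-1]}")
    # Claimed type versus actual content signature.
    expected = MAGIC.get(exts[-1]) if exts else None
    if expected and not head.startswith(expected):
        findings.append(f"content does not match .{exts[-1]} signature")
    # A PE header ("MZ") under a non-executable name is the classic disguise.
    if head.startswith(b"MZ") and (not exts or exts[-1] not in EXECUTABLE_EXTS):
        findings.append("Windows executable disguised as non-executable")
    return findings

def scan(samples):
    # Map each attachment name to its findings.
    return {name: check_attachment(name, head) for name, head in samples}

if __name__ == "__main__":
    for name, findings in scan(SAMPLES).items():
        print(f"{name}: {findings or 'ok'}")
```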
Facial Spoofing
Although facial recognition was intended to be a particularly secure method of protecting data, recent facial spoofing attacks have shown how easy it is to use someone else's face to gain access to unauthorized information. A photo or video can be used to break into banking platforms, phones, and other sensitive systems more easily than one might think, and this type of attack is often connected to identity fraud.
How to Know if You're Being Spoofed
Spoofing attacks and other types of impersonation scams often follow a couple of predictable patterns, so if you know what to look for, most attacks can be detected before you fall for them. These emails, text messages, and other forms of communication may have frequent spelling mistakes, poor grammar, and awkward or unnatural word choices or phrasing, which is a clear giveaway if a message is supposedly from a reputable company that would not make those errors. Spoofing attacks also often create a sense of urgency to keep you from thinking clearly and assessing the situation, especially if they are impersonating a legitimate government agency, for example by claiming that you will lose your account if you do not respond immediately.
How to Protect Against Spoofing Attacks
Knowing what to look for is the key to preventing spoofing attacks because most attacks do follow at least one of the patterns we mentioned above: strange language or inviting a sense of urgency. Taking a few seconds to assess any type of communication that asks you to take action, such as clicking a link, downloading a file, or providing personal information, gives you a good chance of detecting signs that the source you are being contacted from may not be legitimate. If you are concerned about the validity of a particular message, you can also contact the company or individual directly to verify whether a particular email, text, or other piece of communication is legitimate.
History of Spoofing
Unfortunately, spoofing attacks are nothing new. Like many types of scams or ransomware, they have been around for as long as the internet itself, although they have become much more common in recent years due to threat actors' ability to scale their attacks with modern technology.
Notable Spoofing Attacks
The first major DNS spoofing attack was launched against three Florida banks in 2006, and the identity of the attacker is still unknown. This attack created fake login pages that gathered users' credit card numbers, PINs, and other sensitive information.
Email spoofing attacks are also common. In 2014, the accounts payable coordinator of the drug company Upsher-Smith Laboratories was scammed by a spoofing attack pretending to be the company's CEO, which convinced the coordinator to send over $50 million in wire transfers.
The insurance company Humana was also a target of a DDoS spoofing attack in 2018. This attack gained access to users' medical records and insurance information.
Entering sensitive information on a website that was not secure (HTTPS) was likely a contributing factor in these attacks, particularly the 2006 Florida bank attack. In 2021, no reputable bank should have an HTTP website, and customers should know to look for this on any website that asks for financial or other sensitive information to prevent this type of spoofing attack. Beware, however: attackers in 2021 are growing much more sophisticated, so seeing HTTP rather than HTTPS is more likely a slip-up on the attacker's part. These days, attackers are using secure HTTPS URLs to provide the appearance of legitimacy, so always be cautious.
Although spoofing attacks are on the rise, they can also be easy to detect if you have the right solutions in place. Zix offers Email Threat Protection that includes Identity Protection, with sender verification checks including SPF, DMARC, and DKIM tests, and domain- and user-level impersonation checks using hypocorism (nickname) and Levenshtein distance tests. This was all designed to defend against the rise in spoofing attacks. Once configured, identity and domain protection can help prevent threat actors from sending messages to you that spoof your domain, and (more specifically) from sending messages to you that spoof your company's most targeted individuals (like the CEO, CIO, CTO, and accounting team members). Don't have visibility into your most targeted employees? Contact us today and we can help with that too.
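An added example (not Zix's code) of how the checks named above fit together on an inbound message: read the SPF/DKIM/DMARC verdicts the receiving mail server recorded in its Authentication-Results header, compare the sender's domain with the protected domain by Levenshtein distance, and match the display name (after nickname expansion) against a list of most-targeted people. The protected domain, the VIP list, the nickname table and the sample message are all constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
PROTECTED_DOMAIN = "example.com"
PROTECTED_PEOPLE = {"jane doe": "jane.doe@example.com"}  # hypothetical VIP list
NICKNAMES = {"janie": "jane", "bob": "robert"}  # tiny hypocorism table

# Constructed sample: lookalike domain, nickname display name, failed auth checks.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
From: "Janie Doe (CEO)" <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire transfer

Please process the attached wire before end of day.
"""
def levenshtein(a, b):
    # Classic dynamic-programming edit distance.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def auth_results(header):
    # spf/dkim/dmarc verdicts recorded by the receiving mail server.
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))
def normalise_name(display):
    # Drop "(CEO)"-style titles, lower-case, and expand a nickname first name.
    parts = re.sub(r"\s*\(.*?\)", "", display).strip().lower().split()
    if parts:
        parts[0] = NICKNAMES.get(parts[0], parts[0])
    return " ".join(parts)
def assess(raw_email):
    # Returns a list of findings; an empty list means nothing looked spoofed.
    msg = message_from_string(raw_email)
    auth = auth_results(msg.get("Authentication-Results", ""))
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = [f"{m}={auth.get(m, 'missing')}"
                for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    dist = levenshtein(domain, PROTECTED_DOMAIN)
    if 0 < dist <= 2:  # close to, but not exactly, the protected domain
        findings.append(f"lookalike domain {domain} (distance {dist})")
    real = PROTECTED_PEOPLE.get(normalise_name(display))
    if real and addr.lower() != real:
        findings.append(f"display name '{display}' impersonates {real}")
    return findings
```

Running assess(SAMPLE_EMAIL) reports the three failed authentication checks, the one-character lookalike domain, and the display-name impersonation of the CEO.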