“Spoofing” sounds funny but the consequences of a successful attack on your business are nothing to laugh at. Take control of your security and recognize the patterns of all types of spoofing attacks.
Once you’re been initiated into the world of cybersecurity, you start feeling like a hammer and every little irregularity starts looking like a nail. What’s worse is initiating yourself into this world in 2020, after a 600% increase in cybercrime during the COVID-19 pandemic. It’s astounding what boredom and economic stagnation will drive people to.
Now that I’ve given you a glimpse into my mind on the state of cybersecurity, you can understand when I tell you that you can’t be too careful when venturing your business into the Wild West of the internet. Not to worry, I’m here to help you prevent cyberattacks and protect your business from wannabe digital thieves.
Setting aside the implications of major cyberattacks like the Solar Winds breach, there are countless tried-and-true methods for cybercriminals to extract precious information from your business, like spoofing.
Overview: What is spoofing?
“Spoof” sounds like a sound effect for an airbag going off in a car or something. Sure, “spoofing” sounds like a funny word but when it comes to security it is anything but. It is the intentional act of camouflaging malicious actors and intent under the guise of legitimate behavior.
Spoofing attacks take advantage of your trust and technology to use them against you and gain access to sensitive information, infrastructure, and even your livelihood.
To make matters worse, these are almost never one-off attacks. Spoofing is an advanced persistent threat and if you’re identified as a vulnerable target with multiple weak links and attack vectors, hackers will continue to come after you until you either give them an opening or close up your weaknesses.
Some spoofing attacks take the form of social engineering (think real-life Jedi mind tricks that take the form of fake websites, emails, and phone calls), while others target your network infrastructure to gain access to your systems and data. Not to worry, all you need to address this issue is a clear understanding of the threat intelligence and an actionable plan to mitigate the risks of spoof attacks.
4 most common types of spoofing
It seems like hackers are coming up with new attack methods every single day and it’s hard to keep up with their endless creativity. I call it “creativity” because you have to have an inventive mind to search and think up new ways to exploit the vulnerable. However, these are the four most common types of spoofing that I see happening today.
1. ARP/IP spoofing
OK, we’re going to hit the ground running with a more complicated spoofing attack and I apologize for the lengthier explanations. First up is ARP spoofing. Now, ARP stands for “address resolution protocol.” Everything dealing with sending data (packets) from one computer to another is governed by protocols, like this one.
Without getting too deep into the weeds, ARP is a protocol that deals with MAC addresses (the physical address assigned to your computer) and the data sent between those MAC addresses within a local area network (think all of your devices connected to your router within your own home). Essentially ARP sorts out the connected addresses within a local network.
Let’s say you are an attacker. ARP spoofing is the act of intercepting traffic by linking your own MAC address to a legitimate IP address and sending acknowledgments back to the computer that originally sent this traffic.
The point is to trick the original sender into thinking you (the attacker) are the intended recipient of this data. This way, the sender will continue to ship traffic to you and all of the precious data that comes with it. If you choose to intercept the traffic, this is known as a MITM (man in the middle) attack, which allows you to view and/or manipulate the information you receive.
There is a little more to this attack, but all you ultimately need to know is that ARP spoofing is essentially pretending to be the recipient of data that is not yours.
IP (internet protocol) spoofing is a little different. The most common purpose of IP spoofing is mainly for denial-of-service attacks, in which an attacker creates fake IP addresses to send connection requests to a victim that cannot be fulfilled, which hogs up the bandwidth of the victim. This leads to all sorts of problems, like crashed websites, denied connections to streaming services, you name it.
Rather than use a crude and clunky metaphor to further explain this concept, I recommend you watch this video on IP spoofing denial of service attacks to get a better understanding:
These spoofing attacks are used to facilitate other kinds of attacks, such as session hijacking. Trust me, there’s a lot more that goes into this, from networking hardware, like switches, routers, network interface cards, ARP tables, and three-way handshakes, but this is all you need to really know to understand the basics of this attack.
2. Email spoofing
Email spoofing is a lot simpler than the previous attack types and is one you’ve probably encountered countless times over the years. Email spoofing is most often used in phishing or other types of social engineering attacks. An attacker sends emails to potential victims for the purposes of collecting personal information, spreading malware, tricking you into sending money, or simply blackmailing you.
Common email spoofing attack types include (but are not limited to):
- Impersonating well-known brands: Attackers send falsified emails from trusted companies with false links or instructions to send personal information.
- Impersonating your higher-ups: Attackers send falsified emails pretending to be your manager or CEO asking for sensitive information, including logins and passwords, data, or identifying information.
- Sending links to file downloads: Attackers send falsified emails appearing to be from trusted brands like Microsoft or Apple prompting you to “download updates” or other files from a provided link in order to trick you into installing malware.
These attacks are some of the most common types of hacks as they require little technical knowledge and effort on the part of the attacker.
3. Website spoofing
This type of spoof typically goes hand-in-hand with email spoofing. Website spoofing is when an attacker creates a fake (some more believable than others) website using a similar URL to a legitimate website. For example:
I just made up this fake URL on the spot; when I checked, I saw that Bank of America has already taken the initiative to redirect this misspelled address to their legitimate site. However, this is not always the case. It’s hard for brands to keep up with every single misspelling of their URL, and hackers take advantage of this at every opportunity.
These spoofed websites are created for the purpose of extracting sensitive information from you, including your login credentials, personal data, and other information. Many times these spoofed websites are sent in spoofed emails.
4. Caller ID/text message spoofing
Chances are you’ve experienced this form of spoofing far more than you care to mention. If I’m being honest, I am sick to death of getting these spoofed ID calls from spammers. I hope their mothers screw up their favorite meal this week and they cry themselves to sleep about it.
If you aren’t familiar with caller ID spoofing, it’s a method of phone scamming in which the attacker uses an online calling software to create a fake number that matches the area code of the victim they are calling or texting.
This method is meant to trick the victim into answering the phone by preying on the familiarity of the area code. After all, it’s easy to think a call or text is legitimate if it’s coming from your current area or from a previous area that you’ve lived in before.
Like most spoofing attacks, this method is used for lots of different reasons, such as collecting personal information, selling you on scams (such as IRS or tech-support scams), or selling you fake products.
How to recognize and prevent spoof attacks
Now that you have a rudimentary understanding of the most common spoofing attacks, let’s dive into the best practices for recognizing and preventing these threats.
1. Recognize and prevent ARP spoof attacks
There’s a whole list of ways to detect and prevent ARP spoofing, most of which are handled by your IT/cybersecurity team. First, let’s look at prevention.
Static ARP entry: Remember how I said ARP is a protocol meant to map out addresses within a network? Well, this is displayed through an ARP table, which is a readout of MAC/IP addresses with which your computer currently communicates.
You can view this table right now using your command prompt, entering the command “arp -a” into the prompt. This will display the known connections by their MAC address and corresponding IP address, like so:
These addresses are added to your ARP table automatically by default as you interact with new devices on a local network. This is a great way to see which devices are connected to your local network.
One way to prevent ARP spoofing is through static ARP entry, which relies on your IT team to add legitimate MAC/IP addresses to the ARP tables on your company routers.
However, when you’re dealing with massive businesses, these tables grow to enormous lengths, which makes it time-consuming and tedious to go through each MAC address one at a time to verify whether it actually corresponds to a valid IP address. I would not recommend this solution to major institutions.
Packet filtering: The easiest way to prevent ARP spoofing is by using a packet filter, which blocks packets (encapsulated data sent between computers) from sources with conflicting address information, such as MAC addresses that don’t align with legitimate IP addresses. Think of this like your water filter, which stops all the bad stuff at the faucet and only allows pure water to pour into your glass. A packet filter will stop conflicting addresses from embedding into your ARP table and prevent traffic from those suspicious addresses.
Now, let’s look at how we can detect ARP spoofing attacks outside of network and endpoint security software.
Check your ARP table: The most straightforward way to detect ARP spoofing on a small level is by checking your local ARP tables. Using the command prompt, type in the “arp -a” command to see all MAC/IP addresses with which your device communicates; if you have a record of all of the corresponding addresses, you’ll see if there are any that don’t fit.
On the off chance that you find a MAC address that doesn’t correctly match up with an IP address, you can use an ARP cache flush command “arp -a [IP address]” to eject the suspicious address from your table. However, just like running a static ARP table option for prevention, this is not a realistic solution for monitoring your local network when dealing with a large business.
Packet sniffing: This method of detection is not as funny as it sounds. In fact, unless you love looking at long lists of data packets going through your network, this is a boring (but highly effective) method for detecting malicious traffic throughout your network. Packet sniffing is conducted using a packet tracer tool like Wireshark to monitor traffic and “sniff” out malicious behavior.
Not that it means much to you at a glimpse, but here is what an ARP spoofing attack would look like to someone evaluating traffic using Wireshark.
Tools like Wireshark are a great way to get an in-depth look at your network and prevent spoofing, DDoS attacks, session hijacking, and so much more. Alright, now that I’ve sufficiently driven all of you insane with all of this technical nonsense, let’s move onto ways to prevent other, more common, spoofing attacks before your eyes start glazing over (if they haven’t already).
2. Recognize and prevent email spoofing
It’s all easier from here, trust me. Recognizing and preventing email spoofing attacks only requires you to read the warning signs and to trash emails that throw up red flags. Here are the red flags to watch out for:
- Grammatical errors in the email body text
- Misspelled URL links
- Uninitiated requests for password changes
- Pushy or overly urgent language, e.g.: “Click here or we will deactivate your account”
- Sender address doesn’t fully match up to the brand
- Uses generic greetings like “Hello Customer”
- Unnecessary email attachments (DO NOT OPEN THESE)
- Requests for information they either do not reasonably need or should already have (social security numbers, account numbers, date of birth, etc.)
At the end of it all, trust your gut. If you feel even a little bit uncomfortable with an email but aren’t sure about its authenticity, then Google the number of the business and call them directly about the matter. If it is real then they will know exactly what you are talking about and if not then you’ll know exactly which email is going in the trash bin.
3. Recognize and prevent website spoofing
OK, so despite the best efforts by everyone in Congress and Big Tech™ to reign in the digital Wild West known as the internet, there is no way you can prevent website spoofing 100% of the time. But, what you can do is recognize spoofed websites and avoid them at all costs. Similar to email spoofing, there are lots of red flags to watch out for, such as:
- Misspelled URL links
- Grammatical errors
- Mismatched logos and color schemes
- Broken links within the website
- Seemingly off-brand images
Most of these websites are shared through spoofed emails or suspicious-looking social media accounts. A great rule of thumb with the internet is to never click on anything from anyone you don’t actually know.
This rule will carry you far and prevent you from dealing with malware, unwanted ads, hacks, and personal data leaks. If you can’t 100% verify the authenticity of the website with a simple Google search of the URL, then just avoid the website altogether. Easy as pie.
4. Recognize and prevent caller ID spoofing
Dear Lord! If you know the secret for preventing calls from all spoofed phone numbers I will give you the world’s biggest hug, I promise. While some companies like Apple have made strides in blocking unwanted spam calls from spoofed numbers, the problem hasn’t been 100% solved and I’m not sure anyone can solve it. It’s like playing a game of world wide web whack-a-mole with some of the most annoying people on the planet.
With all that on the table, there are ways to recognize caller ID spoofing. Some of the warning signs are:
- Calls from random numbers with your area code
- Calls where no one answers immediately when you pick up
- Calls from area codes where you used to live but the number isn’t stored in your phone
Caller ID spoofers do their homework on you and try to scrape as much information about their lists of victims as possible from the internet. Then they will make phone calls with numbers based on areas that you’ve lived. The truth is, if you answer one of these calls or send them straight to voicemail, you’ve alerted them to the fact that someone is actually in possession of that number and will continue to harass you.
This is a hard attack to beat, especially in the corporate world, but the major rule of thumb to abide by is to never give out any company information over the phone under any circumstances to anyone you don’t already know. If you start receiving calls asking for sensitive information, immediately bring this to the attention of a supervisor.
Oh, and one more piece of information: I don’t care if it’s Apple, HP, Microsoft, or supposedly “Jeff Bezos” himself, no company will ever in a million years call you off the cuff about some “issue” with any of your devices.
If you receive an uninitiated call or text about your computer in any form, you can safely assume it’s a scam. As a former Apple Genius Bar employee, I can say for certain that these companies have better things to do than remotely monitor the operating condition of your devices.
It’s crucial to understand your vulnerabilities
While spoofing, especially social engineering spoofing, is a common threat for all businesses, it’s not the only one out there. It’s important that you stay up-to-date with the latest information on IT security and what you can do to protect your business. That’s why we are regularly releasing new cybersecurity content here on The Ascent. If you want to stay on top of all of our new releases, please consider subscribing to our newsletter.