Some people choose to use the internet to gain popularity. Others prefer to keep a low profile. But there are also internet users who take this anonymity even further: they trick other users about their real identity and their real intentions. Speaking of tricking, it can be just for fun. Or… it can be for doing harm without getting caught, which, in the IT world, is called spoofing.
Spoofing can be used in many different circumstances. From creating profiles on forums you normally don’t have access to, to impersonating another person, or even a device.
If you’re twelve and not supposed to be on a certain forum or website but you fake your identity to get in… It’s still spoofing. However, as blameworthy as the gesture may be, it’s probably not the kind of spoofing that internet users are afraid of.
If you think of spoofing as an umbrella term, you’ll find plenty of room, underneath this dark umbrella, for:
- E-mail spoofing
- Website spoofing
- IP spoofing
- DNS server spoofing
Coming up next, we will ignore those who fake their identity by lying about their gender, age, or location. As mentioned, there are far worse things that can happen when being misled over the web.
E-mail spoofing
Once you know the general meaning of spoofing, you can easily anticipate the forms that e-mail spoofing can take.
Some would use a bogus e-mail address. Then, they would forge the e-mail header to make it look like the message came from somewhere other than the actual source. Like from your bank, PayPal, or another online payment processor.
Some would use an e-mail address with a typo in it. Obviously, something very similar to the address of one of your contacts. Again, the purpose is to make you follow the course of action suggested in the e-mail.
All in all, it takes advantage of you not noticing that the message is not from the e-mail address or person you thought it was from.
Pretty sure this cannot happen to you? Don’t be. Just remind yourself that we all normally just skim through texts. And when we don’t read it word by word, letter by letter, it’s very easy to make wrong associations or skip fine details.
Can you or can you not tell when getting a spoof e-mail?
As easy as it is to overlook those tiny details that make all the difference, there’s still good news and bad news.
- On the plus side, most e-mail servers have implemented security features that prevent unauthorized users from sending messages.
- As a downside, spammers have begun using their own SMTP servers when blasting out spam messages, which brings the option of faking e-mail addresses back to the table.
Long story short, it is not impossible to find e-mails from false or misleading e-mail addresses in your inbox. 411 scams, spear-phishing, and whaling, as well as other e-mail frauds, are the usual reasons why hackers resort to e-mail spoofing.
Unfortunately, hackers are getting better and better at impersonating people or institutions. So much so that they can accurately reproduce even the tone of voice that a well-known sender would use when sending you legitimate messages.
For this reason, the best way to protect yourself from such frauds is to always stay on guard: before you doubt the source, doubt the question!
- Why is this person asking me these details?
- Is it safe to send these details over an e-mail?
- Why don’t I check directly with the sender, over the phone, whether they really initiated this request?
Bottom line: sensitive information should never be sent via e-mail. If you’re getting such requests, you have every reason to be suspicious. So you either ignore the message or confirm it through a second channel, whatever that means to you.
Website spoofing
Website spoofing is luring internet users to a different website than the one they intended to reach. Usually, that website is the creation of the attacker and it will strikingly resemble the original. The official website of your bank, for instance, is a great target to replicate when an attacker is trying to get confidential information from you.
One way to put this scam into practice is through… e-mail spoofing. That’s right, you first get an e-mail from a source you have allegedly interacted with in the past. Perhaps something with an irresistible offer in it. Except that the website you end up on is a fake one, nearly identical to the original.
What can you do about website spoofing?
They say website spoofing is one of the most difficult scams to spot, especially for those who lack technical knowledge. Unfortunately, it is very common in all kinds of typosquatting (URL hijacking) attacks, but also in pharming techniques or just plain setups of fake websites.
Naturally, you need to keep your eyes wide open whenever accessing a website. Particularly if it’s one where you know you’re supposed to type sensitive data! As precautionary measures, you could:
- Search the URL you got via e-mail on Google before you actually click it. Or check its details with a WHOIS search for that specific domain. If there’s something fishy, you should be able to spot it from such general searches, before you fall into the trap.
- If you did land on that page, before you begin typing the sensitive information you’re asked for, verify whether the website has an OV or, better yet, an EV SSL certificate. Simply noticing HTTPS as proof of encryption is not enough. These days, smart scammers have already embedded basic encryption on their websites… So, make sure that the website where you’ve landed features the type of certificate required to protect highly sensitive data.
- But perhaps the most effective protection measure of them all is to always type the URL yourself. Instead of clicking on links or typing only a few letters and then following the auto-fill URL suggestions from the web browser, type the full URL yourself. Every. Single. Time. At least for the websites where you’re going to provide personal, sensitive information.
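The two tricks described in the e-mail section (a forged or mismatched sender, a lookalike address with a typo) and the typosquatted hosts described here can both be caught with the same small check. The example below is added here and is not code from the original article: it parses a constructed sample message, flags Reply-To and Return-Path domains that disagree with the From domain, and compares sender and URL domains against a hypothetical list of trusted domains using edit distance. The trusted domains and the sample message are assumptions for the demo.

```python
import email
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed list of domains this recipient actually trusts (hypothetical).
TRUSTED_DOMAINS = {"paypal.com", "examplebank.com"}

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (1-2 edits away), or None."""
    domain = domain.lower()
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:   # 0 means the genuine domain
            return trusted
    return None

def analyze_email(raw):
    """Header-consistency and lookalike checks on one raw message; returns findings."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    findings = []
    for header in ("Reply-To", "Return-Path"):
        other = parseaddr(msg.get(header, ""))[1].rpartition("@")[2]
        if other and other.lower() != from_domain.lower():
            findings.append(f"{header} domain {other} differs from From domain {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain} imitates {imitated}")
    return findings

def check_url(url):
    """Lookalike check on the last two labels of the host, so sub.paypa1.com is caught too."""
    host = urlsplit(url).hostname or ""
    return lookalike_of(".".join(host.split(".")[-2:]))

# Constructed sample message, not a real e-mail.
SAMPLE = """From: "PayPal Support" <service@paypa1.com>
Reply-To: collect@mailbox-example.net
Return-Path: <bounce@mailbox-example.net>

Click https://secure.paypa1.com/login to confirm your account.
"""
```

Running `analyze_email(SAMPLE)` yields three findings and `check_url("https://secure.paypa1.com/login")` names the imitated domain; an edit-distance threshold this small is deliberately conservative, and a real deployment would add a homoglyph map (0/o, 1/l, rn/m).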
IP spoofing
IP spoofing is a very common spoofing method, where attackers mask the IP address of the computer system from which they are sending data packets. By either faking it or hiding it, the attacker can overload a particular target (another computer system) with traffic while keeping its real IP hidden, to make itself untraceable. As suggested, it’s a favorite weapon for denial-of-service attacks meant to overload servers.
The attack can actually be conducted in two different ways…
- One would be to spoof the IP address of the attacker and flood a chosen target from the network with packets.
- The other one would be to spoof the IP address of the target and send packets to other systems in the network.
- Those systems will respond to the incoming packets. And since they all have the impression that the packets came from the IP of the attack’s target, they will all send their replies to it, again flooding it.
In the first instance, the attack is sent from one source with a hidden IP. In the second instance, the attack is orchestrated with the help of the other systems in the network, systems misled into thinking that the victim of the attack sent packets to all of them in the first place.
Aside from just trying to overload their target, IP spoofing attacks can also aim to bypass an IP address-based method of authentication inside a network. For networks that prefer IP addresses over user logins when it comes to verifying the identities of the connected machines, malicious parties can always try to pull off this trick.
All an attacker has to do is impersonate one of the machines that have access permission, and it will bypass the security measures of that trust-based network. Easier said than done, though far from impossible.
What can you do about IP spoofing?
Well, if you’re familiar with special traceback router features and traceback equipment, or with administrative controls, host-based methods, and advanced router settings… Maybe there is something you can do about IP spoofing.
To kill the suspense: stopping an attack takes detecting the spoofed IP packets as well as tracing them back to their source. The detection process involves the above-mentioned administrative controls, routers, and host-based detection methods, whereas tracing back the spoofed packets requires tweaking the routers’ traceback features and other hardware traceback equipment.
Needless to say, given the interest that hackers have in impersonating machines that rely on IP addresses for authentication… One significant measure that companies and organizations should take is to refrain from implementing trust relationships as much as possible. Trust relationship-based authentication relies only on IP addresses to authenticate, and those, as already seen, are not that hard to spoof.
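The router-side detection the text alludes to is, in practice, anti-spoofing filtering at the network edge: packets arriving from the Internet must not claim a source inside your own prefix, and packets leaving your LAN must not claim a foreign source. The example below is added here and is not from the original article; the topology (a single internal prefix behind a border router with a `wan` and a `lan` interface) and the sample packets are constructed assumptions. It covers both attack shapes from the text: an inside host hiding behind a fake source, and an outsider posing as one of your hosts to trigger reflected replies. Note that it only catches spoofing crossing your own edge; a spoofed flood arriving from elsewhere depends on the same filtering being applied at the attacker’s network edge.

```python
import ipaddress

# Constructed topology (hypothetical): our LAN uses the 192.0.2.0/24 documentation range.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Private, loopback and "this network" sources that never legitimately arrive from the Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

def _in_any(addr, nets):
    return any(addr in net for net in nets)

def filter_packet(iface, src, dst):
    """Anti-spoofing decision for one packet: returns ('drop' | 'forward', reason)."""
    src_ip = ipaddress.ip_address(src)
    ipaddress.ip_address(dst)  # validate the destination too; not used for the decision
    if iface == "wan":
        # Ingress filtering: no Internet host legitimately sends from our own prefix.
        if _in_any(src_ip, INTERNAL_NETS):
            return "drop", "external packet claims an internal source (spoofed)"
        if _in_any(src_ip, BOGON_NETS):
            return "drop", "bogon source address"
        return "forward", "ok"
    if iface == "lan":
        # Egress filtering: our hosts may only send with a source from our prefix.
        if not _in_any(src_ip, INTERNAL_NETS):
            return "drop", "internal host sending with a foreign source (spoofed)"
        return "forward", "ok"
    return "drop", f"unknown interface {iface}"

# Constructed sample packets (iface, src, dst): normal traffic plus the two attack shapes.
SAMPLE_PACKETS = [
    ("lan", "192.0.2.10", "198.51.100.5"),   # normal outbound traffic
    ("lan", "203.0.113.9", "198.51.100.5"),  # inside host hiding behind a foreign source
    ("wan", "192.0.2.10", "203.0.113.9"),    # outsider posing as our host to trigger replies
    ("wan", "198.51.100.5", "192.0.2.10"),   # normal inbound traffic
]

def audit(packets=SAMPLE_PACKETS):
    """Apply the filter to every packet; returns (packet, action, reason) triples."""
    return [(p, *filter_packet(*p)) for p in packets]
```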
DNS server spoofing
DNS stands for Domain Name System and defines a system responsible for associating domain names with IP addresses. The domain name is what you see and use to identify a website (it consists of letters and numbers), whereas an IP address is what systems use to identify the same website (it consists of a string of numbers only). Since the two speak different languages (human language and machine language), something has to make the conversion.
That something is the DNS, which resolves not only URLs but also e-mail addresses and many other names formulated to be readable by humans, identifying their associated IP addresses. The DNS is basically making and keeping the association between a website’s name and the string of numbers that computers use to identify the same website.
Any device that connects to a network, be it a private network or the World Wide Web, has to rely on DNS for this conversion between human-readable names and IP addresses. If an attacker can spoof the DNS server, they can easily reroute a domain name (something written in human language, something you type when looking for a website) to a different IP address.
That IP address would belong to a server specifically chosen by the attacker, where malware-infected files have already been stored. And by accessing it (without even knowing, because the DNS was spoofed), your computer gets infected with worms or viruses.
What can you do about DNS spoofing?
If you’re not a network admin, there’s little to nothing you can do about preventing this issue. Security setup and maintenance advice for DNS is quite a mouthful. And those who know what to do about it will tell you it’s a topic you can talk about for days.
However, most of them seem to agree that it helps to set up and then maintain the DNS servers on your own instead of paying a hosting service for this purpose. Then, after years and years of patching the HOSTS file in response to DNS attacks, there is a tendency to strengthen a network by re-thinking the way it is architected. So, once again, having a professional on your side to help you with the setup and the maintenance is a major plus.
Moreover, there is general agreement that DNS requests must not be answered over the WAN on any port, but especially not on port 53. Even if you can’t afford to handle the DNS server in-house, not allowing the DNS server to answer Internet DNS queries is of the essence. It will spare you a significant amount of risk. For situations when you really must use port 53 and answer queries, it is best to rely on RNDC keys. Equally important, you should rotate those keys as often as you can.
Adjusting the TTL value is yet another useful measure, with the caveat that the newly set value should strike a balance and still ensure good network performance. Something around 15 minutes could be a good call, or not. It really depends on your network’s needs.
Long story short, there are plenty of other things to be done, as we are only scratching the surface with everything above. Nevertheless, the first step has been made and you are now at least aware of the basics. You know that this is a real and major threat. And knowing that it can often be so hard to detect, but with potentially very dangerous consequences, you now have even more reasons to stay on guard.
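To make the server-side advice above concrete, here is an added BIND 9 `named.conf` illustration (not from the original article) showing the weak configuration the text warns against next to a hardened one: the server stops answering recursive queries from the Internet, serves only its own zones on port 53, and restricts the rndc control channel (which the RNDC key protects) to localhost with a shared HMAC key. The LAN prefix, public address, zone name, file path and key secret are placeholders.

```conf
// WEAK: recursive answers for anyone on the Internet, and an rndc control
// channel open to all addresses without any key.
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
};
controls { inet * port 953 allow { any; }; };

// HARDENED (placeholders: 192.0.2.0/24 is the LAN, 198.51.100.10 the public address).
acl "lan" { 192.0.2.0/24; 127.0.0.1; };

options {
    listen-on { 198.51.100.10; 127.0.0.1; };
    recursion no;                 // authoritative only; no lookups on behalf of outsiders
    allow-query { lan; };         // WAN clients get nothing unless a zone says otherwise
    allow-recursion { none; };
    version "not disclosed";
};

// Only our own zone data is answered on the Internet-facing port 53.
zone "example.com" IN {
    type master;
    file "/etc/bind/db.example.com";
    allow-query { any; };
    allow-transfer { lan; };
};

// rndc: local-only control channel, authenticated with a shared HMAC key that is
// rotated regularly (generate it with rndc-confgen; the value below is a placeholder).
key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
```

The 15-minute TTL the text suggests goes in the zone file rather than `named.conf`: a `$TTL 900` line at the top of `/etc/bind/db.example.com` sets that default for every record.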