Spoofing and How it is Used for Cyber Attacks

Finjan TeamBlog, Cybersecurity

Finjan Spoofing and How it is Used for Cyber Attacks

At the movies, a spoof is a comedy, masquerading as something else: An otherwise serious subject like a spy drama, crime caper, or action adventure, which is laced with self-mockery and comedic elements. It’s an effective strategy that pulls in fans of both comedy and the underlying genre that’s being parodied – and one which generates profits and pleasure for millions.

In the cyber realm, imitation and misdirection serve a much darker purpose – and the payoff is usually designed to favor only a select few: The perpetrators.

What is Spoofing?

Spoofing in the digital sense occurs when a malicious outsider impersonates a legitimate resource like a website, email contact, network user, resource or device, with the intention of gaining access to systems and networks to stage attacks, steal valuable information, sabotage operations, or distribute malware.

It’s a popular tactic with cyber-criminals and takes several forms.

IP Address Spoofing

Digital networks communicate by exchanging data packets, each of which has multiple file headers for routing, and to ensure the continuity of their transmission. Among these is the Source IP Address header, which gives the IP (Internet Protocol) address that a data packet is sent from.

Also referred to as IP address forgery, IP spoofing or host file hijacking, IP address spoofing occurs when an attacker manages to obtain the IP address of a legitimate host then alters the Source IP Address headers on data packets sent from their own location, so that it appears that these packets originate from the legitimate source address that they’ve hijacked.

Having masked themselves as a trusted host, the attacker is free to impersonate a web site, gain access to networks to spy or launch attacks, or to hijack web browsers.

If a user types a web address (URL or Uniform Resource Locator) into a hijacked browser, they may be misdirected to a spoofed web site designed to look just like the legitimate URL that the user typed in. There, they may unknowingly interact with malicious content concealed on the bogus page that could log their key strokes (keylogging), act as a pipeline for attackers to steal or corrupt sensitive data, install malware, or take over infected systems.

And IP spoofing is the method of choice for launching Denial of Service or DoS attacks. Here, the target may be flooded with data packets from thousands of spoofed addresses, overloading their system. Alternatively, the IP address of the target may be spoofed and used to send data packets to multiple recipients – each of which will send packets back in return – in what’s known as a reflected DDoS (Distributed Denial of Service) attack.

ARP Spoofing

The Address Resolution Protocol (ARP) is used in resolving IP addresses with Media Access Control or MAC addresses for data transmission.

ARP spoofing is done when an attacker transmits spoofed ARP communications across a local area network (LAN) so as to link their MAC address to the IP address of a legitimate network user. Any information intended for that user’s IP address will be transmitted to the assailant, instead.

For this reason, ARP spoofing is usually employed to steal data, modify it in transit, or for interfering with traffic on a LAN. The technique may also enable DoS and “man-in-the-middle” attacks and session hijacking.

DNS Server Spoofing

The Domain Name System or DNS resolves the URLs, email addresses and other text-based domain names that users type into their browsers with their associated IP addresses.

In DNS server spoofing, attackers may compromise a DNS server and reroute a given domain name to a specific IP address – usually that of a server run by the attackers themselves. Users typing in that domain name will be redirected to a server that’s typically laced with malware, viruses and worms.

Pharming

Less about agriculture, and more about harvesting fresh and unsuspecting meat.

In pharming activities, fraudsters redirect legitimate URLs to spoofed web sites that are designed to look exactly like the real thing – which in most cases is some reputable official body like a bank, law enforcement agency, or utilities company. There, user credentials and financial information may be stolen by keyloggers and other malicious technology, or demands for money may be made.

Phishing

Email Spoofing or phishing may be employed for several purposes – including as a lure to get unsuspecting recipients to click on links through to pharming websites.

The sender’s name on the fake email and text messages is usually someone known to the recipient, or the name of an organization with which they’re familiar. Subject lines and body text may be intimidating or enticing – whichever approach serves as the best bait.

The aim is to trick the recipient into divulging confidential or sensitive information in a direct response, or at a baited destination if they click through to an embedded link. These links may also lead to sites where malware can be ported onto the user’s system.

Spoofing The Military

Even the armed forces have come into the spoofers’ cross-hairs. Intelligence gathering systems have reportedly become a target for malicious elements who substitute bogus information into situational awareness data, taking advantage of communications gaps in “beyond line of sight” (BLOS) conditions to introduce additional resources or personnel onto maps, or to delete assets that might be pivotal to a given operation.

Preventing Attacks

To guard against spoofing attacks, individuals and organizations may use the following recommendations:

  • Use anti-virus software on your systems, and keep it regularly updated.
  • Install firewalls on all networks, and set policies restricting the flow of traffic to and from each system.
  • Exercise diligence and caution with email contact lists, and set email (spam) filters to manage incoming messages based on the conditions you define.
  • Don’t open attachments in unsolicited emails, and get verification from the sender (in person, or on the phone) for questionable messages and requests.
  • Use packet filtering to inspect data as it’s transmitted across your network. These tools can block packets whose source address information gives conflicting messages.
  • Use specialist spoof detection software to inspect and validate information before it’s transmitted, and to block any data that appears to have been spoofed.
  • Use secure network protocols with encryption, such as HTTP Secure (HTTPS), Secure Shell (SSH), and Transport Level Security (TLS).
  • Avoid so-called “trust relationships”, where data transfer protocols with third parties only require IP addresses to authenticate them. Intensive IP spoofing techniques may be used to impersonate systems with access privileges and bypass these trust-based controls.

Share this Post

Summary
Finjan Spoofing and How it is Used for Cyber Attacks
Article Name
A Closer Look at Spoofing and How it is Used for Cyber Attacks
Description
Spoofing occurs when a malicious outsider impersonates a legitimate resource like a website, network user or device, with the intention of doing harm.
Author
Publisher Name
Finjan
Publisher Logo