Spoofing Attacks: What is it, how to spot it and prevent it

When we think of cyber breaches there is a general misconception that attackers target huge Multinational Corporations to get bigger rewards. Actually, small businesses are attacked more often because many companies do not have the proper infrastructure to fend of malicious attacks. Some companies might have few defence layers existing to protect but that may not be enough to protect against expert hackers using their advanced techniques.

Spoofing is camouflaging or disguising fraudulent operations and making it seem genuine. Let’s take an example, an employee getting an email that appears to come from the CEO of the company, but the email address has been spoofed to look genuine. In this case, the attacker impersonates a user or device on a network to attack, steal data, spread malicious viruses and more. To successfully implement the attack, the attackers change the sender’s name, address, and source IP to make it appear as if the email is from a company’s CEO. Most of the time the subject line will be alluring or something eliciting a click and open. There are many types of spoofing attacks that malicious parties can use to accomplish this. Some of the most common methods include IP address spoofing attacks, ARP spoofing attacks, Email spoofing and DNS server spoofing attacks.

Another popular spoofing method is caller ID spoofing which involves the attacker disguising a correct real phone number under a fake one created to scam. Some other attacks include spoofing IP address to gain access to IP based authentication networks.

MAC ID Spoofing

MAC spoofing attacks occur when an attacker alters the MAC address of their host to match another known MAC address of a target host. The attacking host then communicates with the newly configured MAC address. The attacker can gain the privileges of the same MAC id if the privileges are assigned based on the id. In  case of wireless networks, the privileges are sometimes assigned based on MAC id. Attackers on the same network coverage area can identify the connected devices and perform MAC spoofing attacks to gain access to the network. Perform security assessments in frequent intervals to identify the spoofing attack possibilities.

How to spot Email spoof attacks

To prevent yourself from falling victim to such attacks it’s always best to understand how we can spot these attacks as they happen. For instance, during an email spoofing attack, the attacker disguises the “From” field of the email to display a fake email address and sender name. The receiver finds the email genuine, even when content maybe something unexpected, out of the ordinary. Email spoofing can help send phishing messages, having a high open rate and many people tend to get scammed. Most times the attacker pretends to be someone the receiver knows from the company, even the CEO, and elicits payment to be made. Some may comply and lose their money.

Now, how to spot them?

Spotting spoofed Emails in Gmail

For Gmail users its easier, all you have to do is to open up the email you have received from the suspicious sender, and then click on the dropdown arrow underneath the sender’s name and check the mailed-by and signed-by fields for authenticity of domain and if it is there then there is a high probability that the email is genuine. The presence of a mailed-by field indicates that the email was secured using Sender Policy Framework (SPF) and when you see a signed-by field, then the email was signed by (DomainKeys Identified Mail) DKIM. SPF is a form of email authentication to validate an email message from an authorized mail server, this helps in detecting forgery and to prevents spam. DKIM uses “public key cryptography” to verify email messages and check it’s from an authorized mail server.

Spotting spoofed Emails in Outlook OWA web interface

Outlook shows indicators when the sender of a message is unverified, and either can’t be identified through email authentication protocols or their identity is different from what you see in the From address.  When Outlook can’t verify the identity of the sender using email authentication techniques, it displays a ‘?’ in the sender photo.

Check the sender’s name and address

It is always best to check the sender’s name and address to at least weed out attackers that use similar email addresses to the person’s email id they attempt to impersonate.

Reply to the message for identical email-ids

Another thing a user can do is reply to the email, when it’s the exact email id of the person the attacker has impersonated. If the reply is something different from the context of the message, you would know its fake.

How to prevent Spoofing attacks

There are several ways organizations can reduce the threat of spoofing attacks.

1. Anti-Spam Gateway

An anti-spam gateway filter is a software-based virtual appliance that is installed on-site. Spam gateway filter typically prevents the majority of spam emails.  The gateway spam filter looks at Sender Policy Framework and Recipient Verification protocols. It also identifies spam by comparing the IP address of the sending mail server against an existing blacklist.

2. Email spoofing prevention

One of the best ways to prevent email spoofing is to implement DMARC. (Domain-based Message Authentication, Reporting, and Conformance). DMARC helps email senders and receivers verify incoming messages by authenticating the sender’s domain. DMARC uses SPF and DKIM to verify that messages are authentic. SPF checks if the email sender’s domain name is genuine coming from a designated set of servers and IP’s that can send emails from that domain. DKIM adds an encrypted signature to the header of all outgoing messages. Email servers that get signed messages use DKIM to decrypt the message header and verify the message was not changed after it was sent.

To pass the DMARC check whether:

• Incoming messages are authenticated by SPF, DKIM, or both.
• The authenticated domain aligns with the domain in the message “From:” header address.

3. Avoid Posting Your Email ID Publicly in the Internet

Spammers usually collect valid email ids from the public internet. Avoid posting real email address in the public lists and forms.

4. Use Contact Forms

Use contact forms in websites instead of real Email ids. Users won’t see the email ID and instead fill out the form in the web browser will send that information to your email address.

5. Blacklisting IP addresses

Blacklisting IP addresses that are known to be used by spammers can prevent spam emails from those IPs.

6. Spam Filtering by Content

One of the most used spam filtering technique is by filtering some common words used in spam emails. Some of the most common spam words include additional income, lottery winning etc.

7. Phone caller ID spoofing prevention

It will be difficult to tell right away if an incoming call is spoofed. Do not respond to any request for personal identifying information. Use caution if you are being pressured for information immediately. Never give out personal information such as account numbers, Social Security numbers, passwords or other identifying information in response to unexpected calls or if you are at all suspicious.

Conclusion

Spoofing is undoubtedly one of the most common attacks across the globe affecting thousands of people. The worst part is that people with such malicious intent are getting more innovative in their approach coming up with new and advanced ways to spoof an IP or email. The tricks are getting harder to detect and people are losing sensitive data and money. As we discussed above there are several ways to counter this scourge and keep your sensitive data protected. It’s best for companies and people to fortify their systems using the latest cybersecurity systems and practices.

Want to gain further insights on how to better safeguard your critical assets against security threat or how to develop a strong security strategy? Talk to our cybersecurity experts!