November 03, 2022
Spoofing is an Internet fraud technique that cheats on unaware users with messages that mislead users by their mere appearance. Spoofing exploits such human vulnerability as inattentiveness. Criminals make users believe that they are reading letters from their social media support services, bank accountants, etc. After that, hackers can put their hands on users' data. It might be login/password pairs, financial credentials, etc. Essentially, spoofing is almost inseparable from phishing. Let us look at the difference between these two kinds of practices.
Spoofing vs. Phishing - What is The Difference?
Although the meanings of the two terms, "spoofing" and "phishing", are very close, they differ. Some specialists insist that while phishing is a criminal attempt to put hands on your credentials by direct negotiation and persuasion, spoofing is drawing personal data out of users by mimicking the appearance of trusted websites, email addresses, etc. These two, however, always come along, and any phishing scenario is hardly executable without spoofing.
If a fake police officer requests your data, his bogus uniform and forged badge are spoofing, while his request itself is phishing.
We can say that phishing is a goal, and spoofing is one of the means to reach that goal. Spoofing has nothing to do with the content of a fraudulent message, but it is a method of misleading its victims about the sender's identity. Imagine receiving an email from Facebook stating that all users need to reset their account passwords. You see an email address looking just like a Facebook address, a familiar dark blue Facebook letterhead, and after you follow the provided link, you end up on a site that looks just like Facebook. Each visual element, misleading you into thinking that the message is from Facebook, falls into the spoofing part of the described phishing campaign.
Types of Spoofing
Remember: everything that can be imitated, every visible element of the message, can be spoofed. Let’s give a short description of the most widespread types of spoofing.
Email letters have several elements that can serve as a disguise. The first one is the sender’s email address. It is difficult to fool a vigilant user in this field. However, a careless person might buy into simple spoofing techniques or overlook the sender’s address. The threat actors usually use an email address that resembles the proper mailbox visually (for example, [email protected] instead of [email protected]) or semantically (for instance, [email protected] instead of [email protected]).
The second thing that can help hackers gain your trust is the letter appearance. We’re talking about a letterhead or the whole body of the letter, often containing various HTML elements that make it look official. It is easy for criminals to make their letters look just like the emails sent by the company they are trying to impersonate. Moreover, they can fully copy the look of an authentic corporate framing. As a matter of psychology, this technique is very efficient. One of the most popular cover-ups for phishing/spoofing campaigns is email notifications from delivery services.
Whether a phishing campaign uses email or a message on social media, it will most likely contain a link. The website to which it directs you will probably be a forgery. Everything here follows the general principles of spoofing described above. The address of the webpage will imitate the name of a known site. However, it is hard to mimic a familiar domain name of a known website. A counterfeit webpage will try to look just like an authentic site. But if you end up on such a page, you might notice strange things, such as inactive links. Although bogus pages look like recognizable website components, they are stand-alone pages. Hackers have automatized the process of website spoofing by creating tools for ad hoc tailoring of spoofed webpages.
Criminals seldom care about linking their spoofs to real websites. That’s because spoofing doesn’t try to make you believe something; it aims to prevent any suspicion in the first place. If you find anything questionable, the spoofing has already failed. If you use a password manager or allow your browser to auto-fill credentials, note: that there will be no auto-fill for an unrecognized website. Where they can fool a human, they can’t fool a machine. Therefore, if all of a sudden, a familiar website requests a manual input of your credentials, which usually doesn’t happen, double-check this site.
Social media account spoofing
Employing fake user accounts is one of the most rampant spoofings. It does not require any special skills to perform, except for thorough social engineering. Are you attentive enough to tell your real Facebook friend from an account with the same name, avatar, photos, and friends? If you receive a message from your acquaintance with a request to follow a link, send money, install something, always check whence the request comes. Examine the page of that user. If that account is stolen, you won’t find significant differences. But if the page is fake, it least likely will have a long history. Moreover, you’ll see that person’s actual page existing alongside the fake one. Call your acquaintance, or write an email to confirm that request.
This kind of spoofing is widespread. More primitive variants imply random phone calls compensating for their ineffectiveness with their quantity. The crooks mostly call older adults and offer to get their beloved grandchildren out of jail by paying money to the police. However, today, when a phone line comes along with the Internet, you can receive a call from an unknown number, but your smartphone will show you who’s behind it. For example, “Burger King”. And this is the point where criminals take over. Be careful!
In Some cases of phone spoofing, suppose you will call them. In particular, frauds like fake Microsoft Support use the "facade" number that looks like the American one (+1...). However, the VoIP provider they use will redirect you to the number from India that will instruct you to install PUA or give them remote access. In the year 2023, this fraud became pretty popular, as many people trusted those banners.
This technique is used in different types of cyberattacks. Initially, IP spoofing is one of the approaches of DDoS attacks. The threat actor was sending the ping to the large network, substituting the sender’s IP with the IP address of the network it intends to attack. Each of the hosts in the network will likely ping back, creating the wave of messages directed to the target. If the attacker manages to send the spoofed requests to many networks, that will likely create troubles even on the powerful hosts.
Another type of IP spoofing is applied in the man in the middle attacks. That attack supposes spoofing the first IP package sent from the client to the server. That package usually contains the public key used to determine the decryption key for the data protected with HTTPS. The threat actor takes the IP address of the real sender and adds it to the package instead of his one. The same is done to all other packages passing the eavesdropped connection. In such a way, the attacker can circumvent the end-to-end encryption and read the packages sent by a victim to the server.
Ping spoofing is the method some gamers apply to obtain an advantage over other players. It is feasible in games with a specific network code. When the server does not predict the player’s position on the map and shows you only the last one known to the server, it is possible to get certain benefits that will not be possible for the players with a good network connection. Such actions are positioned as cheating and may lead to getting banned.
The cheating with ping spoofing supposes using software that manages your network connection. It creates a chain of connections that steadily increase your ping (i.e., time of the client-to-server connection) until you will not get it high enough to get the advantage. Your character will appear with a great lag to the enemy, so you can safely kill everyone you meet and return to the safe position. Most multiplayer games, however, have ping limits - you will just be kicked out of the match if it is too high.
All sites have the URL address we know and love, along with the other, less popular - represented as numbers. 184.108.40.206 - you have possibly seen them, but never paid attention. In fact, your browser does not connect to the URL you typed - it converts this URL into the corresponding address in domain name system (DNS) and then opens the page you needed. DNS acts like the address book for the Internet. And when you fake the address in the address book - someone may easily take it at face value.
Like the IP spoofing we mentioned above, DNS spoofing is often used in man-in-the-middle attacks. When the attacker controls the router that the victim uses to connect to the Internet, it can spoof the DNS address of the host the victim is attempting to connect. The sufferer will see what the crook wants - a fake login page of the targeted site is the most often case. When the victim is not attentive enough and will ignore that the established connection is not secure - it can say goodbye to the credentials typed on such a fake.
A very complicated technique may be needed to steal the identity or break through the protection based on biometric data. Three types of biometric authentication are currently in use - fingerprint, retina scanning, and facial recognition. The first and the latter are realized as authentication methods on modern smartphones. Retina scans are not very convenient, and what is more important - they require expensive and large-sized equipment. That’s why it is much more often represented in films about special agents than in real life.
Biometric spoofing will never give you 100% efficiency since it heavily relies on the imperfection of the equipment. For example, the basic method for spoofing the fingerprint - with tracing paper and duct tape - may fool only low-quality fingerprint scanners. Exactly, those are ones used in low-cost China-made smartphones. The same story is about fooling the facial recognition system. The latter on cheap devices recognizes the photo of your face, comparing it with the one recorded in the phone memory. Thus, showing a natural-size photo may be enough to unlock the phone. Meanwhile, the Galaxy S series, Google Pixel, and iPhones are equipped with facial recognition systems backed with a 3D scan of your face. It is almost impossible to fool this system without some extreme practices.
This is likely the least dangerous among all other spoofing techniques. Parents often use GPS tracking to know where their child is. One time the child wishes to have less control from their parents and looks for ways to show them the location that will not cause questions. GPS spoofing with particular apps creates fake GPS module-info, making it possible to fool the parents. Until they spot you walking with Bettie from the car window.
This example of GPS spoofing does not represent the full potential of such an action. Having the ability to set the location you wish instead of the real one may have a lot of different usages. Even outlaw - when you must stay at home (because of being under home arrest) but need to go out for some reason. We will not even mention the worst cases - when the spoofed location may be used to create an alibi.
How to Detect Spoofing Attack?
Mind that the most efficient phishing/spoofing attacks are spear attacks. That means the criminals don’t message you at random. On the contrary, they know something about you, and they want to lull your vigilance by demonstrating these breadcrumbs of knowledge to you. However, they rarely know the nuances of your life. As a result, the “uncanny valley” effect builds up. Imagine you chat with your friend, and he suddenly calls you your full name, which he never does. It is a reason to alert yourself, especially if your conversation leads to him asking you to lend him some money.
Phishing campaigns often lack proofreading. Imagine you receive an email. The spoofed letterhead might look perfect, but if you notice negligence in word spelling, grammar mistakes, typos, or absence of unified spelling of proper names, especially names of the companies, sound the alarm! For some reason, phishermen rarely have time or knowledge to check their text for errors.
Fake website addresses
If a page where you ended up looks like a part of some website, let’s say Facebook, but its second and first-level domain names look anything but “facebook.com,” the page is most likely a fraud. Something like “support.facebook.com” is ok, for “support” in this case is a third-level domain name, separated from the second-level domain name by a period. However, anything like “Facebook-support.com” is just a different website that has nothing to do with Facebook!
And a few more tips on spoofed websites. Please pay attention to the website address line and click it to see the full address. The fake website address will most likely start with HTTP (hypertext transfer protocol) instead of HTTPS(hypertext transfer protocol secure). The spoofed site will also miss a padlock icon to the left of the address line. If you have Gridinsoft Anti-Malware installed with Internet Protection, you will be warned about the dubiousness of such websites as soon as you attempt to access them.
How to Protect Yourself?
Ignore unexpected messages with dubious requests. Don’t open attachments and don’t follow links that come along with messages you haven’t been expecting. You must first ask yourself: have I been waiting for this letter? To make this question pop up in your head automatically, you need to be aware of one thing: the Internet is a jungle full of predators.
Double-check everything. If you still think the message you received is not fraud, double-check everything that can be checked. Call the phone you’ve been called from, visit the website's homepage to which you are given a link, examine the spelling of all links and addresses, etc. Try to contact the alleged sender of the message via a proven channel and ask them for confirmation of any disputed request.
Get a good antivirus program. Security software will warn you before letting you access a dangerous website. The safety program will detect and remove any malware-related consequences of a successful spoofing/phishing attack if it still happens. We advise you to use GridinSoft Anti-Malware, a versatile and quick security program whose Internet Protection will warn you about suspicious websites and block access to overtly dangerous pages. Should any malicious file end up on your computer after a phishing attack, the On-Run protection will instantly deal with it.
Stay vigilant. Regardless of how intricate fake work you deal with, make no mistake: spoofing generally aims at inexperienced users. There are information security rules that all companies follow for the sake of their customers. Phishing only works because not all people know these rules. Just as no bank, under any pretext, would call you on the phone and ask for your debit card PIN code, no company will send a link in an email to change your password. Even if there is a planned change of users’ passwords, you will be informed about it on the official website.
Hopefully, we have managed to give an easy-to-understand explanation of the spoofing techniques. Illiterate people perceive any written text as infallible. The same goes for any other media. There is no better security measure than being aware of the threats and having a notion of how everything on the Internet can be a part of a fraudulent scheme, even the spoofing phenomenon. A trusted website can be hacked, and your reliable contact’s account can be stolen. Your vigilance is the best way to secure your data, money, and privacy.
Frequently Asked Questions
When we are talking about spoofing on SMS and phone calls, you may just install the apps that filter the incoming messages and calls according to their database. The latter is full of information about the numbers used by crooks, as well as the brandings. Such a step may be very effective, especially when you receive tons of calls each day and it is hard for you to say if the number that called you is legit.
Spoofing related to IP and DNS hijacks is usually mirrored with the network monitoring software. In particular, anti-malware programs with Internet protection features may effectively stop the redirecting to a malicious site in case of DNS spoofing. IP spoofing is effectively prevented by the latest browser versions - all of the popular ones have several additional checks for connection security.