The word “spoofing” means deception or falsification. In other words, it involves presenting false facts as true. The verb “to spoof (something)” is also used and refers to the falsification of an identifier – i.e. deceiving a victim while concealing one’s actual identity.

Generally, spoofing attacks aim to convince the victim to perform an action, accept certain in­for­ma­tion as true, or recognize the authority of a source. If this sounds a little abstract, here are two examples that are well-known in the “offline” world:

  1. The “marriage swindler”: To access the victim’s finances through marriage, the fraudster acts like a loving partner.
  2. The “grandchild trick”: A caller claims to be an older person’s grandchild. By pretending to be in an emergency, they convince the victim to make a bank transfer.

In both cases, the “trick” takes place at the level of information. Digital systems offer even more opportunities for this kind of fraud.

The internet allows a large number of messages to be sent with little effort. At the same time, it’s relatively easy to falsify identifiers in messages. Many spoofing attacks are possible because the internet was designed as an open system. For this reason, efforts to increase online security continue to this day.

How to protect yourself from spoofing attacks

Spoofing attacks encompass a wide range of potential attack scenarios. It’s therefore not possible to take a single action that provides absolute protection. Fortunately, there are several general practices that – when combined – minimize the risk of falling victim to a spoofing attack.

Recognizing and preventing attacks

You can only prevent an attack by recognizing it as such. If a spoofing attack occurs at the level of the individual data packets exchanged over the network, you’ll typically be none the wiser. As a result, you are not usually able to prevent attacks at the network level yourself. But security vulnerabilities at this level can be resolved with security updates from the software manufacturers.

Spoofing attacks aimed directly at people are far more common – and indeed more lucrative. Here, the attacker contacts the victim directly, e.g. by email or over the phone. The intention is normally to convince the victim to do something. If the spoofing attack is intended to extract information (such as passwords or bank data), this is called a phishing attack.

Spear phishing is a particularly dangerous type of attack, since it is aimed at a specific person or institution. A spear phishing attack uses specific information that makes the message appear credible. Once the victim is convinced by the credibility of the message, they are hit hard and unexpectedly by the fraudulent attack “like a spear.”

Minimizing your vulnerability to attacks

To make their work as easy as possible, attackers often go for the weakest link in a chain. It is therefore a good idea to minimize your vulnerability to attack by applying some simple, general practices. You will then be less attractive as a target. What’s more, many attacks only succeed when the attacker combines information from different sources. If little information about you is available, this will be much harder.

You should therefore internalize the following practices:

Limit the amount of publicly accessible information about you

A phishing attack seems more credible the more detailed the information available to the attacker is. You should therefore limit the amount of publicly accessible information about you, where possible. Never publish your date of birth, for example! This private information is often used by support staff, for instance, in order to verify the identity of a caller. Although it’s by no means secure, this practice is common.

Restraint is likewise important when it comes to disclosing professional details, like your position in a company. Consider updating your profiles on LinkedIn, Xing, Facebook and other platforms only after a six-month delay.

Don’t carelessly accept friend requests

When only limited public information about your identity is available, attackers often try another trick: They create an account on a social media platform, e.g. Facebook, and send you a friend request. If you accept the invitation, you open yourself up to the attacker, who can then access more, non-public information. This information is frequently used for subsequent fraud attempts.

With this type of attack, it’s especially common for the attacker to create an account in the name of someone you know. If this isn’t possible, a revealing photo of an attractive person is often used as the account’s profile picture. Many victims are unable to resist temptation and fall for the deceit.

Use good security routines

To protect yourself from attack, you should follow the standard recommendations for IT security: Keep your system and software continuously updated. Use a firewall and a spam filter, and create regular backups of your data.

Also be aware that these measures do not provide absolute protection. Instead, this collection of measures is intended to prevent you from easily falling victim to attacks.

Adjust default settings

Default settings refer to the pre-existing settings of a device, software program, or online service. If a setting is the same for every device or user, this can be exploited by attackers. It’s therefore advisable to adjust the default settings. This will allow you to slip below the radar of attackers more easily.

For example, in the past routers with open admin access were occasionally delivered to customers. For a while, every Windows computer was even supplied with open ports as standard, completely exposing them to the internet. In both cases, the risk could be reduced by changing the pre-existing settings, although most users weren’t aware of this.

However, default settings are not only a potential vulnerability at the technical level. Privacy settings in social networks can also be far too relaxed as standard. Unfortunately, many companies benefit from making their users “transparent” by default. Therefore, it’s up to you to adjust your settings. Follow the principle of data minimization: Start off by making all the settings for each account as restrictive as possible and only gradually ease these restrictions afterwards, and only for good reason.

Use a secure device

For particularly security-critical applications, such as online banking and encrypted communication, it is a good idea to use a secure device. This could be a small laptop running an operating system specially tailored to security. Examples include the freely available Linux distributions Subgraph and Tails.

Using a secure device when necessary may render attacks ineffective: The attacker will be expecting you to use your normal computer. If their attack is based on this assumption, using another device may thwart the attack.

Fending off spoofing attacks

What should you do if you think you’re the target of a spoofing attack? Let’s imagine the following situation: You receive an email claiming to be about something important. For instance, a bank transfer has failed, your account has been hacked, or your domain registration is expiring. You are prompted to act fast to prevent something bad from happening.

Although the message appears plausible at first glance, there seems to be something odd about it. Perhaps the information presented to you doesn’t quite fit together. Or you feel overly pressured to perform a certain action.

You’re unsure whether it’s an attack. How should you proceed?

First of all: Stay calm and don’t act too hastily. If it’s an email message, you must not click on any links it contains.

Use a second communication channel to confirm the authenticity of the message. Here, it’s imperative to limit the risk of potential attacks. If possible, use a separate device and a secure app that isn’t among your most frequently used standard applications.

Two specific examples:

Let’s assume you have received a presumably spoofed email on your work computer. Use an end-to-end encrypted messenger application on your smartphone as a second communication channel.

You have received a suspicious call or text message on your phone. Consider your phone compromised and instead use your coworker’s telephone to contact a trusted party.

Spoofing attacks targeted at users

These spoofing attacks aim to fool users. This special form of phishing often involves a deceptively real imitation of a website to extract confidential data.

URL spoofing

URL spoofing attacks aim to deceive users with a manipulated URL. The trick is to lead the user to believe that the URL is familiar or credible. However, if an unsuspecting user opens the URL, they are redirected to a malicious website. For these URL spoofing attacks to work, the attacker needs control over the corresponding domain.

Misleading title of a clickable link

You may have encountered this practice before: You are shown a link in an email, but clicking on it takes you to a completely different domain. The trick works because the HTML link title and the link destination do not have to have anything to do with each other. If an attacker chooses a link title that looks like a credible URL, the illusion is perfect: The link title conceals the actual destination URL.

Consider the following model. A link comprises a title and a destination URL:

  1. The schema of an HTML link in simple markdown notation.
  2. Example of a genuine link: The link title reflects the actual website linked.
  3. Example of a fraudulent link: The link title suggests a harmless site and conceals the actual link destination.
  4. View of the fraudulent link example in HTML.

To protect yourself, you can check the destination URL of the link. Hold the mouse cursor over the link and you’ll see the actual destination URL. Even better advice is never to click on links in emails at all. Instead, copy the link’s target address by right-clicking. Next, review the link in an incognito browser window. This helpful trick also works on mobile devices: You can copy the link address and paste it into a text field before inspecting it.
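A small checker for the link-title trick, added here as an example and not part of the original article: it pulls every link out of an HTML snippet with Python's standard library and flags those whose visible title looks like a web address but names a different host than the real destination. The HTML sample is constructed.

```python
# Added example (not from the original article): flag HTML links whose
# visible text looks like a URL or domain but whose real destination
# points to a different host. The sample HTML below is constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# The visible title "looks like" an address if it contains a domain or URL.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/|$)", re.I)

def host_of(text: str) -> str:
    """Return the lower-cased host part of a URL or of a bare domain."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text.strip()).hostname or ""

class LinkCollector(HTMLParser):
    """Collect (visible title, href) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def misleading_links(html: str) -> list:
    """Return (title, href) pairs where the title names a different host."""
    parser = LinkCollector()
    parser.feed(html)
    return [(title, href) for title, href in parser.links
            if LOOKS_LIKE_URL.search(title) and host_of(title) != host_of(href)]

# Constructed sample: one genuine link and one whose title hides its target.
SAMPLE = (
    '<p>Genuine: <a href="https://www.example.com/login">www.example.com</a></p>'
    '<p>Fraudulent: <a href="https://login.example.net/x">https://www.example.com/login</a></p>'
)

if __name__ == "__main__":
    for title, href in misleading_links(SAMPLE):
        print(f"title {title!r} actually points to {href}")
```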

Misleading URL in the address bar or email header

URLs that are not part of a clickable link are also used for spoofing attacks. Here, attackers often exploit the similarity of various letters to fool their victims. Known as homograph attacks, they can be difficult to detect in certain circumstances.

In simple cases, the attacker may use a URL or domain with letters which – when combined – look like another letter. Here are a couple of examples:

  • Email from “support@lacebook.com”: Instead of a lower-case “f”, a lower-case “l” is used.
  • Link with destination “https://secure.arnazon.com”: The combination of the letters “rn” looks like the letter “m.” The “secure” subdomain and “https” divert the user’s attention and distract them from the spoofed domain.

The success of the deception depends strongly on the font used. If the email content sufficiently gets the recipient worked up, however, such a minor detail can often be overlooked.

Another form of homograph attack can be harder to uncover: the internationalized domain name (IDN). With this variant, the attacker sends a URL that contains letters from a different alphabet. If the letter is visually similar to a Latin letter, the illusion can be highly deceptive. Attackers thereby exploit the fact that such domains are transmitted as Punycode but may be displayed in their Unicode form. For example, the URL may contain not a Latin “a” but its Cyrillic counterpart. The two letters are confusingly similar. Some browsers do not display non-Latin URLs as Punycode. The user is therefore unaware that they have opened a fraudulent website.

To prevent homograph attacks, you should ensure that your browser always displays domains with non-Latin letters as Punycode. Moreover, you should never click on security-relevant URLs – like your online banking homepage – but save them as bookmarks and open them from there.
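The look-alike checks from the two sections above, as an added example that is not part of the original article: it squashes ASCII confusables such as “rn”, flags domains that differ from a trusted domain by a single character, and shows the Punycode form and the mixed scripts of an IDN domain. The trusted list and the Cyrillic example domain are constructed.

```python
# Added example (not from the original article): flag look-alike domains
# of the two kinds described above. All domains below are constructed
# illustrations; the trusted list stands in for sites the user really uses.
import unicodedata

# ASCII sequences that resemble a single other letter in many fonts.
ASCII_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

def squash_confusables(label: str) -> str:
    """Rewrite a label so visually similar ASCII sequences compare equal."""
    for seq, rep in ASCII_CONFUSABLES.items():
        label = label.replace(seq, rep)
    return label

def one_char_off(a: str, b: str) -> bool:
    """True if a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1

def scripts_in(label: str) -> set:
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def inspect_domain(domain: str, trusted: list) -> dict:
    """Return the Punycode form of a domain plus the reasons it looks suspicious."""
    domain = domain.lower().rstrip(".")
    labels = domain.split(".")
    # A domain with non-ASCII letters is transmitted as xn--... (Punycode);
    # a browser that shows the Unicode form instead hides this from the user.
    punycode = domain.encode("idna").decode("ascii")
    scripts = set().union(*(scripts_in(l) for l in labels))
    reasons = []
    if len(scripts) > 1:
        reasons.append("mixed scripts: " + ", ".join(sorted(scripts)))
    if punycode != domain:
        reasons.append("IDN, actually " + punycode)
    # Compare the registrable part (last two labels) with each trusted domain,
    # so "secure.arnazon.com" is matched against "amazon.com".
    registrable = ".".join(labels[-2:])
    for t in trusted:
        if registrable == t:
            continue
        if squash_confusables(registrable) == squash_confusables(t):
            reasons.append("looks like trusted " + t)
        elif one_char_off(registrable, t):
            reasons.append("one character differs from trusted " + t)
    return {"punycode": punycode, "scripts": scripts, "reasons": reasons}

if __name__ == "__main__":
    TRUSTED = ["amazon.com", "facebook.com"]
    for d in ["secure.arnazon.com", "lacebook.com", "ex\u0430mple.com"]:
        print(d, "->", inspect_domain(d, TRUSTED)["reasons"])
```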

If you find yourself on a website of questionable authenticity, take the following steps:

  • Check whether the site was opened via HTTPS: Most modern websites support HTTPS encryption. Nowadays, every webpage that obtains data from you – e.g. a password or a form – should always and only be loaded via HTTPS. If this isn’t the case, there is a heightened risk that the website is a fake.
  • Check the SSL certificate: If the website was loaded via HTTPS, you can view the server’s SSL certificate. Make sure that the certificate refers to the organization allegedly behind the website. If it doesn’t, you may have ended up on a falsified website.
  • If your doubts seem substantiated, close the browser window.

Digital access is a serious matter. Once confidential data is stolen, it can often be difficult to limit the damage. So, it’s better to be overcautious than careless.

Mail spoofing

Besides the text of the actual message, an email contains meta information in the mail header. The header includes various fields like “From,” “To,” “Reply-To,” etc. Using the right software, it’s easy to overwrite the contents of the header fields with arbitrary values. If your boss’s email address appears in the “From” field, this doesn’t necessarily mean the email actually came from this person. An attacker can place their own address in the “Reply-To” field. The victim will then believe they are replying to the purportedly legitimate “From” address, when they are actually writing to the attacker’s “Reply-To” address.

On the user’s side, there is a range of security measures in the mail software that can help counter mail spoofing attacks. They all aim to detect, mark and filter out spoofed emails:

  • Activate the spam filter: The spam filter of your mail program or email server applies heuristics to sort out potentially fake emails. The process is completely automatic and offers an essential degree of protection.
  • Use content encryption: Content encryption, together with the digital signatures that PGP and S/MIME provide, ensures that the email comes from the sender indicated and that the message has not been altered. Unfortunately, setting up the common procedures PGP and S/MIME takes some effort. While effective, content encryption is still relatively under-utilized outside of certain professional groups. Alternatively, use end-to-end encrypted messenger applications. They offer the same advantages in terms of security and can be used immediately.
  • Show and inspect the mail header: Better suited to advanced users, it’s possible to display the complete mail header. This allows a thorough analysis: With the right know-how, the actual origin of the email can be determined from it.

Plus, there are multiple server-side technologies that aim to prevent the sending of spoofed emails. The most frequently used server-side protections include SPF, DKIM and DMARC.

If you run your own email addresses on your own server, you should make sure that at least SPF and DKIM are correctly configured. Otherwise, your legitimate emails may end up caught in the addressee’s spam filter.
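An added example (not from the original article) of the header inspection recommended above: it parses a constructed raw email with Python's email module, reports a Reply-To domain that differs from the From domain, and reads the SPF, DKIM and DMARC verdicts that a receiving server records in the Authentication-Results header (RFC 8601). All addresses and hostnames are constructed.

```python
# Added example (not from the original article): parse a raw email's
# header and flag the two spoofing indicators discussed above: a Reply-To
# address whose domain differs from From, and failed SPF/DKIM/DMARC
# results recorded by the receiving server in Authentication-Results.
# The message, addresses and hostnames below are constructed.
from email import message_from_string
from email.utils import parseaddr
import re

RAW_MAIL = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=boss-mail.example; dkim=none; dmarc=fail header.from=example.com
From: "The Boss" <boss@example.com>
Reply-To: boss.example.com@mailbox.example.org
To: employee@example.com
Subject: Urgent transfer

Please wire the amount today and reply to confirm.
"""

def domain_of(header_value) -> str:
    """Lower-cased domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """Extract method=result pairs (spf, dkim, dmarc) from Authentication-Results."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I):
            results[method.lower()] = result.lower()
    return results

def spoofing_indicators(raw: str) -> list:
    """Return human-readable reasons why this message may be spoofed."""
    msg = message_from_string(raw)
    reasons = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    # A Reply-To pointing elsewhere sends the victim's answer to the attacker.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Anything other than "pass" means the receiving server could not vouch
    # for the claimed sender domain.
    for method, result in auth_results(msg).items():
        if result != "pass":
            reasons.append(f"{method} result is {result}")
    return reasons

if __name__ == "__main__":
    for reason in spoofing_indicators(RAW_MAIL):
        print("-", reason)
```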

Spoofing at the network level

These spoofing attacks attempt to manipulate communication in networks. In this case, the “victim” is not a person, but a network, hardware or software. Since these attacks take place at the level of data packets, they are hardly noticeable to normal users.

DNS spoofing

The Domain Name System, shortened to DNS, is a globally distributed system for translating internet domain names into IP addresses. The DNS provides an IP address for a domain name. Answers to previous DNS queries are temporarily stored on the server in the DNS cache. With DNS spoofing, a malicious entry is placed in the DNS cache. Subsequent requests then return a fake IP address for the manipulated entry, and data transmission is redirected to another server. DNS spoofing is used by criminals to carry out phishing and man-in-the-middle attacks.

At the user level, you can protect yourself from DNS spoofing by using encryption technology. Make sure that the websites you visit are HTTPS-encrypted. The use of a Virtual Private Network (VPN) can also provide protection from DNS spoofing in some instances.

If you run your own domain, you should consider using the protective technology Domain Name System Security Extensions (DNSSEC). DNSSEC uses cryptographic authentication to guarantee the integrity of DNS responses. DNS spoofing is thereby stopped for DNSSEC-protected domains.

Tip

Use Domain Guard by IONOS to protect your domains from manipulation.

MAC spoofing

MAC spoofing has nothing to do with a certain famous company from California. Instead, the eponymous MAC address refers to the physical address of a network device. The MAC address is a unique number assigned once to any network device worldwide. Although every network device has a fixed address, it can easily be spoofed at the software level. The ability to spoof a MAC address is often exploited by users to circumvent restrictions.

ARP spoofing

In local networks (LANs), the Address Resolution Protocol (ARP) is used to map IP addresses to MAC addresses via a table. ARP spoofing attacks seek to manipulate these table entries in order to direct IP data traffic to a malicious MAC address. This allows an attacker to spy on and falsify data communication. These attacks represent a serious threat to security.
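A defender-side check for the ARP table manipulation described above, added here as an example and not part of the original article: it compares two snapshots of a host's neighbour table in the format printed by `ip neigh` and reports an IP whose MAC address changed as well as a MAC that now answers for several IPs. Both snapshots are constructed.

```python
# Added example (not from the original article): compare two snapshots of
# a host's ARP/neighbour table and report the signs of ARP spoofing
# described above: an IP whose MAC changed, and one MAC that answers for
# several IPs (typically the gateway plus the attacker's own address).
# Snapshot lines follow the "ip neigh" output format; values are constructed.
import re

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)

def parse_neigh(text: str) -> dict:
    """Map IP -> MAC (lower-case) from 'ip neigh' style output."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def arp_anomalies(before: dict, after: dict, gateway: str) -> list:
    """Return alerts for MAC changes and for MACs claiming more than one IP."""
    alerts = []
    for ip, old in before.items():
        new = after.get(ip)
        if new and new != old:
            tag = " (gateway!)" if ip == gateway else ""
            alerts.append(f"{ip}{tag} changed MAC {old} -> {new}")
    by_mac = {}
    for ip, mac in after.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims {len(ips)} IPs: {', '.join(sorted(ips))}")
    return alerts

# Constructed snapshots: in the second one the gateway's entry now carries
# the MAC of 192.168.1.23, the classic sign of a poisoned ARP cache.
SNAP_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
192.168.1.23 dev eth0 lladdr 00:11:22:33:44:23 STALE
192.168.1.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE
"""
SNAP_AFTER = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:23 REACHABLE
192.168.1.23 dev eth0 lladdr 00:11:22:33:44:23 REACHABLE
192.168.1.40 dev eth0 lladdr 00:11:22:33:44:40 REACHABLE
"""

if __name__ == "__main__":
    for alert in arp_anomalies(parse_neigh(SNAP_BEFORE), parse_neigh(SNAP_AFTER), "192.168.1.1"):
        print("ALERT:", alert)
```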

IP spoofing

IP spoofing involves sending TCP/IP or UDP/IP data packets with a fake sender address. In most cases, this type of attack is used as part of DoS and DDoS attacks.
