What Is a Spoofing Attack?

Jul 09, 2019

BY Tobias Geisler Mesevage

Let's Get Technical

The act of spoofing is a scheme that tricks humans and networks into believing that a source of information is trustworthy when, in actuality, it is not. During a spoofing attack, a criminal will pose as a known and trusted source so they can mine for personal information and eventually wreak havoc on a business.

In this article, we’ll describe how a successful spoofing attack can lead to:

  • Infected computer systems and networks
  • Denial-of-service attacks
  • Data breaches
  • Lost revenue

Spoofing can also enable criminals to bypass network access controls, which can lead to more significant cyber attacks like an advanced persistent threat or a man-in-the-middle attack.

Who is most targeted for spoofing attacks?

Small and medium-sized businesses (SMBs) are the most targeted for all cyber attacks, including spoofing, making up 58 percent of all cybercrime victims, according to Verizon’s 2018 Data Breach Report.

Furthermore, research conducted by the IT security company Trend Micro suggests the most highly targeted victims of spoofing within SMBs are:

  • CEOs
  • Managing directors
  • CFOs
  • Finance directors

One of the highest profile CEO spoofing attacks happened against European manufacturer Leoni AG in 2016 when thieves crafted emails to replicate Leoni’s internal procedures for approving and transferring funds. The malicious emails looked like official payment requests, which the CEO approved, costing the organization roughly $44.6 million.

How is spoofing carried out?

Spoofing attacks come in many forms, but the most common attacks are:

  • Email spoofing: By using corporate logos, or other specific graphics, criminals can disguise emails to make it look like they’ve come from a trusted source. Much like the Leoni example above, spoofed emails show fake contact details and will request information illegitimately.
  • Address Resolution Protocol (ARP) spoofing: This type of attack occurs when a criminal sends falsified ARP messages over a local area network. The attacker's end goal with an ARP attack is to associate their own Media Access Control (MAC) address with the Internet Protocol (IP) address of someone employed at the targeted business. Once that IP address resolves to the attacker's MAC address, they have free rein to intercept data between the victim's computer and the router.
  • IP spoofing: In this attack, a criminal sends packets with a forged source IP address to make them look like they came from a trusted source. By impersonating the IP address, the attacker can initiate a denial-of-service and overwhelm a device by sending too many packets. When a denial-of-service attack occurs, a machine or network is completely shut down, creating a damaging amount of business downtime and lost productivity for an organization.
  • Domain Name System (DNS) spoofing: Criminals can modify a DNS server to reroute a specific domain name to a different IP address. The end result of a DNS spoofing attack is usually the spread of viruses into networks which will have a negative impact on business continuity.

How can you recognize a spoofing attack?

Email spoofing: When it comes to preventing email spoofing, it’s always best to be skeptical of emails. Look for common red flags, for instance, if an email asks for sensitive information, such as usernames or passwords, or if the sender's email address doesn’t match the details of a legitimate source.

ARP spoofing: To detect an ARP spoof, open a command prompt and enter arp -a. The result will be the ARP table for your device. Search the results to see if any IP addresses share the same MAC address. If more than one IP address maps to a single MAC address, it may indicate there is an intruder on your network.
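The arp -a check above, automated: an added example (not from the original article) that parses a constructed ARP table and reports any MAC address claimed by more than one unicast IP. The sample output below is constructed, not captured from a real host; the same function handles the Windows and the Linux/macOS arp -a formats.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output (not a real capture).
# 192.168.1.1 and 192.168.1.37 sharing one MAC is the sign described above.
SAMPLE_ARP_OUTPUT = """
Interface: 192.168.1.20 --- 0x4
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-11-22-33     dynamic
  192.168.1.37          aa-bb-cc-11-22-33     dynamic
  192.168.1.50          00-11-22-33-44-55     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Matches "IP  MAC" (Windows) and "(IP) at MAC" (Linux/macOS) lines.
ARP_LINE = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\)?\s+(?:at\s+)?([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case, dash-separated form."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group(1)] = m.group(2).lower().replace(":", "-")
    return table


def find_duplicate_macs(table):
    """Return {mac: [ips]} for every MAC answering for more than one IP.
    Broadcast and IPv4 multicast entries are skipped: those repeat legitimately."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    # On a live host, replace SAMPLE_ARP_OUTPUT with the stdout of
    # subprocess.run(["arp", "-a"], capture_output=True, text=True).
    for mac, ips in find_duplicate_macs(parse_arp_table(SAMPLE_ARP_OUTPUT)).items():
        print(f"WARNING: {mac} answers for {', '.join(ips)} - possible ARP spoofing")
```

A gateway's IP suddenly sharing a MAC with another host is the classic pattern; a single duplicate can also be a misconfigured device, so confirm against the switch's port mapping before acting.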

IP spoofing: Because IP spoofing leads to a denial-of-service attack, it’s critical to watch the flow of traffic on your network. Use tools like a network analyzer or bandwidth monitoring tool to see if there are any anomalies in your traffic, such as high volumes of packets being transferred. If something looks awry, investigate the situation further.

DNS spoofing: Using a tool like DNS traceroute will allow you to see where the DNS request has been answered. If a request has been replied to from a suspicious location, it’s critical to continue to investigate.

How can SMBs stay vigilant?

According to cybersecurity company BitSight, 54.8 percent of U.S. companies have poor SPF (Sender Policy Framework) practices, and 66.4 percent have poor DKIM (DomainKeys Identified Mail) practices. Without secure SPF, DKIM, and Domain-based Message Authentication, Reporting and Conformance (DMARC) procedures, which block spoofed emails, the odds of a spoofing incident starting within your organization via email increase significantly.
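What "poor SPF and DMARC practices" looks like in the published DNS records, as an added example that is not part of the original article: two small checkers flag the weak settings in an SPF and a DMARC TXT record, shown against a constructed weak and a constructed strict record for example.com. DKIM is left out because checking it means verifying a signature, not reading a record.

```python
# Constructed sample records (example.com and 203.0.113.0/24 are documentation values).
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRICT_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com"


def spf_weakness(record):
    """Return a list of problems with an SPF record; an empty list means it is strict."""
    if not record.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()[1:]
    # The 'all' mechanism decides what happens to every host not listed before it.
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    if all_term in ("all", "+all"):
        return ["'+all' authorises every host on the internet to send as this domain"]
    if all_term == "?all":
        return ["'?all' is neutral: spoofed mail is neither passed nor failed"]
    if all_term == "~all":
        return ["'~all' softfail: fine once DMARC is enforced, but '-all' is stricter"]
    return []  # '-all': only the listed senders pass


def dmarc_weakness(record):
    """Return a list of problems with a DMARC record; an empty list means it enforces."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p")
    if policy is None:
        issues.append("missing required 'p' tag")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua address: aggregate reports of spoofing attempts are lost")
    return issues


if __name__ == "__main__":
    for name, rec, check in [("weak SPF", WEAK_SPF, spf_weakness),
                             ("weak DMARC", WEAK_DMARC, dmarc_weakness)]:
        print(name, "->", check(rec))
```

To run this against your own domain, feed it the TXT records published at the domain apex (SPF) and at _dmarc.<domain> (DMARC).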

Furthermore, it’s critical for organizations to implement and regularly update company cybersecurity policies. Comprehensive policies should include measures to detect and respond to spoofing attacks, as well as a backup and disaster recovery plan should an attack get through to your SMB.