
Types of spoofing and types of spoofers, methods of detection and prevention of spoofing attacks
14.07.2025

Ruslan Rakhmetov, Security Vision

 

Many cyberattacks are carried out through deception, both through social engineering and through technical means that allow attackers to impersonate someone else. In cybersecurity the term "spoofing" denotes a technical method of deception or impersonation in which a "spoofer" (a program or device) credibly impersonates another person or entity in order to carry out an attack. Cybercriminals use spoofing to fake an identity (a message sender, an account) or an entity (a device, a website), which lets them pose as a legitimate source of information, an authentic website or a colleague in order to gain unauthorized access, steal money and data, and distribute malware. In this article we will talk about the types of spoofing, the types of spoofers, and methods for detecting and preventing spoofing attacks.

 

Social engineering methods work by influencing human psychology, but to increase the effectiveness of an attack, attackers combine technical and psychological methods. For example, to be more convincing, a fraudster calling on the phone will not only introduce himself as a bank employee but will also use a "Caller ID spoofing" attack, so that the victim's phone displays the number of a real bank for the incoming call. In another case, successful phishing requires not only a competently written message to the victim but also a forged sender address, i.e. an "Email spoofing" attack (email forgery). Spoofing does not just make social engineering attacks more effective; it is dangerous in itself: software and hardware spoofers can be used to organize DDoS attacks, intercept network data, cover attackers' tracks from investigators, and even affect cyber-physical systems and devices.

 

Spoofing can be implemented at different levels of abstraction:

 

  1. Image and voice spoofing.

Deepfakes are created by spoofing the biological characteristics of a person: voice, speech patterns, facial images, body movements. Attackers fake them using neural networks as spoofers, trained on voice samples, photos and videos of the impersonated person. To detect such fakes, companies now use technologies that verify a real person is using the service (liveness checks); for example, a banking application may ask the user to blink or shake their head in front of the smartphone camera.

 

  2. Spoofing file extensions.

File extension spoofing can be carried out with the special character U+202E (RTLO, Right-to-Left Override, which switches the reading direction of the following text to right-to-left). For example, the executable file "ob_usp<U+202E>txt.exe" is displayed to the user as a text file "ob_uspexe.txt", and the icon of such an executable can also easily be replaced with the icon of a text document.
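As an added example (not part of the original article and not Security Vision's code), the following Python functions show the defender's side of this trick: they list any Unicode bidirectional control characters in a file name, reconstruct the name a user would see after a U+202E override, and flag the case where the stored extension is executable but the displayed one is not. The list of executable extensions and the sample file names are constructed for illustration.

```python
# Unicode bidirectional control characters; any of them in a file name is unusual,
# and U+202E (RLO) is the one used to hide a real extension.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}
# Extensions Windows treats as directly executable (constructed, non-exhaustive list)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "ps1", "hta", "lnk"}


def strip_controls(name: str) -> str:
    """The name as the file system actually stores it, minus bidi controls."""
    return "".join(c for c in name if c not in BIDI_CONTROLS)


def displayed_name(name: str) -> str:
    """Approximate what a file manager shows: everything after the first RLO is
    rendered right-to-left, so that tail appears reversed (a simplified model of
    the Unicode bidi algorithm, sufficient for the classic extension trick)."""
    head, rlo, tail = name.partition("\u202e")
    if not rlo:
        return strip_controls(name)
    return strip_controls(head) + strip_controls(tail)[::-1]


def extension(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def analyze_filename(name: str) -> dict:
    """Report bidi controls in a file name and whether they hide an executable extension."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    real = strip_controls(name)
    shown = displayed_name(name)
    real_ext, shown_ext = extension(real), extension(shown)
    return {
        "controls": controls,
        "real_name": real,
        "real_extension": real_ext,
        "displayed_name": shown,
        "displayed_extension": shown_ext,
        # the dangerous case: the file is executable but the user sees another extension
        "suspicious": bool(controls) and real_ext in EXECUTABLE_EXTENSIONS and real_ext != shown_ext,
    }


def scan_names(names):
    """Filter a list of file names (for example from os.listdir) down to the suspicious ones."""
    return [r for r in (analyze_filename(n) for n in names) if r["suspicious"]]


if __name__ == "__main__":
    # Constructed sample mirroring the article: stored as ob_usp<RLO>txt.exe
    for r in scan_names(["ob_usp\u202etxt.exe", "report.txt", "invoice.pdf"]):
        print(f"{r['displayed_name']!r} is really {r['real_name']!r} ({r['real_extension']})")
```

The same check belongs in mail gateways and file-share scanners, where the stored name, not the rendered one, should decide how an attachment is treated.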

 

  3. Spoofing the parent process PID and process arguments.

When responding to cyber incidents, information security specialists pay special attention to the hierarchy of related processes, so attackers use parent PID spoofing techniques, which make a process appear to have been started by a different parent, to complicate analysis. To cover their tracks further, attackers can also spoof the arguments (command-line parameters) with which a particular process was launched in the OS.

 

  4. Email spoofing.

The email system was originally designed without taking message forgery into account, so there are still ambiguities in the syntax of email headers and in the logic of their verification, as we discussed in the article on phishing. Until quite recently, open mail relays were widely available on the Internet, and they essentially acted as spoofers: they allowed sending email messages with an arbitrary set of headers, pretending to be any sender. Email spoofing can also rely on the simplest methods, where the sender's address is merely visually similar to the impersonated account; to do this, attackers register domains whose spelling resembles the real ones.
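The header inconsistencies described above can be checked mechanically. The following Python snippet is an added example (not from the article) that parses a raw message with the standard library, compares the visible From: domain with Return-Path and Reply-To, catches a display name that itself looks like an address at another domain, and reads the SPF/DKIM/DMARC verdicts that a receiving MTA records in the Authentication-Results header. Both messages and all domain names in them are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lure whose visible sender does not match the technical headers.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@mailer.evil.test>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.evil.test; dkim=none; dmarc=fail header.from=examp1e-bank.com
From: "support@example-bank.com" <no-reply@examp1e-bank.com>
Reply-To: refunds@mailer.evil.test
To: victim@example.net
Subject: Your account has been locked

Please log in to unlock your account.
"""

# Constructed sample of a message whose headers are consistent with each other.
CLEAN_MESSAGE = """\
Return-Path: <bounces@example-bank.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-bank.com; dkim=pass header.d=example-bank.com; dmarc=pass header.from=example-bank.com
From: Example Bank Support <support@example-bank.com>
To: customer@example.net
Subject: Your monthly statement

Your statement is attached.
"""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_sender_headers(raw: str) -> dict:
    """Compare the visible From: with Return-Path, Reply-To and the receiving MTA's
    Authentication-Results; every inconsistency becomes a finding."""
    msg = message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Display name that itself looks like an address at a different domain
    if "@" in display_name and domain_of(display_name) != from_domain:
        findings.append("display_name_address_mismatch")

    # Envelope sender (Return-Path) and Reply-To pointing elsewhere than From
    for header, tag in (("Return-Path", "return_path_domain_mismatch"),
                        ("Reply-To", "reply_to_domain_mismatch")):
        addr = parseaddr(msg.get(header, ""))[1]
        if addr and domain_of(addr) != from_domain:
            findings.append(tag)

    # SPF/DKIM/DMARC verdicts as recorded by the receiving MTA
    auth = msg.get("Authentication-Results", "")
    results = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for mechanism in ("spf", "dkim", "dmarc"):
        if results.get(mechanism, "none") != "pass":
            findings.append(f"{mechanism}_not_pass")

    return {"from_domain": from_domain, "auth": results, "findings": findings}


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, check_sender_headers(raw))
```

A mismatch on its own is not proof of fraud (mailing-list and ticketing systems legitimately rewrite Return-Path and Reply-To), which is why the authentication verdicts are reported alongside the structural findings rather than folded into a single score.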

 

  5. Spoofing domains and URLs.

Attackers also carry out attacks involving website names and the specific URLs they try to lure users to. Domain spoofing can take the form of a "Typosquatting" attack, in which attackers count on a certain percentage of Internet users making a typo when entering a domain in the browser address bar and landing on a malicious site. The attack is carried out by registering a domain whose spelling is similar to a legitimate web resource and then placing malicious content on it (for example, a phishing form for entering credentials, supposedly for the corporate mail server). URL spoofing attacks can use an "Open redirect", which exploits a vulnerability in a legitimate website to redirect users to a malicious site. Attackers can also exploit the visual similarity of characters from different alphabets, and the way different browsers display them, to perform spoofing attacks using Punycode and IDN homographs. There are utilities that identify domains which could potentially be used for domain spoofing or website spoofing, for example dnstwist, openSquat and DNSrazzle.
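An added example, not the article's own code and unrelated to the dnstwist, openSquat or DNSrazzle tools it names, of the check a defender can run over domains seen in proxy logs, certificate transparency feeds or inbound mail: decode Punycode, detect labels that mix scripts, reduce confusable characters to a Latin "skeleton" and measure edit distance to a watchlist of the organisation's own domains. The watchlist, the confusables table (a small hand-picked subset of the Unicode confusables list) and the test domains are constructed.

```python
import unicodedata

# Constructed watchlist of the organisation's own domains (hypothetical names)
WATCHLIST = ["example-bank.com", "example-bank.ru"]

# A few Cyrillic/Greek letters that render like Latin ones (constructed, not exhaustive)
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x",
    "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}


def to_unicode(host: str) -> str:
    """Turn a Punycode (xn--) host name into its Unicode form; leave others untouched."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host


def label_scripts(label: str) -> set:
    """Scripts of the letters in one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in label if c.isalpha()}


def skeleton(host: str) -> str:
    """Map confusable letters to their Latin look-alikes and strip diacritics."""
    mapped = "".join(CONFUSABLES.get(c, c) for c in host.lower())
    decomposed = unicodedata.normalize("NFKD", mapped)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_domain(host: str, watchlist=WATCHLIST) -> dict:
    """Classify a host name seen in a URL, e-mail or certificate log against the watchlist."""
    uni = to_unicode(host.lower().rstrip("."))
    mixed = [lbl for lbl in uni.split(".") if len(label_scripts(lbl)) > 1]
    skel = skeleton(uni)
    closest, distance = min(((w, levenshtein(skel, w)) for w in watchlist), key=lambda t: t[1])
    if uni in watchlist:
        verdict = "legitimate"
    elif mixed:
        verdict = "homograph_mixed_script"
    elif distance == 0:
        verdict = "homograph_confusable"
    elif distance <= 2:
        verdict = "possible_typosquat"
    else:
        verdict = "no_match"
    return {"input": host, "unicode": uni, "punycode": host.lower() != uni,
            "mixed_script_labels": mixed, "closest": closest, "distance": distance,
            "verdict": verdict}


if __name__ == "__main__":
    for h in ("example-bank.com", "examp1e-bank.com", "ex\u0430mple-bank.com", "unrelated.org"):
        print(assess_domain(h))
```

The edit-distance threshold of 2 is deliberately loose; in production the result would be joined with WHOIS age and certificate issuance data before anyone is paged.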

 

  6. DNS spoofing.

DNS spoofing (or DNS cache poisoning) is an attack that relies on the absence of authentication of the information transmitted via the DNS protocol and on the use of UDP for DNS queries and responses. As a result, an attacker can feed a caching (local, recursive) DNS server a fake mapping of the requested site's DNS name to the IP address of a server controlled by the attacker, on which a MitM attack is then carried out: for example, malicious scripts are injected, credentials are stolen, and false information is displayed. Protection against such attacks is provided by DNS-over-HTTPS (DoH), DNS-over-TLS (DoT), DNS-over-QUIC (DoQ), DNSSEC and DNSCrypt.

 

  7. DHCP spoofing.

DHCP spoofing is an attack on the DHCP protocol in which an attacker introduces a rogue DHCP server into the corporate network, disables the legitimate DHCP server by flooding it with fake requests (the DHCP Starvation technique), and then, on behalf of the "new" DHCP server, starts handing out false information to DHCP clients (a fake DNS server IP address, a fake default gateway IP address) in order to carry out further MitM attacks. Protection against attacks of this type is DHCP Snooping, which lets server-side DHCP messages (DHCPOFFER and DHCPACK) pass only through designated trusted switch ports.

 

  8. IP address spoofing (when using the TCP protocol).

With TCP, IP address spoofing makes sense for an attacker if he has access to the network segment where the client and the attacked server are located, the network traffic is not encrypted, and after initial client authentication only the IP address and the 32-bit TCP sequence number (SEQ), whose value can be intercepted, are used to verify the authenticity of the connection. Using an ARP cache poisoning attack, the attacker can redirect traffic within the subnet from the attacked server to himself and then spoof the IP address of the real client, who has already been authenticated (has entered a login and password on the server). If the attacker has no access to the network segment, he can try to use the outdated Source Routing mechanism (source-based routing), in which the sender of the data (the attacker, spoofing the client's IP address) specifies the route the response IP packet should take, so it becomes possible to direct the server's responses to the attacker's device. Separately, modern DPI solutions use a spoofed TCP reset to block traffic: the DPI device sends a "TCP Reset" packet to the client, supposedly on behalf of the site the client requested.

 

  9. IP address spoofing (when using the UDP protocol).

With UDP, the sender of data may not receive any response, which allows attackers to spoof the source IP address of a UDP datagram. This property of UDP makes powerful DDoS attacks of the UDP Amplification type possible, in which a small number of malicious devices, spoofing the victim's IP address, generate a huge number of false requests to various Internet servers, and the responses are sent to the victim's IP address. Various network protocols running over UDP (DNS, NTP, SSDP, TFTP and others) thus allow attackers to multiply the power of a DDoS attack, because in these protocols the response is many times larger than the request and is delivered to the victim's IP address.
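Added example (not from the article): a reflector-side check, written in Python over constructed flow records, that a server operator can use to notice that their own NTP or DNS service is being turned against a spoofed victim address. It pairs the bytes each "client" sent with the bytes the server returned and reports clients for which the ratio is large. The flow-record format, the reflector port table and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# UDP services commonly abused as reflectors (port -> name); constructed list
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 69: "TFTP", 161: "SNMP", 11211: "memcached"}

# Constructed flow records as a server-side exporter might produce them:
# src_ip:port -> dst_ip:port proto bytes packets
FLOWS = """\
203.0.113.5:51000 -> 192.0.2.10:123 udp 48 1
192.0.2.10:123 -> 203.0.113.5:51000 udp 4800 10
203.0.113.5:51001 -> 192.0.2.10:123 udp 48 1
192.0.2.10:123 -> 203.0.113.5:51001 udp 4800 10
203.0.113.5:51002 -> 192.0.2.10:53 udp 60 1
192.0.2.10:53 -> 203.0.113.5:51002 udp 3000 2
198.51.100.7:40000 -> 192.0.2.10:123 udp 48 1
192.0.2.10:123 -> 198.51.100.7:40000 udp 48 1
"""

FLOW_RE = re.compile(r"(\S+):(\d+) -> (\S+):(\d+) (\w+) (\d+) (\d+)")


def parse_flows(text):
    """Yield (src, sport, dst, dport, proto, bytes, packets) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            src, sport, dst, dport, proto, nbytes, pkts = m.groups()
            yield src, int(sport), dst, int(dport), proto, int(nbytes), int(pkts)


def amplification_report(text, min_factor=10.0, min_bytes=1000):
    """Per (client, server, service) pair, compare bytes the client sent with bytes the
    server returned. A large ratio toward one client means that client address is
    probably spoofed and this server is being used as a reflector against it."""
    stats = defaultdict(lambda: {"request_bytes": 0, "response_bytes": 0, "requests": 0})
    for src, sport, dst, dport, proto, nbytes, pkts in parse_flows(text):
        if proto != "udp":
            continue
        if dport in REFLECTOR_PORTS:        # client -> server (request)
            rec = stats[(src, dst, REFLECTOR_PORTS[dport])]
            rec["request_bytes"] += nbytes
            rec["requests"] += pkts
        elif sport in REFLECTOR_PORTS:      # server -> client (response)
            stats[(dst, src, REFLECTOR_PORTS[sport])]["response_bytes"] += nbytes
    report = {}
    for (client, server, service), rec in stats.items():
        if rec["request_bytes"] == 0:
            continue
        factor = rec["response_bytes"] / rec["request_bytes"]
        if factor >= min_factor and rec["response_bytes"] >= min_bytes:
            report.setdefault(client, {})[service] = {
                "server": server, "factor": round(factor, 1),
                "response_bytes": rec["response_bytes"], "requests": rec["requests"]}
    return report


if __name__ == "__main__":
    for victim, services in amplification_report(FLOWS).items():
        for service, info in services.items():
            print(f"{victim}: {service} via {info['server']} amplified x{info['factor']}")
```

The practical response on the reflector side is rate-limiting or restricting the abused query types (for example NTP monlist or open recursion), while the root cause, the ability to emit packets with a foreign source address, is addressed by ingress filtering (BCP 38) at the edge networks the spoofed packets leave from.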

 

  10. ARP spoofing.

An ARP spoofing attack (ARP cache poisoning) can be used to organize DoS within a subnet and to intercept and tamper with user traffic. ARP spoofing is the first step towards a more serious Man-in-the-Middle attack, which could, for example, involve SMB Relay or NTLM Relay attacks or an attempt to gain access to HTTPS traffic. We have previously discussed the ARP spoofing attack in detail.
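Since the article defers to its separate ARP spoofing write-up, only the detection side is illustrated here, as an added example that is not taken from that article: a Python tracker over constructed ARP reply lines (in a tcpdump-like "ip is-at mac" form) that alerts when an IP's MAC binding changes and when one MAC begins answering for several IPs, the pattern seen when an attacker poses as both the gateway and a host. The gateway address and log format are assumptions.

```python
import re

# Constructed ARP reply log: "<time> <ip> is-at <mac>"
ARP_LOG = """\
12:00:01 10.0.0.1 is-at aa:bb:cc:00:00:01
12:00:02 10.0.0.25 is-at aa:bb:cc:00:00:25
12:00:03 10.0.0.1 is-at aa:bb:cc:00:00:01
12:00:07 10.0.0.1 is-at de:ad:be:ef:00:99
12:00:08 10.0.0.25 is-at de:ad:be:ef:00:99
"""

LINE_RE = re.compile(r"(\S+) (\S+) is-at (\S+)")


def detect_arp_spoofing(log: str, gateway: str):
    """Track IP->MAC bindings from ARP replies and raise an alert when a binding
    changes or when one MAC starts answering for several IPs (typical of an
    attacker placing itself between hosts and the gateway)."""
    ip_to_mac = {}
    mac_to_ips = {}
    alerts = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, mac = m.groups()
        mac = mac.lower()
        old = ip_to_mac.get(ip)
        if old and old != mac:
            alerts.append({"time": ts, "kind": "ip_mac_changed", "ip": ip,
                           "old_mac": old, "new_mac": mac, "is_gateway": ip == gateway})
        ip_to_mac[ip] = mac
        ips = mac_to_ips.setdefault(mac, set())
        if ip not in ips:
            ips.add(ip)
            if len(ips) > 1:
                alerts.append({"time": ts, "kind": "mac_claims_multiple_ips",
                               "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for a in detect_arp_spoofing(ARP_LOG, gateway="10.0.0.1"):
        print(a)
```

A binding change for the gateway is the highest-priority alert; on managed switches the same condition is enforced inline by Dynamic ARP Inspection, which checks ARP replies against the DHCP snooping binding table instead of learning them after the fact.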

 

  11. MAC address spoofing.

Many modern operating systems allow users to change the MAC addresses of network cards and also automatically generate random MAC addresses when connecting to WiFi (MAC address randomization). In this case MAC address spoofing is used to enhance user privacy by preventing WiFi access points from tracking the connection history of one and the same device.

 

  12. GNSS spoofing.

GNSS systems (Global Navigation Satellite Systems), including GPS, GLONASS, BeiDou and Galileo, are susceptible to spoofing, i.e. signal forgery: they have no mechanism for verifying the authenticity of received messages. As a result, attackers can carry out GNSS spoofing with equipment that simulates a GNSS satellite and transmit inaccurate or deliberately distorted data to receiving devices, including fake coordinates and incorrect time, so that some cyber-physical systems stop functioning correctly. For example, autonomous vehicles will be unable to continue moving, and systems that rely on precise satellite time signals will be unable to perform their operations correctly.

 

  13. Spoofing of air and sea navigation and identification systems.

In aviation, ADS-B (Automatic Dependent Surveillance-Broadcast) is used, which allows aircraft to transmit their ICAO ID (a unique 24-bit aircraft identifier in the International Civil Aviation Organization system) together with information about their position, course, altitude and speed, and also to receive some information (for example, weather data). ADS-B includes no mechanisms for verifying the authenticity of transmitted and received information, nor for encrypting it, which allows attackers to forge information and transmit incorrect data about an aircraft's state to ground services.

 

In shipping, AIS (Automatic Identification System) is used, through which vessels transmit their MMSI identifiers (Maritime Mobile Service Identity) and information about their type, dimensions, position, course and speed. AIS includes no mechanisms for checking the authenticity of sent messages, so the transmitted data can be accidentally or intentionally falsified by the ship's crew.

 

  14. Spoofing in telephone systems.

Telephone communication systems allow the subscriber ID (the caller or the SMS sender) to be substituted. This makes possible attacks such as "Caller ID spoofing" and "Smishing" (SMS phishing), in which attackers send phishing messages via SMS while spoofing the sender's number. For example, specialized services and marketing systems allow any combination of letters and digits to be specified in the sender or caller field, which makes it possible to show any caller number or imitate a message from a bank.

 

  15. Spoofing hardware identifiers.

Utilities such as "HWID Spoofer" ("hardware identifier spoofer") allow the identifiers of the device's hardware (usually the motherboard, video card and hard drive) to be forged in order to deceive various tracking systems, for example in computer games or in analytics systems that use the browser fingerprint.