Short Answer: What is spoofing?
Spoofing on the telephone is the act of a malicious caller submitting falsified digital data that disguises the caller's phone number and ID information. It is extremely difficult to find out the spoofer's real identity. Phishing and banking scams are often facilitated by spoofing. By spoofing the number, the malicious caller can appear to be from the local area, because spoofing lets them present a local number. Sometimes scammers even use the numbers of companies or government agencies in order to gain the victim's trust. The purpose of spoofing is to extract valuable information, or even money, from the victim.
What is ‘spoofing’ in detail?
When a user makes purchases on the Internet or is active on social networks, he or she is forced to disclose personal data. Although the various providers are obliged to set up suitable protective measures to ensure the security of personal data, these measures are not 100% protection against data misuse. This is shown, for example, by the recent news about a massive data theft from the Internet provider Yahoo.
While Internet users accept the general practice of commercial providers using consumer data for orders, market research and advertising, the criminal actions of fraudsters naturally meet with little approval. Fraudsters work with ploys and tricks to gain access to sensitive data and to loot credit cards and bank accounts. Spoofing methods are usually used in such attacks.
In this article, we will show you exactly what spoofing is and the various deception methods this technique provides.
Spoofing simply explained
In the IT world it is like in real life. If a friend or acquaintance is standing in front of the door, he is immediately asked to enter. A stranger, on the other hand, has to answer a host of questions before the door is opened to him. Applied to the Internet and network environment, this means that the fewer password requests and protection mechanisms are in use, the more the communication participants trust each other. If they do not use authentication and transmit the data packets of a communication unencrypted, spoofing is very easy.
In English, the term stands for manipulation, concealment and pretence. Spoofing is therefore a collective term for all deception methods in computer networks that serve to conceal one's own identity.
Originally, spoofing was merely a synonym for the forgery of IP packets that were populated with the sender addresses of other hosts. Today, spoofing includes all methods of bypassing authentication and identification procedures based on trusted addresses or host names in network protocols.
Spoofing gives victims the deceptive feeling that they are communicating with a reputable source. In order to get hold of other people's access data, the perpetrators primarily use phishing or pharming. In phishing, for example, cyber criminals redirect their victims to websites that are a dead ringer for those of financial institutions. If the victims then enter their PINs and TANs, the perpetrators strike. As a rule, the data theft ends with a large amount of money being debited from the victims' accounts. However, it is not uncommon for the perpetrators to simply use Trojan horses to tap into the connection that the victims establish with their financial institutions and intercept the data there.
Phishing and pharming do not differ in their objectives. In phishing, however, cyber criminals use fake mails as bait to lure recipients to the phishing site via links. In pharming, by contrast, the perpetrators use malware. This is installed directly on the victim's computer and secretly redirects the browser to the phishing site when the genuine web address is entered. If the address bar remains unchanged, that is a measure of the Trojan's quality.
Besides Trojans, keyloggers are particularly popular as malware. A keylogger records every keystroke. If the victim enters an account number and PIN while banking online, the keylogger sends the data directly to the perpetrator.
The different types of spoofing
Spoofing has gained importance especially on the World Wide Web. Whereas in the past the term was used exclusively for an attacker's attempt to forge the IP packets of a communication (IP spoofing), today it is mainly used in connection with phishing (DNS spoofing). The term spoofing can, however, be divided into several further types, which we discuss in more detail below.
IP spoofing
This type of spoofing is technically demanding and requires in-depth knowledge of the TCP/IP protocol family. The so-called man-in-the-middle attack is made possible by a design weakness of TCP/IP. In essence, IP spoofing amounts to sending IP packets with a forged source IP address. The perpetrator tricks the attacked computer into believing that it is receiving data packets from a trusted computer. At the same time, the perpetrator remains undetected.
In principle, any IP packet can be manipulated at will. The recipient of a data packet has no way of continuously checking the authenticity of the sender. The core of the problem is the sequence number of the TCP packet. If the attacker inserts himself between sender and recipient, he is able to predict the next sequence numbers and push the legitimate sender onto the sidelines. The recipient's cluelessness about this session hijacking is due to the fact that sender and recipient only identify themselves at the beginning of their communication. Afterwards, they tacitly assume that nothing changes about the authenticity of the participants. In this respect, it is only a small consolation that IP spoofing is only successful if the system has additional security holes.
In non-blind spoofing, the victim and the perpetrator are on the same subnet. This has the advantage that the IP packets on this subnet pass the attacker, who simply has to pick them up. In blind spoofing, by contrast, the attacker is located outside the victim's subnet. This variant involves much more work and is therefore hardly ever used. In that case, the attacker would have to send packets to the victim in order to obtain sequence numbers from the acknowledgements of receipt, from which conclusions about the next sequence numbers could be drawn.
IP spoofing is an effective means of keeping the attacking computers undetected, especially in large-scale denial-of-service attacks such as SYN floods. For example, a malicious client can begin a TCP connection to a server by sending it a SYN (synchronize) message with a forged source IP address. The server responds and expects an ACK (acknowledge) message from the client to complete the so-called three-way handshake and establish the connection. The client withholds the ACK message and bombards the server with further SYN messages instead. All these half-open connections cost resources. Once the server's resources are used up, no more connections can be established and the server is no longer available.
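As an added example (not from the original article), a defender-side check in Python that counts half-open connections per local port from a constructed, simplified socket listing in the spirit of `ss -tan` output: a port whose SYN-RECV backlog is filled by many distinct peer addresses that never reach ESTAB is the signature of a SYN flood with forged source addresses.

```python
from collections import Counter

# Constructed, simplified socket listing (state, local addr, peer addr);
# not real `ss` output, which carries more columns.
SAMPLE_SOCKETS = """\
SYN-RECV 10.0.0.5:443 198.51.100.7:51001
SYN-RECV 10.0.0.5:443 203.0.113.9:4321
SYN-RECV 10.0.0.5:443 198.51.100.44:20000
ESTAB    10.0.0.5:443 192.0.2.10:55000
SYN-RECV 10.0.0.5:443 198.51.100.8:2222
SYN-RECV 10.0.0.5:443 203.0.113.200:9000
SYN-RECV 10.0.0.5:22  192.0.2.77:40001
"""


def half_open_by_port(listing):
    """Return (count of SYN-RECV sockets per local port,
    set of distinct peer IPs per local port)."""
    counts = Counter()
    peers = {}
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "SYN-RECV":
            continue  # only half-open sockets matter here
        local, peer = parts[1], parts[2]
        port = local.rsplit(":", 1)[1]
        counts[port] += 1
        peers.setdefault(port, set()).add(peer.rsplit(":", 1)[0])
    return counts, peers


def syn_flood_alerts(listing, threshold=4):
    """Flag ports whose half-open backlog is at least `threshold`.
    Returns {port: (half_open_count, distinct_peer_count)}; a high
    distinct-peer count with no ESTAB follow-up hints at forged sources."""
    counts, peers = half_open_by_port(listing)
    return {p: (n, len(peers[p])) for p, n in counts.items() if n >= threshold}
```

On a real host the same logic applies to the output of `ss -tan` after selecting the state and address columns; the usual mitigations are SYN cookies and a larger backlog.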
DNS spoofing
DNS spoofing is an attack on the Domain Name System. The aim of falsifying domain names and their associated IP addresses is to redirect traffic unnoticed to another computer in order to launch a phishing, pharming or denial-of-service attack.
Each individual DNS server is responsible exclusively for a subset of the Domain Name System. If it receives a query from a DNS participant that does not fall within its area of responsibility, it forwards the query to the next DNS server. This forwarding is not always necessary, however, since the answers of other servers to earlier queries are stored locally in a cache and can therefore be returned immediately.
The DNS participant accepts the answer without checking it and often receives additional data (glue records) alongside the actual answer, which is also stored in the cache. This additional data is ideal for cache poisoning and DNS spoofing: the attacker injects forged resource records into it.
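Added example, not from the article: a resolver-side bailiwick check in Python that, for a constructed DNS response, drops additional-section records whose names the responding server is not authoritative for, which is the standard defence against the glue-record poisoning described above. All names and addresses are made up.

```python
# Constructed response to a query for "www.example.com", answered by a
# server authoritative for "example.com". Records are (name, type, value).
RESPONSE = {
    "zone": "example.com",
    "answer": [("www.example.com", "A", "192.0.2.10")],
    "additional": [
        ("ns1.example.com", "A", "192.0.2.53"),                   # legitimate glue
        ("www.bank.example", "A", "203.0.113.66"),                 # out of bailiwick
        ("login.example.com.attacker.test", "A", "203.0.113.67"),  # suffix trick
    ],
}


def in_bailiwick(name, zone):
    """True if `name` equals `zone` or lies beneath it. The comparison is
    label-wise, so "example.com.attacker.test" does not match "example.com"."""
    n = name.lower().rstrip(".").split(".")
    z = zone.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def filter_additional(response):
    """Split the additional section into records the responding server may
    speak for (safe to cache) and records to discard."""
    zone = response["zone"]
    kept, dropped = [], []
    for rec in response["additional"]:
        (kept if in_bailiwick(rec[0], zone) else dropped).append(rec)
    return kept, dropped
```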
ARP spoofing
This type of spoofing is another variant of the man-in-the-middle attack. ARP spoofing means sending forged ARP packets and is used to modify the ARP tables in a network in order to eavesdrop on, manipulate or block communication between hosts. In particular, it is conceivable to bring IP telephony into the focus of monitoring.
The principle of operation is quickly explained. The attack begins when host A receives a manipulated ARP message from the attacker. The attacker is interested in the data traffic between host A and host B, which is why he puts his own MAC address into the message instead of host B's. As a result, the packets intended for host B go directly from A to the attacker. The same fate befalls host B, which therefore unknowingly sends the packets intended for A to the attacker. All the attacker has to do is forward the corresponding data packets to host A and host B. As a proxy, he finally has the power to influence the communication of the hosts as he sees fit. Spoofing of this kind is suitable as a pure interception measure for network traffic even in switched networks and differs in this respect from a sniffer, which only achieves anything in unswitched networks.
With ARP spoofing, the Ethernet packet contains a corrupted source MAC address
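Added example, not from the article: an arpwatch-style detector in Python that replays a constructed log of ARP replies and raises an alert when an IP address suddenly maps to a different MAC address, or when one MAC address claims several IP addresses, which is exactly what happens when the attacker above answers for both host A and host B. All addresses are made up.

```python
from collections import defaultdict

# Constructed ARP reply log: (timestamp, sender IP, sender MAC).
ARP_REPLIES = [
    (1, "10.0.0.1", "aa:aa:aa:aa:aa:01"),  # host A announces itself
    (2, "10.0.0.2", "aa:aa:aa:aa:aa:02"),  # host B announces itself
    (3, "10.0.0.1", "de:ad:be:ef:00:99"),  # attacker claims A's IP
    (4, "10.0.0.2", "de:ad:be:ef:00:99"),  # attacker claims B's IP too
]


def detect_arp_spoofing(replies):
    """Return a list of alerts. Two signals are checked: an IP whose MAC
    differs from the one first seen, and a MAC that claims more than one IP."""
    first_seen = {}               # ip -> mac learned from the first reply
    claimed = defaultdict(set)    # mac -> set of IPs it has answered for
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        claimed[mac].add(ip)
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append((ts, "ip-mac-change", ip, first_seen[ip], mac))
        first_seen.setdefault(ip, mac)
    for mac, ips in claimed.items():
        if len(ips) > 1:
            alerts.append((None, "mac-claims-multiple-ips", mac, tuple(sorted(ips))))
    return alerts
```

The usual countermeasures are static ARP entries for critical hosts and dynamic ARP inspection on the switch; the detector only tells you that something is wrong.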
URL spoofing
Spoofing of web addresses is possible in three ways. It is conceivable, for example, that a fake link is foisted on the user by means of special constructions in a website's source code. If the user unsuspectingly clicks the link, he or she ends up, if the browser plays along, on a page that has absolutely nothing to do with the one expected.
This spoofing then offers the possibility of circumventing security precautions such as password prompts. On vulnerable pages, entering a forged address is sufficient to render the password protection ineffective and gain access to adult content.
If a browser is fundamentally susceptible to spoofing of this kind, the user can also be redirected to a completely different website by faking the browser's address bar. In this case, the user is led to the fake page without being able to tell from the displayed Internet address. All that is required is certain data appended to the genuine Internet address which does not appear in the browser's address bar and thus deceptively leads to the fake website being called up.
E-mail spoofing
Spammers usually make use of this type of spoofing. They use someone else's e-mail address to hide their true identity. This requires a mail server of their own; the only alternative is to abuse someone else's mail server.
Although spammers are annoying, they are harmless compared with financial fraudsters. Anyone who flirts with spoofing for the big rip-off is of course in a different league. An inexperienced employee in a company's finance department regularly proves to be an ideal target for collecting money. In an e-mail, he or she is asked to transfer a considerable sum to the specified account as quickly as possible. It is almost hopeless to see through the fraud: nothing arouses the finance employee's suspicion. The e-mail address is correct, the wording of the instruction is in company jargon, and the payment request appears to come from the supervisor, the company's lawyer or an employee of a trustworthy business partner. Once the amount has been transferred, it is irrevocably lost. Very few employees think of settling the matter with a simple verification call if that is not usual business practice.
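Added example, not from the article: a Python check over a constructed message modelled on the payment-request mail above. It compares the domain of the visible From address with the envelope sender (Return-Path) and the Reply-To domain; a mismatch in either is a cheap signal that a mail gateway or a cautious finance team can use to trigger the verification call the text recommends. All addresses and domains are made up.

```python
import email
from email.utils import parseaddr

# Constructed message; the From address looks right, but the mail was
# injected through a foreign relay and replies are steered elsewhere.
RAW_MESSAGE = """\
Return-Path: <bounce@mail-relay.attacker.test>
From: "Jane Doe (CEO)" <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail.example
To: finance@example.com
Subject: Urgent wire transfer

Please transfer the amount today.
"""


def _domain(addr):
    """Lower-cased domain part of an e-mail address ('' if none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def header_mismatches(raw):
    """Return (signal, offending domain) findings where the From domain
    disagrees with the Return-Path or Reply-To domain."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    if return_path and _domain(return_path) != _domain(from_addr):
        findings.append(("return-path-domain", _domain(return_path)))
    if reply_to and _domain(reply_to) != _domain(from_addr):
        findings.append(("reply-to-domain", _domain(reply_to)))
    return findings
```

In production this check sits beside SPF, DKIM and DMARC evaluation, which verify the sending domain cryptographically rather than by header comparison.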
Call ID spoofing in detail
A fairly new type of spoofing is the telephone rip-off. In so-called Call ID spoofing, phone numbers are displayed that are identical to those of the police, authorities or courts. A reverse search, which is usually used to find registered subscribers by entering their telephone number, is therefore ineffective. This enables the fraudsters to dispel any doubts the victims may have and persuade them to hand over personal data or transfer money.
A remedy against this spoofing would easily be possible if victims did not trust the displayed number and did not disclose confidential information, if they refused the installation of remote maintenance software on their PC and, above all, if they did not comply with requests for payment.
GPS spoofing
But spoofing can do much more. With GPS spoofing it is possible to steal luxury yachts or take control of drones.
Students of the University of Texas impressively proved the former years ago. The increasing dependence of shipping on the Global Positioning System (GPS), combined with the largely automatic steering of ships, has its pitfalls. In June 2013, these students managed to gradually superimpose false signals from their own GPS transmitter on the GPS signals received by a 65-meter super yacht, causing the yacht to drift off course unnoticed.
As far as drones are concerned, spoofing does not yet hold all the trumps, since only the more expensive models can receive GPS signals. However, if these models carry out missions autonomously, spoofing is an effective means of taking over the drones. All that is needed is a radio transmitter that simulates GPS satellite signals to the drone.
Conclusion: Types of Spoofing
Spoofing is used by cybercriminals in a wide variety of attack methods and is mainly intended to disguise the true origin of the attack or to mislead the user. There are many different types of spoofing, and as an Internet user you should protect yourself sufficiently against them. On the Internet you can find collections of helpful practical tips for protection against spoofing. The best thing to do is to inform yourself comprehensively about the topic and follow those tips.
How to tell if a phone number is spoofed?
Always listen, when on the phone, for background noises or crackling. If you hear someone breathing, you can be sure that someone has tapped your phone line.
Always check the caller ID. Verify whether the caller ID and the number actually calling match. If they do not, you can be sure that the number has been spoofed.
Pay attention to strange behaviour by the caller if you have any suspicion, especially if the caller asks for sensitive personal or financial information. Never give out your credit card number or social security number.