Domain Spoofing: How It Works and What You Can Do to Avoid It
by Rick Kuwahara COO of Paubox
According to a recent study by the Center for Applied Internet Data Analysis (CAIDA), almost 30,000 spoofing attacks occurred each day from March 2015 to February 2017. Today, the number of attacks continues to exponentially increase across the world.
Companies and other organizations that fall victim to spoofing attacks can end up losing millions in revenue. The good news is many of these attacks are preventable with the correct system configuration, employee training, and high-quality cybersecurity tools.
Here are the different types of spoofing attacks to watch out for and the best ways to keep your organization protected from cybercriminals.
Most common types of spoofing attacks
Spoofing attacks are perpetrated in many different ways. The most common types that target organizations include IP, email, and domain or website spoofing attacks.
Understanding how each type of attack works can help your organization more easily combat them.
How IP spoofing attacks work
During an IP spoofing attack, a cybercriminal impersonates an IP address pretending to be another user. The attacker sends inbound packets from a fake source address to devices within a network, often operating as part of a DDoS (Direct Denial of Service) attack.
The use of multiple packet addresses overwhelms and shuts down the targeted device. These types of attacks can be detected with a network analyzer or bandwidth monitoring tool.
Monitoring normal traffic usage can assist you in recognizing illegitimate traffic so you can do a deeper investigation. It’s essential to catch IP spoofing attacks as soon as possible because as part of a DDoS attack they can take your network completely offline, disrupting normal business activities.
Another malicious IP spoofing method is a Man-in-the-Middle attack that interrupts communication between two computers, alters the packets, and transmits them without the original sender or recipient being aware of it.
Eventually, attackers can gather loads of personal information they can sell or use for other fraudulent purposes.
How email spoofing attacks work
Email spoofing is used in phishing attacks and spam campaigns to trick recipients into opening and/or replying to an attacker’s solicitation.
The email header is forged to make it appear that the message comes from someone the recipient trusts who is different from the actual source.
Usually, the purpose of email spoofing is to acquire personal information like passwords or credit card numbers and/or to commit identity theft.
A fake email might even pretend to be from a retail business offering a link with a limited-time deal, which when clicked, downloads and installs malware on the recipient’s device.
In the case of business email compromise (BEC) attacks, email spoofing is used to send emails appearing to be from the CEO or CFO of a company requesting fraudulent wire transfers be sent to a supplier, also known as display name spoofing.
How domain spoofing attacks work
Domain spoofing is a common type of phishing scam where an attacker uses a company’s domain to impersonate the business or its employees.
Attackers send emails with fake domain names that seem real and create websites with imperceptibly altered characters to trick visitors into thinking they’re being sent to the correct site.
Usually, a spoofed email or website will have the logos, branding, and visual design of the legitimate business. Visitors are then guided to enter their financial details or other sensitive information that the attacker intercepts.
In the ad tech industry, domain spoofing allows a low-quality publisher to perpetrate ad fraud by disguising themself as a premium publisher on an ad exchange.
Fraudsters substitute a fake URL through ad networks to trick advertisers into thinking their bidding on a premium site for their ad to be served on, when in fact the ad is served on a different lower-quality website.
Domain spoofing can also be accomplished in more complex ways with bots. These bots can spoof a site’s URL so that when an ad reads the URL from the browser it reports back the spoofed URL to the advertiser.
Malware can also inject ads inside the pages of premium sites without the operator noticing while the fraudster collects the revenue.
What you can do to avoid spoofing attacks
Keeping your anti-malware software updated and training employees to be wary of social engineering tactics can go a long way towards preventing spoofing attacks. In addition, there are anti-spoofing solutions you can put in place to help avoid the various types of attacks.
How to prevent IP spoofing attacks
Making sure that as many computing resources as possible are behind a firewall is a good place to start in avoiding IP spoofing.
Your IT team can also monitor your networks for atypical activity, deploy packet filtering to detect outgoing packets with source IP addresses that don’t match your organization’s, use a network attack blocker and verification methods even with networked computers, and authenticate all IP addresses.
Your employees can lessen the risk of endangering your brand safety and falling prey to spoofing by only visiting sites that use secure encryption protocols like HTTPS.
How to prevent domain spoofing attacks
Domain or website spoofing has doubled in the last year, resulting in $1.3 billion in losses according to the 2019 Thales Access Management Index. It also has long-lasting negative effects on an organization’s reputation, consumer trust, and revenue.
This type of spoofing attack is popular because it’s almost impossible to detect until it’s too late.
As part of a larger phishing campaign, domain spoofing works on all browsers and can’t be avoided simply by using secure connections. The attacker can modify website pages and form submissions without the user discovering anything is amiss.
While domain registration monitoring and training employees to spot spoofing early before data is stolen can help, there are more advanced methods currently being created to shift the burden of detection from the victim to the attacker.
At Columbia University’s Computer Science and IDS Lab, deception technology is being created that focuses on early detection while providing actionable data for organizations.
In this strategy, the attacker is flooded with decoy credentials and information that are embedded with tracking mechanisms triggered when the attacker opens them.
This sends important information on the attacker to the organization and makes it difficult for the attacker to figure out what information is real and what isn’t.
How to prevent email spoofing attacks
Attackers are able to spoof a sender’s email address because Simple Mail Transfer Protocol (SMTP) doesn’t provide address authentication. Also, mail servers that are badly configured are without any email security protection against cybercriminals.
Many email platforms available from large tech companies like Microsoft and Google offer good spam detection but using email address authentication protocols can ensure better protection for businesses against email spoofing.
Organizations can adopt email address authentication mechanisms that work together to provide protection against email spoofing, such as the Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), DomainKeys Identified Mail (DKIM), and the Sender ID Framework (SIDF).
Today, the majority of organizations will experience a domain or other form of spoofing attack.
It’s not a matter of “if” but “when” so it pays to have the right spoofing protection solutions in place.
Additional Reading: HIPAA Compliant Email: The Definitive Guide
With real-time advanced threat protection features like patent-pending ExecProtect, Paubox Suite Plus can prevent dangerous spoofing attacks from reaching your inbox.