
Types of Spoofing Attacks

A spoofing attack is a type of cyber attack where a threat actor disguises their identity when contacting a potential victim.

In the spring of 2024, the FBI warned U.S. citizens of a spear phishing campaign by state-sponsored North Korean threat actors.

By exploiting an improperly configured email security protocol known as domain-based message authentication, reporting, and conformance (DMARC), the North Korean hackers bypassed safeguards that, when properly enabled and enforced, help protect email domains from unauthorized use. This allowed them to send spoofed emails over a months-long period, posing as and also targeting experts in academia, research, think tanks, and journalism, before being detected. As a precursor to social engineering and other types of attacks, threat actors regularly rely on identity-concealing spoofing techniques to advance the objectives of their attacks, be it credential theft, the installation and deployment of malware, data exfiltration, or even, as shown in this example, cyber espionage.

What is a Spoofing Attack?

A spoofing attack is a type of cyber attack where a threat actor disguises their identity when contacting a potential victim, so the contact appears legitimate. Threat actors use spoofing to establish a known or trusted identity with a target and, depending on an attack’s objectives, to subsequently gain access to information, launch malware, steal data, or carry out another malicious act. Spoofing attacks can be conducted using a large number of mediums, protocols, and systems, which we’ll cover more below.

How a Spoofing Attack Works

A variety of methods can be used as part of spoofing attacks, including spoofed emails that appear to be from a trusted source or text messages that claim to be from a known contact or organization, such as an IT help desk employee or a financial institution. If a target trusts the message, the threat actor is one step closer to advancing their attack and extracting what they desire: funds, access, data, and other valuable information.

The stages of a spoofing attack are:

1. A threat actor gains a way to communicate with the potential victim, be it through email, over the phone, through the spoofing of a frequented web page, or another means.

2. The threat actor crafts their spoofed communication, with the intention of gaining the trust of the potential victim – whether that be a human or a technical component of an environment.

3. If the victim falls for the spoof, the threat actor is able to advance their attack through social engineering like phishing or other means.

Like other forms of cyber attacks, spoofing attacks can be simple or sophisticated. The spam email claiming to be your bank is just as much a spoofing attack as the personalized text message from “IT” asking about a specific login to a known application.

Types of Spoofing Attacks

There are many types of spoofing attacks a threat actor can deploy, and often, these attacks are used in tandem to build trust or to gain further information from the target. As noted below, some spoofing attacks are more simplistic in nature, while others are highly technical and may be more difficult to detect.

1. Caller ID spoofing. Caller ID spoofing frequently relies on Voice over Internet Protocol (VoIP) technology or web-based spoofing platforms to intentionally falsify the phone number that is relayed to the target’s caller ID to make it appear that the call is coming from a different number. Bad actors will commonly use phone numbers associated with a specific person or entity, or a specific area code or geographical location to help increase the likelihood of a target answering. Emails sent via spoofed email addresses may be used in conjunction with voice calls to help add credibility to the scam.

2. Text message or SMS spoofing. This tactic involves a threat actor texting a target using a manipulated phone number designed to mimic a number that is legitimate or otherwise familiar to the target. The perceived legitimacy or familiarity of the number, and the caller or entity it is associated with, is a means to get the target to click a link, provide information, or take another action to advance an attack.

3. Domain spoofing. While domain spoofing and website spoofing (below) are sometimes used interchangeably, domain spoofing involves creating a domain name that, by design, resembles another commonly used and trusted domain. This can be accomplished by using letters or characters to mimic those used in the domain that is being copied. One example of this would be using two ‘v’s in place of a ‘w.’ The spoofed domain can then be used to create email addresses and websites that can be used as part of an attack.

4. Website spoofing. Website spoofing occurs when a threat actor creates a website that appears legitimate, with the purpose of advancing an attack by tricking a user into entering information or providing valuable data. Website spoofing is frequently used as part of phishing or smishing attacks, where the link provided directs targets to a forged website designed to steal login credentials or get users to download malicious code.

5. Email spoofing. In email spoofing attacks, the email header, which includes the sender’s name, address, and other fields, is forged with fraudulent information – enabling bad actors to mask their true identities and impersonate legitimate senders. Email spoofing attacks are possible because simple mail transfer protocol (SMTP), the protocol used in sending and receiving e-mail, was built without security when it was originally created. Spoofed emails take advantage of this missing security layer to manipulate email systems so that the fraudulent sender information appears in the recipient’s inbox. This type of spoofing is often used in phishing attacks and can be highly tailored to target specific individuals as part of spear phishing attacks.

6. IP address spoofing. With IP spoofing, the threat actor alters the source address in IP packets, making it look like the traffic is coming from a trusted source. A more technical form of spoofing, this type of attack seeks to avoid detection by IP monitoring software by hiding its source, enabling the attacker to bypass IP address-based security measures or impersonate a device. Because IP address spoofing masks an attacker’s identity, it is a technique that is frequently used in man-in-the-middle (MitM) attacks and DDoS attacks.

7. Address resolution protocol (ARP) spoofing. Also common in man-in-the-middle (MitM) attacks, ARP spoofing occurs when a threat actor tricks a device into sending data to them instead of the intended device or user. ARP spoofing occurs only on a local area network (LAN). If a threat actor has network access, deploying this technical attack can allow them to gain credentials, data, and other desired information to further their attack or achieve financial gain.

8. Domain name server (DNS) spoofing. Also called cache poisoning, this attack involves a threat actor spoofing a domain name by manipulating DNS cache, subsequently sending the user to their falsified website instead of to the intended domain. DNS spoofing can be used to facilitate phishing attacks where a user enters login credentials and other sensitive information on the falsified site.

9. GPS spoofing. This attack, often used to steer individuals or shipments off course, involves the threat actor transmitting a false radio signal to an antenna, hoping to counteract or override the current GPS signal. While this kind of spoofing is often confined to conflict zones or piracy attempts, it can have serious consequences. A version of this spoof has been used repeatedly against commercial aircraft in recent years.
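The character substitution described under domain spoofing (two ‘v’s in place of a ‘w’) can be detected by reducing each domain to a look-alike "skeleton" and comparing it with the skeletons of domains the organization trusts. This is an added example, not from the original article; it generalizes beyond the ‘vv’ case to a few other common substitutions, and the TRUSTED list and all sample domains are constructed.

```python
# Added example: flag domains whose look-alike "skeleton" matches a trusted domain.
# CONFUSABLES is a small illustrative table; TRUSTED holds constructed domains.

CONFUSABLES = [  # (look-alike sequence, character it imitates)
    ("vv", "w"),       # the substitution described in the article
    ("rn", "m"),
    ("0", "o"),
    ("1", "l"),
    ("\u0430", "a"),   # Cyrillic a
    ("\u0435", "e"),   # Cyrillic e
    ("\u043e", "o"),   # Cyrillic o
]

TRUSTED = ["wolfbank.example", "modern-payroll.example"]


def normalize(domain):
    """Lower-case the name and drop surrounding space and a trailing dot."""
    return domain.strip().rstrip(".").lower()


def skeleton(domain):
    """Collapse every look-alike sequence to the character it imitates."""
    s = normalize(domain)
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def find_lookalike(domain, trusted=TRUSTED):
    """Return the trusted domain being imitated, or None.

    Trusted names are reduced with the same table, so a legitimate name
    that itself contains "rn" or "vv" is still compared consistently.
    """
    d = normalize(domain)
    if d in trusted:
        return None  # exact match: the real domain, not an imitation
    index = {skeleton(t): t for t in trusted}
    return index.get(skeleton(d))


if __name__ == "__main__":
    for seen in ["vvolfbank.example", "w\u043elfbank.example",
                 "modem-payroll.example", "m0dern-payro11.example",
                 "WolfBank.example.", "unrelated.example"]:
        print(f"{seen!r:32} imitates {find_lookalike(seen)}")
```

Run against sender domains in mail logs or newly observed domains in DNS and proxy logs, a match is a lead for review rather than proof, since unrelated names can share a skeleton.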

The Connection Between Phishing and Spoofing Attacks

If spoofing attacks sound a lot like phishing, it’s because the two are closely related, with both using deception to exploit victims’ trust. However, there are key differences between the two.

Spoofing is generally more technical, focusing on impersonating legitimate sources by forging identity data and protocols. Phishing, on the other hand, goes beyond using a fraudulent identity and focuses on tricking recipients into divulging personal information or completing an action.

Because spoofing attacks are designed to quickly establish trust by impersonating a known contact or entity, spoofing serves as an effective precursor for advancing a social engineering attack. That is why spoofing is commonly used in tandem with phishing campaigns.

How to Prevent Spoofing Attacks

Because spoofing takes on multiple forms, organizations need a well-rounded approach to stopping these attacks. From the human-focused to the more technical, there are many steps an organization can take to both prevent these attacks and detect and respond to them in the early stages.

1. Employ frequent, timely security awareness training. Spoofing attacks target users, with bad actors hoping their targets believe they are interacting with a legitimate source, so humans need to be on the defensive against these attacks. By employing security awareness training that educates users on how these attacks work, trains them to spot them in the wild (such as always double-checking the URL or verifying the sender of a suspicious message), and tests their knowledge with phishing simulations, organizations can reduce their overall human risk and stop these attacks before they begin.

2. Implement multi-factor authentication (MFA) and other access controls across your network. If a user falls for a spoofing attack and goes on to hand over credentials to a threat actor as the attack advances, MFA and other access controls can serve as a fail-safe, stopping the attack in its tracks while alerting the organization that something suspicious is occurring. By preventing lateral movement, the organization can stop an attack from escalating while giving security teams time to investigate and respond.

3. Utilize email security tools. Having proper email security in place goes a long way in neutralizing email spoofing and phishing attacks. From simple organization-wide spam filters to more sophisticated solutions that can spot malicious links or messages and flag impersonations, there are tools available to help organizations increase their email security.

4. Enable a firewall and network security measures. These two defenses work in tandem to both prevent a threat actor from accessing a network, and prevent them from launching ARP spoofing attacks, MitM attacks, or even making lateral movement in the aftermath of a spoofing attack. Network security is paramount for preventing a multitude of sophisticated attacks, all of which could originate with access granted during a spoofing attack.

5. Invest in monitoring, detection, and response security solutions. In today’s evolving threat landscape, it’s impossible to expect an organization to stop every possible threat before it escalates or even reaches their environment. Cybersecurity is a team sport, and by working with a security solution that has eyes-on-glass 24×7, organizations are reducing their overall risk, knowing that if a spoofing attack is attempted, or even successful, their security teams will be alerted and ready to respond, fast.
