These Counter Spoofing Measures Will Keep You Safe
From cybercriminals who hope to trick you
What is spoofing
Spoofing is to cybersecurity what camouflage is to bugs and animals. It is a method malicious hackers use to disguise a fraudulent operation and make it seem genuine.
For instance, you’ll get a strange email that appears to come from your boss, but the attacker has spoofed the email address, so that it genuinely looks as if your boss is the one who sent it.
Caller ID spoofing is another popular scamming method, where the attacker disguises his real phone number behind a fake one.
Other times, the attack can be more technical. By spoofing a device’s IP address, an attacker gains access to a server or network that authenticates based on IP rather than on accounts and passwords.
How cybercriminals spoof email, and how to spot them
During an email spoofing attack, the malicious hacker disguises the “From” field so it displays a fake email address and sender name. This reinforces the receiver’s belief that the email must be genuine, even if its contents are strange and out of the ordinary.
They do this because email is very big (criminal) business. Phishing messages have a sky-high open rate, oftentimes even higher than legitimate ones.
But phishing and spam aren’t the only threats. In the past few years, a new high-level scam has taken root. Called Business Email Compromise (BEC for short) or whaling, this type of scam targets high-level execs who control company budgets and can move money around.
Basically, the attacker pretends to be a work colleague, or even the target’s boss, and asks that a payment be made to a certain account. If the target is in the habit of making such payments, and sees the spoofed sender address, he will probably comply.
To give you an idea of how successful these scams are, a Lithuanian malicious hacker once managed to extract $200 million from Google and Facebook.
How malicious hackers can spoof an email address
Email spoofing is possible because of limitations in SMTP (Simple Mail Transfer Protocol), the technology responsible for delivering emails from one person to another.
SMTP’s limitation is that it doesn’t verify whether the email address in the “From” field is genuine.
Normally, even your own computer could act as an SMTP server and send spoofed emails. However, ISPs have caught on to this tactic, so they block port 25, the port used for sending email. But there’s an easy way around this.
If a malicious hacker wants to spoof an email, all he has to do is use any one of the free online SMTP services, write up the email, type his desired email address in the “From” field and click send. Or he might use a dedicated email spoofer program.
It doesn’t matter that he doesn’t actually own the email address, since the SMTP server won’t bother verifying it.
However, if the person who received the email replies, the reply goes to the inbox of the real owner of the address, not to the malicious hacker. That doesn’t matter much to the spoofer, as long as you click the link or perform the action requested in the initial email.
How to spot spoofed emails as a user
1. Check the sender’s name and address
This won’t help every time, but it will at least weed out malicious hackers who use email addresses similar to the one they attempt to impersonate. For instance, they might use email@example.com or even stranger derivations.
2. Gmail users can look at the mailed-by, signed-by and encryption fields
Gmail offers a useful and easy-to-use feature that lets you see whether an email is genuine or not.
All you have to do is to open up the email, and then click on the dropdown arrow underneath the sender’s name.
Next, look at the mailed-by and signed-by fields. If they are present, there’s a high chance the email is genuine.
If there’s a mailed-by field, the email passed an SPF check; if there’s a signed-by field, the email was signed with DKIM. We’ll give a really quick overview of SPF and DKIM a bit later on.
Most banks and major companies will go to great lengths to ensure their infrastructure is safe, so they will have these verification methods in place to counteract spoofing.
3. Here’s how to check for SPF and DKIM in Yahoo
Yahoo also offers an easy way (if not as clean and elegant as Gmail’s) to check whether an email is legit and coming from the real source.
First, open the email that interests you, then click the “Actions” button, represented by the three dots. Next, click “View Raw Message”.
You will be taken to a different page full of raw message text in a monospace font. If you can’t find them easily, we suggest you use the search function and look for the SPF and DKIM results in the message headers.
If both of these are a “pass”, then the email is legit.
4. If the request seems strange, send a reply asking for confirmation
This takes advantage of the fact that replies to spoofed emails go to the real owner of the address, not the spoofer. Mind you, the spoofed address has to be identical to the real one.
For example, the malicious hacker impersonates the email address of your good friend Andrew Bob: firstname.lastname@example.org. He sends you an email asking for a $50,000 loan. You know from past experience that this is actually Andrew’s real address, so you send him a reply asking if the request is real. This reply goes into Andrew Bob’s inbox, not the spoofer’s.
If he replies and says yes, you’ll have to consider whether Andrew Bob can ever hope to repay you $50,000, or whether his account got hacked.
If he says he never requested $50,000 from you, then it’s highly likely someone spoofed his email address.
However, if the sender address is a look-alike such as email@example.com (notice the 0 in “company”), then your reply will land in the malicious hacker’s inbox.
For this reason, it’s extremely important to check whether the email address is genuine or not.
5. Don’t fully trust the “From” field
Simply being aware that it’s possible for someone to fake an email address should be enough to make you suspicious of strange emails coming from friends, relatives or work colleagues.
How to prevent email spoofing as a website owner or admin
Having someone else spoof your company’s email address is bad for business, whether through direct losses or brand damage.
Fortunately, there are a few measures you can take to prevent this threat, even for smaller sites belonging to bloggers or SMBs.
1. Implement SPF
Short for Sender Policy Framework, SPF checks whether the email sender’s domain name (the @gmail.com part) comes from a designated set of servers and IPs that are allowed to send email for that domain.
The SPF check first looks at the email domain, and after that at the IP of the device that sent it. If the sending device wasn’t authorized, the email fails the SPF check and is marked as “fake”. The receiver’s email client then reads this “fake” marking and either blocks the email or sends it to the spam folder.
If the receiver hasn’t properly set up his email client, however, he will miss the “fake” marking and let the message through.
Here’s how you can set up an SPF record for a domain.
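To make the SPF check above concrete, here is an added example (not code from the original article) that evaluates a sending IP against SPF records. The DNS records are constructed and held in a dictionary, an assumption standing in for real TXT lookups; it covers ip4/ip6, include and all mechanisms only.

```python
import ipaddress

# Constructed DNS TXT records (an assumption, not real zone data), keyed by domain.
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, sender_ip, depth=0):
    """Return the SPF result for sender_ip sending on behalf of domain.

    Handles ip4/ip6 and include mechanisms plus the 'all' catch-all; other
    mechanisms (a, mx, exists, redirect) are out of scope for this example.
    """
    if depth > 10:                      # RFC 7208 caps DNS-querying terms at 10
        return "permerror"
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"                 # an unprefixed mechanism means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith(("ip4:", "ip6:")):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include: matches only when the included domain's record yields "pass"
            if check_spf(term[8:], sender_ip, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
    return "neutral"                    # no matching term and no 'all': default


def spf_disposition(result):
    """What a receiving mail server typically does with each SPF result."""
    return {"pass": "accept", "fail": "reject",
            "softfail": "accept but mark as suspicious"}.get(result, "accept")
```

Note that a softfail from an included domain does not count as a match, which is why the third address below ends up at the outer "-all".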
2. Setup Domain Keys Identified Mail
This security method signs emails leaving your domain with a key pair whose public key is published in DNS.
This signature acts as a seal of proof that the signed details, including the “From” section, are legitimate and haven’t been tampered with.
Unfortunately, DKIM has its weaknesses as well. For instance, a malicious attacker can reuse only the signed part of the email (the “From” section), attach malicious content in the unsigned part of the email, and then send it over to the target. This is basically a classic replay attack.
Here’s how you can implement DKIM on a wide variety of the most popular domain providers out there.
3. DMARC, a combination of SPF and DKIM
DMARC is short for Domain-based Message Authentication, Reporting and Conformance (yes, it’s a huge mouthful).
It aims to combine the best of SPF and DKIM into one single policy, and then adds extra functionality such as monitoring emails, quarantining them and rejecting messages.
Here’s how you can implement a DMARC policy for your website.
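The “View Raw Message” check described earlier and the DMARC policy just described come together in one added example (not code from the original article): it reads the SPF and DKIM results from a raw message’s Authentication-Results header, checks that the passing domain aligns with the “From” domain, and applies the domain’s DMARC policy. The DMARC record, the raw message and the mail server name are all constructed assumptions; the organizational-domain helper is a simplification of what real DMARC does with the public suffix list.

```python
import re
from email.parser import Parser

# Constructed DMARC TXT record for example.com (an assumption, not live DNS).
DMARC_RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=s; rua=mailto:dmarc@example.com",
}

# Constructed raw message, as it would appear under "View Raw Message".
RAW_MESSAGE = """\
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=bounce.example.com;
 dkim=pass header.d=example.com
From: "Accounts" <accounts@example.com>
Subject: Invoice

Please wire the payment today.
"""


def org_domain(domain):
    """Crude organizational domain: the last two labels (real DMARC uses the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw):
    """Return (from_domain, disposition) where disposition is pass/none/quarantine/reject."""
    msg = Parser().parsestr(raw)
    from_domain = re.search(r"@([\w.-]+)", msg["From"]).group(1)
    auth = " ".join(msg["Authentication-Results"].split())   # unfold the header
    spf_ok = re.search(r"spf=pass smtp\.mailfrom=([\w.-]+)", auth)
    dkim_ok = re.search(r"dkim=pass header\.d=([\w.-]+)", auth)
    record = DMARC_RECORDS.get("_dmarc." + org_domain(from_domain), "")
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return from_domain, "none"              # no policy published for this domain
    # DMARC passes if at least one of SPF or DKIM passes AND aligns with From.
    passes = (spf_ok and aligned(spf_ok.group(1), from_domain, tags.get("aspf", "r"))) or \
             (dkim_ok and aligned(dkim_ok.group(1), from_domain, tags.get("adkim", "r")))
    return from_domain, "pass" if passes else tags.get("p", "none")
```

In the constructed message SPF passes but on an unaligned bounce domain under strict aspf, so it is the aligned DKIM signature that carries the DMARC pass; flip DKIM to fail and the p=reject policy applies.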
An added benefit of implementing these security features is that email providers will have more trust in your domain.
Since you cut down on spammers and impersonators, email providers such as Gmail or Yahoo understand that messages coming out of your domain are the real deal, so there’s a smaller chance of them landing in the spam folder.
Needless to say, that’s a good added bonus, regardless of what you’re using your domain for!
Phone caller ID spoofing
This spoofing method disguises your phone number behind a fake one. The person who receives the call will believe that someone else is calling them. Fortunately, there are a few apps you can use to identify phone spoofers, one of which is included below.
This technique is widely available today and very much legal. In the USA alone there are dozens of companies that offer caller ID spoofing services. It is only a crime if the spoofer uses it to defraud victims.
Why it’s dangerous
This type of spoofing is particularly dangerous when used against banks and other institutions that can’t recognize a user by voice.
A scammer that knows your date of birth, social security number and address can spoof your number, contact your bank, pass the quick security questions, and impersonate you. At this point, he can modify your credentials and even directly access your account.
In another case, the scammer might pretend to be customer support from a certain company, such as Microsoft, and try to extract money from the victim.
One of the more famous uses of this method is “swatting”. Basically, the scammer spoofs a phone number and then calls in a SWAT team to raid the target’s house. As incredible as it may seem, this has happened often enough that there are online compilations of the phenomenon.
How they do it
Not only is this spoofing method widely available, it is also easy to do. Spoofcard, for instance, uses a simple app for Android or iOS where all you have to do is provide the phone number you’re calling from, the phone number you wish to call, and the number you want the receiver to see. That’s it.
And there are countless more companies like Spoofcard that offer these kinds of services.
How to protect yourself from caller ID spoofing
Unfortunately, there aren’t many technical measures you can employ to prevent this type of spoofing, so you will mostly have to rely on your wits to dodge spam callers.
The first step in protecting yourself against this type of threat is to know that it’s possible. Be suspicious of any call you may receive that has strange requests that seem out of the ordinary for that company.
Other than that, here are a few more basic tips and tricks you should follow:
1. Google the phone number, and see if it’s associated with previous scams.
It won’t always turn up relevant data, but it’s a good starting point that is easy to execute.
2. Hang up and call the number yourself
The person who spoofs the phone number doesn’t actually own it; he merely uses it as a cover. If you call the number yourself, you will be put through to the real owner, not the spoofer.
3. Use Trapcall in case of repeated calls
Trapcall is a paid service that works to reveal the true identity of a caller, blacklist users and even record calls. While not foolproof, it can be a valid starting point for any person spammed by fake callers.
4. Notify the police
If the caller keeps harassing you, even when you block his number, then you should consider filing a police complaint. With their help, your telephone provider should be able to provide you with the real phone number and identity of a caller. After this, you can take appropriate measures against the caller.
IP spoofing
This is a more technical version of spoofing, one that seeks to impersonate your device rather than your personal credentials. It is an important component in many types of cyber attacks.
Gaining access to a computer network
IP spoofing is often used against computer networks, where accounts aren’t the primary login method.
For example, say you have several work computers that all log onto the same server. The server knows these computers and has their IPs in a database of allowed devices, so it grants access to a computer simply because it recognizes its IP, without requiring extra login steps such as an account and password.
By spoofing an IP, an attacker disguises himself as a known computer and can then access the network without providing login information.
Increasing the potency of DDoS attacks
DDoS attackers might also employ this method to increase the potency of their denial-of-service attacks. It takes more resources for a device to process traffic coming from many IPs than from a single one, so mass-spoofing IP addresses increases the processing load on the victim.
Blind IP and session hijacking attacks
This spoofing method is called “blind” because the spoofer only knows what information he is sending to the target; he doesn’t know what information the target sends back.
Just as with phone spoofing and email spoofing, the attacker uses the spoofed IP as a mask; he doesn’t own it. So any information the target sends goes to the original, legitimate IP, not to the spoofer.
Because of this, the attacker doesn’t actually know what’s included in the data packets the target sends out.
However, like in a game of Battleships, a malicious hacker can guess what sort of information the target wants, and then send him that exact data packet.
Man-in-the-middle attacks
During a man-in-the-middle attack, the malicious hacker places himself between two devices that communicate with each other.
The prototypical example of this is interception of data sent between a smartphone and an open Wi-Fi router. In this case, the attacker effectively listens in on the data exchanged between the two devices. In the worst cases, he can even take outright control of the target’s smartphone.
The attacker does this by spoofing the smartphone’s IP and then communicating directly with the Wi-Fi router.
How to protect yourself from IP spoofing
Protecting yourself from IP spoofing is a difficult feat to accomplish, since the malicious hacker takes advantage of IT infrastructure weaknesses that you simply do not have control over.
Still, here are a few things you do control, and a few more good security practices you can follow:
1. On your Wi-Fi router, apply ingress and egress filtering
Ingress filtering is a defensive technique that ensures incoming data packets actually come from their claimed source and aren’t spoofed.
Egress filtering, on the other hand, verifies that data packets leaving your network are authorized to do so. It can look at a number of things, such as destination, communication protocol and so on.
Here’s a quick guide on how to apply ingress and egress filtering on TP-LINK routers. Other wireless equipment vendors should provide a similar option.
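As an added example (not from the article or from any router vendor’s firmware), the logic a router’s anti-spoofing filter applies on its WAN and LAN interfaces, in the style of BCP 38: the LAN prefix, the interface names and the sample packets are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

# Constructed topology: one LAN prefix behind a home router (an assumption).
LAN = ipaddress.ip_network("192.168.1.0/24")
# Source ranges that must never arrive from the Internet side (RFC 1918, loopback, "this" network).
BOGONS = [ipaddress.ip_network(n) for n in
          ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "0.0.0.0/8")]

Packet = namedtuple("Packet", "iface src dst")   # iface is 'wan' or 'lan'


def filter_packet(pkt):
    """Return ('accept' | 'drop', reason) for one packet.

    Ingress (arriving on WAN): drop anything claiming a LAN or bogon source.
    Egress (leaving from LAN): drop anything whose source is not one of ours.
    """
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan":
        if src in LAN:
            return "drop", "ingress: outside packet claims an inside source"
        if any(src in net for net in BOGONS):
            return "drop", "ingress: bogon/private source address"
        return "accept", "ingress: source plausible"
    if pkt.iface == "lan":
        if src not in LAN:
            return "drop", "egress: source not in our LAN (possible spoofing)"
        return "accept", "egress: source is ours"
    return "drop", "unknown interface"


def apply_filter(packets):
    """Run the filter over a batch of packets and return the verdicts in order."""
    return [filter_packet(p)[0] for p in packets]


# Constructed sample traffic: one spoofed inbound packet, one spoofed outbound, two legitimate.
SAMPLE = [
    Packet("wan", "192.168.1.20", "192.168.1.1"),   # Internet packet pretending to be a LAN host
    Packet("lan", "203.0.113.9", "198.51.100.5"),   # infected LAN host forging a foreign source
    Packet("wan", "198.51.100.5", "192.168.1.20"),  # normal reply from the Internet
    Packet("lan", "192.168.1.20", "198.51.100.5"),  # normal outbound request
]
```

The egress rule is what stops your own network from being used as a source of spoofed DDoS traffic, which is why both directions matter.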
2. Encrypt your Wi-Fi network
In other words, set a password to prevent anyone from spoofing your IP and hijacking your data.
Also, be sure to change the default password of your router. Many of these are left at their factory defaults, so if a malicious hacker gets his hands on the default password list for these routers, he can brute-force your wireless password.
A strong password should be at least 10 characters long, contain a special character (such as * or %), a number, and both an uppercase and lowercase letter.
3. Use a traffic filtering option
Modern traffic filtering solutions scan your incoming and outgoing traffic, looking for suspicious signs such as malware or data leaks. If they find malicious communication that’s trying to leak confidential data, they act to stop it and block the data from reaching cybercriminal servers and other infrastructure.
Spoofing is one of the most frequent types of threat you’ll find on the Internet. Bad guys are constantly coming up with new technical ways to spoof an IP or email, and also create highly believable scams and tricks to make you part with your money or personal data.
If you’ve ever witnessed or suffered such a spoofing attack, let us know in the comments and we might include it in our article!