What is spoofing?
"I am serious. And don't call me Shirley."
Yes, it's the famous line from the endlessly quotable 1980 film, Airplane. Films like Airplane, Spaceballs, and The Naked Gun, and songs from "Weird Al" Yankovic and Flight of the Conchords, are all spoofs. Spoofs imitate other movies, artists, and genres for comedic effect, and we love them for it. But there's another kind of spoof, and it's designed to hurt us, rather than entertain us.
Spoofing, as it pertains to cybersecurity, is when someone or something pretends to be something else in an attempt to gain our confidence, get access to our systems, steal data, steal money, or spread malware. Spoofing attacks come in many forms, primarily:
- Email spoofing
- Website and/or URL spoofing
- Caller ID spoofing
- Text message spoofing
- GPS spoofing
- Man-in-the-middle attacks
- Extension spoofing
- IP spoofing
- Facial spoofing
So how do the cybercriminals fool us? Oftentimes, merely invoking the name of a big, trusted organization is enough to get us to give up information or take some kind of action. For example, a spoofed email from PayPal or Amazon might inquire about purchases you never made. Concerned about your account, you might be motivated to click the included link.
There are many more ways a spoofing attack can play out. In all of them, fraudsters rely on the naiveté of their victims. If you never doubt the legitimacy of a website and never suspect an email of being faked, then you're likely to become a victim of a spoofing attack at some point.
To that end, this article is all about spoofing. We'll educate you on the types of spoofs, how spoofing works, how to discern legitimate emails and websites from fake ones, and how to avoid becoming a target for fraudsters.
Now, let's get serious about spoofing.
Types of spoofing
Email spoofing. Strictly speaking, email spoofing is the act of sending emails with false sender addresses, usually as part of a phishing attack designed to steal your information, infect your computer with malware or just ask for money. Typical payloads for malicious emails include ransomware, adware, cryptojackers, Trojans (like Emotet), or malware that enslaves your computer in a botnet (see DDoS).
But a spoofed email address isn't always enough to fool the average person. Imagine getting a phishing email with what looks like a Facebook address in the sender field, but the body of the email is written in basic text, no design or HTML to speak of—not even a logo. That's not something we're accustomed to receiving from Facebook, and it should raise some red flags. Accordingly, phishing emails will typically include a combination of deceptive features:
- False sender address designed to look like it's from someone you know and trust—possibly a friend, coworker, family member, or company you do business with. In a recent twist, a bug in Gmail allows scammers to send emails with no sender address—at least not one your average user can see. It takes some technical know-how to see the malicious string of code used to make the "From" field appear blank.
- In the case of a company or organization, the email may include familiar branding; e.g. logo, colors, font, call to action button, etc.
- Spear phishing attacks target an individual or small group within a company and will include personalized language and address the recipient by name.
- Typos—lots of them. Try as they might to fool us, email scammers don't spend much time proofreading their own work. Email spoofs often have typos—or worse. If the email looks like someone translated the text through Google Translate, chances are it was. Be wary of unusual sentence constructions. Here's an example: "Greetings sir. If you please, make certain this data is well and good." Bizarre sentences like that should give you a reason to be suspicious, unless big tech companies are hiring time-travelling writers from the Victorian era.
Email spoofing plays a critical role in sextortion scams. These scams trick us into thinking our webcams (which have been around for 25 years, can you believe it?) have been hijacked with spyware and used to record us watching porn. These spoofed emails will say something like "I've been watching you watch porn," which is an incredibly weird thing to say. Who's the real creep in this scenario? The scammers then demand some amount of Bitcoin or else they will send the video to all your contacts. To create the impression of legitimacy the emails will also include an outdated password from some previous data breach. The spoof comes into play when the scammers disguise the email sender field to look as if it's being sent from your supposedly breached email account. Rest assured, chances are no one is actually watching you.
Website spoofing is all about making a malicious website look like a legitimate one. The spoofed site will look like the login page for a website you frequent—down to the branding, user interface, and even a spoofed domain name that looks the same at first glance. Cybercriminals use spoofed websites to capture your username and password (aka login spoofing) or drop malware onto your computer (a drive-by download). A spoofed website will generally be used in conjunction with an email spoof, in which the email will link to the website.
It's also worth noting that a spoofed website isn't the same as a hacked website. In the case of a website hacking, the real website has been compromised and taken over by cybercriminals—no spoofing or faking involved. Likewise, malvertising is its own brand of malware. In this case, cybercriminals have taken advantage of legitimate advertising channels to display malicious ads on trusted websites. These ads secretly load malware onto the victim's computer.
Caller ID spoofing
Caller ID spoofing happens when scammers fool your caller ID by making the call appear to be coming from somewhere it isn't. Scammers have learned that you're more likely to answer the phone if the caller ID shows an area code the same or near your own. In some cases, scammers will even spoof the first few digits of your phone number in addition to the area code to create the impression that the call is originating from your neighborhood (aka neighbor spoofing). As it happens, Malwarebytes for Android and Malwarebytes for iOS block incoming scam calls, making caller ID spoofing a thing of the past.
Text message spoofing
Text message spoofing or SMS spoofing is sending a text message with someone else's phone number or sender ID. If you've ever sent a text message from your laptop, you've spoofed your own phone number in order to send the text, because the text did not actually originate from your phone. Companies frequently spoof their own numbers, for the purposes of marketing and convenience to the consumer, by replacing the long number with a short and easy to remember alphanumeric sender ID. Scammers do the same thing—hide their true identity behind an alphanumeric sender ID, often posing as a legitimate company or organization. The spoofed texts will often include links to SMS phishing sites (smishing) or malware downloads.
Text message scammers are now taking advantage of the healthy job market by posing as staffing agencies, sending victims too-good-to-be-true job offers. In one example, a work-from-home position at Amazon included a "Brand new Toyota Corrola." First of all, why does one need a company car if they're working from home? Second, is a Toyota "Corrola" a generic version of the Toyota Corolla? Nice try, scammers.
GPS spoofing occurs when you trick your device's GPS into thinking you're in one location, when you're actually in another location. Why on Earth would anyone want to GPS spoof? Two words: Pokémon GO. Using GPS spoofing, Pokémon GO cheaters are able to make the popular mobile game think they're in proximity to an in-game gym and take over that gym (winning in-game currency). In fact, the cheaters are actually in a completely different location—or country. Similarly, videos can be found on YouTube showing Pokémon GO players catching various Pokémon without ever leaving their house. While GPS spoofing may seem like child's play, there are other more nefarious implications to consider. By some accounts, Russia is already using GPS spoofing to misdirect naval vessels as a trial run for future cyberwarfare attacks on United States aerial drones. Hitting closer to home, hackers could even spoof the GPS in your car and send you to the wrong destination, or worse, send you into oncoming traffic.
Man-in-the-middle (MitM) attack
Man-in-the-middle (MitM) attack. You like that free Wi-Fi at your local coffee shop? Have you considered what would happen if a cybercriminal hacked the Wi-Fi or created another fraudulent Wi-Fi network in the same location? In either case, you have a perfect setup for a man-in-the-middle attack, so named because cybercriminals are able to intercept web traffic between two parties. The spoof comes into play when the criminals alter the communication between the parties to reroute funds or solicit sensitive personal information like credit card numbers or logins.
Side note: While MitM attacks usually intercept data in the Wi-Fi network, another form of MitM attack intercepts the data in the browser. This is called a man in the browser (MitB) attack.
Extension spoofing occurs when cybercriminals need to disguise executable malware files. One common extension spoofing trick criminals like to use is to name the file something along the lines of "filename.txt.exe". The criminals know file extensions are hidden by default in Windows, so to the average Windows user this executable file will appear as "filename.txt".
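As an added illustration (not code from the original article), here is a small Python check that reproduces what File Explorer shows when extensions are hidden and flags attachment names whose real, final extension is executable while the visible part ends in a document extension. The extension lists are a constructed subset for this example.

```python
from pathlib import PurePath

# Constructed lists for this example: what Windows will run as a program or
# script, versus what a user expects to open as harmless data.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".ps1", ".msi", ".hta"}
DOCUMENT_EXTS = {".txt", ".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg",
                 ".png", ".zip", ".mp3"}


def displayed_name(filename: str) -> str:
    """Name File Explorer shows with 'Hide extensions for known file types' on:
    the final extension is dropped, so 'filename.txt.exe' appears as 'filename.txt'."""
    p = PurePath(filename)
    return p.stem if p.suffix else filename


def is_spoofed_extension(filename: str) -> bool:
    """True when the real (last) extension is executable but the name the user
    sees ends in a document-style extension, e.g. 'invoice.pdf.exe'."""
    suffixes = [s.strip().lower() for s in PurePath(filename).suffixes]
    if len(suffixes) < 2:
        return False          # single extension: nothing is being hidden behind it
    real, shown = suffixes[-1], suffixes[-2]
    return real in EXECUTABLE_EXTS and shown in DOCUMENT_EXTS


def audit(filenames) -> list:
    """For each name: (real name, what Windows displays, spoofed?)."""
    return [(n, displayed_name(n), is_spoofed_extension(n)) for n in filenames]


if __name__ == "__main__":
    # Constructed sample attachment names.
    for row in audit(["filename.txt.exe", "report.pdf", "setup.exe", "archive.tar.gz"]):
        print(row)
```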
IP spoofing is used when someone wants to hide or disguise the location from which they're sending or requesting data online. As it applies to cyberthreats, IP address spoofing is used in distributed denial of service attacks (DDoS) to prevent malicious traffic from being filtered out and to hide the attacker's location.
Facial spoofing. The latest form of spoof might be the most personal, because of the implications it carries for the future of technology and our personal lives. As it stands, facial ID technology is fairly limited. We use our faces to unlock our mobile devices and laptops, and not much else. Soon enough though, we might find ourselves making payments and signing documents with our faces. Imagine the ramifications when you can open up a line of credit with your face. Scary stuff. Researchers have demonstrated how 3D facial models built from your pictures on social media can already be used to hack into a device locked via facial ID. Taking things a step further, the Malwarebytes Labs blog reported on deepfake technology being used to create fake news videos and fake sex tapes, featuring the voices and likenesses of politicians and celebrities, respectively.
News on spoofing
- Scammers are spoofing bank phone numbers to rob victims
- Phishers spoof reliable cybersecurity training company to garner clicks
- Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings
- When three isn't a crowd: Man-in-the-Middle (MitM) attacks explained
- Lesser known tricks of spoofing extensions
How does spoofing work?
Okay, so we've explored the various forms of spoofing and glossed over the mechanics of each. In the case of email spoofing, however, there's a bit more worth going over. There are a few ways cybercriminals are able to hide their true identity in an email spoof. The most foolproof option is to hack an insecure mail server. In this case the email is, from a technical standpoint, coming from the purported sender.
The low-tech option is simply to put whatever address they like in the "From" field. The only problem is that if the victim replies, or the email cannot be delivered for some reason, the response goes to whoever is listed in the "From" field, not to the attacker. Spammers commonly use this technique, borrowing legitimate addresses to get past spam filters. If you've ever received responses to emails you never sent, this is one possible reason why, the other being that your email account has been hacked. This is called backscatter or collateral spam.
Another common way attackers spoof emails is by registering a domain name similar to the one they're trying to spoof, in what's called a homograph attack or visual spoofing. For example, "rna1warebytes.com". Note the use of the number "1" instead of the letter "l", and of the letters "r" and "n" side by side to fake the letter "m". This has the added benefit of giving the attacker a domain they can use to create a spoofed website.
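The homograph trick above can be checked mechanically. The following Python example is added here and is not part of the original article; the trusted-domain list and the confusable-character table are constructed for the example. It reduces a domain to a "skeleton" in which look-alike sequences are replaced by the letter they imitate, so "rna1warebytes.com" collapses to "malwarebytes.com", and applies the same test to the domain found in an email's From: header.

```python
from email.utils import parseaddr

# Constructed allow-list of domains the reader actually does business with.
TRUSTED_DOMAINS = {"malwarebytes.com", "paypal.com", "amazon.com"}

# Character sequences that look alike in common fonts, mapped to the glyph they
# imitate. Two-character entries come first so "rn" collapses to "m" before the
# single characters are examined.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
               ("1", "l"), ("0", "o"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to its visual skeleton, e.g. 'rna1warebytes.com' -> 'malwarebytes.com'."""
    s = domain.lower().strip().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def classify_domain(domain: str) -> str:
    """'trusted' if the domain is exactly on the allow-list, 'lookalike' if it
    merely resembles one after skeletonising, otherwise 'unknown'.
    Only whole domains are compared; subdomains are not reduced to a parent."""
    domain = domain.lower().strip()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    if skeleton(domain) in {skeleton(t) for t in TRUSTED_DOMAINS}:
        return "lookalike"
    return "unknown"


def check_from_header(from_header: str) -> dict:
    """Split an RFC 5322 From: header into display name and address, then judge
    the address's domain. A display name that name-drops a trusted brand while
    the address domain is not trusted is reported as 'brand_mismatch'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    verdict = classify_domain(domain)
    brand_in_name = any(t.split(".")[0] in display.lower() for t in TRUSTED_DOMAINS)
    return {"display": display, "address": addr, "domain": domain,
            "verdict": verdict, "brand_mismatch": brand_in_name and verdict != "trusted"}
```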
Whatever the spoof may be, it's not always enough to just throw a fake website or email out into the world and hope for the best. Successful spoofing requires a combination of the spoof itself and social engineering. Social engineering refers to the methods cybercriminals use to trick us into giving up personal information, clicking a malicious link, or opening a malware-laden attachment. There are many plays in the social engineering playbook. Cybercriminals are counting on the vulnerabilities we all carry as human beings, such as fear, naiveté, greed, and vanity, to convince us to do something we really shouldn't be doing. In the case of a sextortion scam, for instance, you might send the scammer Bitcoin because you fear your proverbial dirty laundry being aired out for everyone to see.
Human vulnerabilities aren't always bad either. Curiosity and empathy are generally good qualities to have, but criminals love to target people who exhibit them. Case in point, the stranded grandchildren scam, in which a loved one is allegedly in jail or in the hospital in a foreign country and needs money fast. An email or text might read, "Grandpa Joe, I've been arrested for smuggling drugs in [insert name of country]. Please send funds, oh and btw, don't tell mom and dad. You're the best [three happy face winking emojis]!" Here the scammers are counting on the grandparent's general lack of knowledge about where his grandson is at any given time.
History of spoofing
There's nothing new about spoofing. In fact, the word "spoof" as a form of trickery goes back over a century. According to the Merriam-Webster online dictionary, the word "spoof" is attributed to 19th century English comedian Arthur Roberts, in reference to a game of trickery and deception of Roberts' creation. The rules of the game have been lost to time. We can only guess the game wasn't very fun, or the Brits of the time didn't like being goofed on. Whatever the case may be, the name stuck even though the game didn't.
It wasn't until the early 20th century that "spoof" became synonymous with parody. For several decades, whenever someone mentioned "spoof" or "spoofing" it was in reference to something funny and positive, like the latest film spoof from Mel Brooks or comedy album from "Weird Al" Yankovic.
Today, spoofing is most often used when talking about cybercrime. Whenever a scammer or cyberthreat pretends to be someone or something they're not, it's spoofing.
How do I detect spoofing?
Here are the signs you're being spoofed. If you see these indicators, hit delete, click the back button, close out your browser, do not pass go.
- No lock symbol or green bar. All secure, reputable websites need to have an SSL certificate, which means a third-party certificate authority has verified that the web address actually belongs to the organization presenting it. One thing to keep in mind: SSL certificates are now free and easy to obtain, so while a site may have a padlock, that doesn't mean it's the real deal. Just remember, nothing is 100 percent safe on the Internet.
- The website is not using encryption. HTTP, or Hypertext Transfer Protocol, is as old as the Internet and refers to the rules used when sharing files across the web. Legitimate websites will almost always use HTTPS, the encrypted version of HTTP, when transferring data back and forth. If you're on a login page and you see "http" as opposed to "https" in your browser's address bar, you should be suspicious.
- Use a password manager. A password manager like 1Password will autofill your login credentials for any legitimate website you save in your password vault. However, if you navigate to a spoofed website your password manager will not recognize the site and not fill in the username and password fields for you—a good sign you're being spoofed.
- Double-check the sender's address. As mentioned, scammers will register fake domains that look very similar to legitimate ones.
- Google the contents of the email. A quick search might be able to show you if a known phishing email is making its way around the web.
- Embedded links have unusual URLs. You can check URLs before clicking by hovering over them with your cursor.
- Typos, bad grammar, and unusual syntax. Scammers don't proofread their work.
- The contents of the email are too good to be true.
- There are attachments. Be wary of attachments—particularly when coming from an unknown sender.
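Two of the checks in the list above, the hover check on embedded links and the "http" versus "https" check, can be run over the HTML of a suspicious email before anything is clicked. This Python example is added here and is not from the original article; the email body it parses is a constructed sample, not a real message.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL or bare domain, lowercased ('' if there is none)."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Visible link text that itself reads as a web address (what a hover check compares)."""
    return "." in text and " " not in text and not text.startswith(".")


def audit_links(html: str) -> list:
    """Return (href, text, issues) for each link; 'issues' is empty for a clean link."""
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        issues = []
        if urlparse(href).scheme == "http":           # plain HTTP: no encryption at all
            issues.append("unencrypted")
        if looks_like_url(text) and host_of(text) != host_of(href):
            issues.append("text-href mismatch")        # what you see is not where you go
        results.append((href, text, issues))
    return results


# Constructed sample of a phishing-style email body (not from a real message).
SAMPLE_EMAIL = """<p>We noticed unusual activity on your account.</p>
<a href="http://rna1warebytes.com/login">https://www.paypal.com/signin</a>
<p>Or visit our <a href="https://www.paypal.com/help">Help Center</a>.</p>"""
```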
Caller ID spoofing
- Caller ID is easily spoofed. It's a sad state of affairs when our landlines have become a hotbed of scam calls. It's especially troubling when you consider that the majority of people who still have landlines are the elderly—the group most susceptible to scam calls. Let calls to the landline from unknown callers go to voicemail or the answering machine.
How can I protect against spoofing?
First and foremost, you should learn how to spot a spoofing attack. In case you skipped over the "How do I detect spoofing?" section you should go back and read it now.
Turn on your spam filter. This will stop the majority of spoofed emails from ever making it to your inbox.
Don't click on links or open attachments in emails if the email is coming from an unknown sender. If there's a chance the email is legitimate, contact the sender through some other channel and confirm the contents of the email.
Log in through a separate tab or window. If you get a suspicious email or text message, requesting that you log in to your account and take some kind of action, e.g., verify your information, don't click the provided link. Instead, open another tab or window and navigate to the site directly. Alternatively, log in through the dedicated app on your phone or tablet.
Pick up the phone. If you've received a suspicious email, supposedly from someone you know, don't be afraid to call or text the sender and confirm that they, indeed, sent the email. This advice is especially true if the sender makes an out-of-character request like, "Hey, will you please buy 100 iTunes gift cards and email me the card numbers? Thanks, Your Boss."
Show file extensions in Windows. Windows does not show file extensions by default, but you can change that setting by clicking the "View" tab in File Explorer, then checking the box to show file extensions. While this won't stop cybercriminals from spoofing file extensions, at least you'll be able to see the spoofed extensions and avoid opening those malicious files.
Invest in a good cybersecurity program. In the event that you click on a bad link or attachment, don't worry, a good cybersecurity program will be able to alert you to the threat, stop the download and prevent malware from getting a foothold on your system or network. Malwarebytes, for example, has cybersecurity products for Windows, Mac, and Chromebook. Business users, we've got you covered too.
Malwarebytes for iOS and Malwarebytes for Android will block calls and text messages from known scam numbers. This is a great fix for parents and grandparents still relying on an old landline. Cut the cord and set them up with a basic smartphone with Malwarebytes already installed.
For more reading about spoofing and all the latest news on cyberthreats, visit the Malwarebytes Labs blog.