Spoofing

Spoofing is the pretense of a false identity in digital communication and on the Internet. The spoofer manipulates a message or data packet so that an incorrect sender address is displayed to the recipient. Spoofing is used in a variety of areas, such as sending spam, infiltrating computers and entire networks, or stealing personal user data via bogus resources (phishing). In general, the spoofed data is sent from an unknown source that appears trustworthy to the recipient. By altering the data, the spoofer can obscure their real identity and lead the recipient to believe that the sender's address is one they know. Countermeasures are summarized under the term anti-spoofing.

General information

Spoofing leverages various mechanisms of digital communication. The manipulation techniques have their origin in IP spoofing: by manipulating the header data, a data packet sent to an IP address is given a trustworthy-looking sender address belonging to a host or a domain. The recipient of the data packet believes it knows the sender or their address, accepts the data packet, and opens it. The same is true for email spoofing, which alongside IP spoofing is the most common method.

Types of spoofing

Since digital communication between sender and receiver always follows certain protocols, the authentication and verification steps of network communication can in part be bypassed. Depending on the network protocol, different types of spoofing are distinguished. In the end, data, messages, and emails are manipulated so that the attacker's goal is achieved within a specific infrastructure. However, recipients can protect themselves against such attacks with certain measures.

IP spoofing

IP spoofing is one of the classic man-in-the-middle attacks, in which the attacker intervenes between sender and receiver. In network communication with TCP/IP, weaknesses in the architecture are exploited to avoid authentication. Since authentication takes place only when the connection between sender and receiver is first established, data that is later sent over the same connection can be altered. The receiver trusts the transmitter on the basis of that first authentication and accepts the data. The attacker, however, changes the source address and deceives the receiver into believing that the data originates from a trustworthy source. Each data packet sent to an IP address via TCP carries a sequence number. The attacker manipulates the sequence number and breaks into the communication channel, which is also called session hijacking. In most cases, however, this is only possible because of further security gaps, since a regular Internet connection cannot be established with IP spoofing alone. Accordingly, IP spoofing is often combined with other hacking techniques and attack patterns.
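The standard network-level defence against forged source addresses is source-address filtering at the border router (ingress filtering as described in BCP 38 and the egress counterpart). The following Python example is added here to illustrate that filter; it is not code from the original article. The interface names ("ext", "int"), the internal prefix 192.0.2.0/24 and the sample packets are constructed for the example.

```python
"""Ingress/egress source-address filtering (BCP 38 style) as a defence
against IP spoofing.  Added example; not code from the original article.
Interface names, prefixes and the sample packets are constructed."""
import ipaddress
from typing import List, NamedTuple, Tuple

# Assumed network layout (constructed): one internal prefix behind a border router.
INTERNAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Ranges that must never appear as a source on the external interface
# (RFC 1918 private space, loopback, link-local, and the "this network" block).
BOGON_PREFIXES = [
    ipaddress.ip_network(p) for p in (
        "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.168.0.0/16",
    )
]


class Packet(NamedTuple):
    iface: str   # "ext" = Internet-facing, "int" = LAN-facing (assumed names)
    src: str     # source IP address, dotted form
    dst: str     # destination IP address, dotted form


def _in_any(addr, prefixes) -> bool:
    return any(addr in p for p in prefixes)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Return ("allow" | "drop", reason) for one packet."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "ext":
        # Ingress: a packet arriving from the Internet cannot legitimately
        # claim one of our own addresses, or a private/bogon source.
        if _in_any(src, INTERNAL_PREFIXES):
            return "drop", "external packet claims internal source"
        if _in_any(src, BOGON_PREFIXES):
            return "drop", "bogon source address"
        return "allow", "ingress ok"
    if pkt.iface == "int":
        # Egress: only our own prefixes may leave the network, so this site
        # cannot be used to send spoofed traffic toward others.
        if not _in_any(src, INTERNAL_PREFIXES):
            return "drop", "internal packet with foreign source"
        return "allow", "egress ok"
    return "drop", "unknown interface"


SAMPLE_PACKETS: List[Packet] = [  # constructed
    Packet("ext", "203.0.113.7", "192.0.2.10"),    # normal inbound traffic
    Packet("ext", "192.0.2.10", "192.0.2.20"),     # inbound, claims our own address
    Packet("ext", "10.1.1.1", "192.0.2.10"),       # inbound with private source
    Packet("int", "192.0.2.10", "203.0.113.7"),    # normal outbound traffic
    Packet("int", "198.51.100.5", "203.0.113.7"),  # outbound with a foreign source
]


def apply_filter(packets: List[Packet]) -> List[Tuple[str, str]]:
    return [filter_packet(p) for p in packets]


if __name__ == "__main__":
    for pkt, (verdict, why) in zip(SAMPLE_PACKETS, apply_filter(SAMPLE_PACKETS)):
        print(f"{pkt.iface:3} {pkt.src:>15} -> {pkt.dst:<15} {verdict:5} ({why})")
```

The filter cannot tell a legitimate external host from a spoofed one in the general case; what it does is remove the two classes of forgery that are provably wrong at the border, which is why this check belongs on routers and gateways rather than on end hosts.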

Email spoofing

Email spoofing makes use of vulnerabilities in email programs based on the SMTP protocol. In its standard version, SMTP does not use authentication, and it is used by most common email programs. A spoofer can manipulate the header of an email by exploiting the syntax of the protocol and making changes where the system stores information about the sender. This is the header data of an email, which also holds the SMTP envelope used for the handshake between transmitter and receiver. Using some SMTP commands, the header data can be manipulated so that an incorrect sender address is displayed to the recipient. Spoofers pursue different goals with this strategy:

  • Sending spam emails
  • Collecting personal data
  • Serving as an entry point for further network attacks

RFC 2554 is an extension of the SMTP protocol that adds an authentication mechanism between the mail client and the mail server and thereby protects against email spoofing. Brand spoofing is another form of email spoofing to look out for: attackers use well-known brand names such as PayPal or Amazon to conduct phishing or pharming.
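SMTP AUTH (RFC 2554) only proves a submitter's identity to its own server; on the receiving side, a forged sender is usually caught by comparing the displayed From address with the envelope sender recorded in Return-Path and by looking at the authentication results the receiving mail server wrote into the headers. The Python example below is added here to show that check on two constructed messages; it is not code from the original article, and the header values, domains and the spf=pass convention in Authentication-Results are assumptions for the example.

```python
"""Spotting a forged sender in received email headers.  Added example; not
code from the original article.  The two sample messages are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, List


def domain_of(addr_header) -> str:
    """Lower-cased domain part of an address header value ('' if absent)."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower()


def check_sender(raw: str) -> Dict[str, object]:
    """Compare the visible From domain with the envelope sender and SPF result."""
    msg = message_from_string(raw, policy=policy.default)
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    # The receiving MTA records SPF/DKIM/DMARC outcomes here; we only look
    # for an SPF pass as one simple signal (assumed header format).
    auth_results = str(msg.get("Authentication-Results") or "").lower()
    spf_pass = "spf=pass" in auth_results

    findings: List[str] = []
    if envelope_dom and from_dom != envelope_dom:
        findings.append(
            f"From domain {from_dom!r} differs from envelope sender {envelope_dom!r}")
    if not spf_pass:
        findings.append("no spf=pass recorded by the receiving mail server")
    return {
        "from_domain": from_dom,
        "envelope_domain": envelope_dom,
        "spf_pass": spf_pass,
        "suspicious": bool(findings),
        "findings": findings,
    }


# Constructed sample: a legitimate message, envelope and From agree, SPF passes.
LEGIT = """\
Return-Path: <billing@example.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example.com
From: Billing <billing@example.com>
To: user@example.net
Subject: Invoice

Your invoice is attached.
"""

# Constructed sample: brand-spoofed message sent through an unrelated relay.
SPOOFED = """\
Return-Path: <bounce@mailer.example.org>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mailer.example.org
From: "Bank Service" <service@bank.example.com>
To: user@example.net
Subject: Verify your account

Please confirm your details.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        result = check_sender(raw)
        print(name, "suspicious" if result["suspicious"] else "ok", result["findings"])
```

A mismatch between From and Return-Path is common for legitimate mailing lists and marketing relays, so in practice this signal is combined with the SPF, DKIM and DMARC verdicts rather than used alone.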

Content and URL spoofing

With content spoofing, content is disguised in such a way that the user believes it comes not from an external resource but from the website they have contacted. In fact, the displayed content originates elsewhere, because a spoofer has manipulated the parameters that point to a website. With dynamically generated websites it is possible, in principle, to change the entire website or individual elements, since the location of certain content is indicated by attribute-value pairs in the URL. An attacker replaces these parts of the URL in order to point to non-legitimate content that is then displayed under the original URL.

The URL of a legitimate resource,

http://sample/page?frame_src=http://sample/file.html

is changed so that this resource receives a content element that is defined, for example, through

frame_src=http://angreifer.beispiel/spoofing.html

[1] The user sees the address of the original resource in the browser's address bar, but the content displayed is from another source that the attacker determines. These attacks undermine the trust relationship between websites, online services, and users by exploiting HTTP communication with dynamic websites. URL spoofing works similarly, using URL rewriting. However, modern browsers can block automatic forwarding, and special browser plugins can also protect against URL and content spoofing.
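The server-side fix for the frame_src case is to never use the parameter as received, but to resolve it and accept only targets on the site's own origin. The Python example below is added here to show the unchecked lookup next to a validated one, using the article's own URLs as input; it is not code from the original article. The site origin "http://sample" and the function names are assumptions for the example.

```python
"""Validating a URL parameter that selects embedded content.  Added example;
not code from the original article.  Origin and function names are assumed."""
from typing import Optional
from urllib.parse import parse_qs, urljoin, urlsplit

SITE_ORIGIN = "http://sample"  # origin of the page in the article's example (assumed)


def frame_src_unchecked(request_url: str) -> Optional[str]:
    """Vulnerable form: hands the frame_src parameter on without validation."""
    qs = parse_qs(urlsplit(request_url).query)
    return qs.get("frame_src", [None])[0]


def frame_src_validated(request_url: str, site_origin: str = SITE_ORIGIN) -> Optional[str]:
    """Hardened form: accept only a target on the site's own origin, else None."""
    raw = frame_src_unchecked(request_url)
    if raw is None:
        return None
    # Resolve relative references against the site so that "/x" and "x" work,
    # then require scheme and host to match the site exactly.  This also
    # rejects "//other.host/x" and "javascript:" values, which resolve to a
    # different scheme or host.
    resolved = urljoin(site_origin + "/", raw)
    want = urlsplit(site_origin)
    got = urlsplit(resolved)
    if got.scheme != want.scheme or got.netloc.lower() != want.netloc.lower():
        return None
    return resolved


# Constructed requests built from the article's example URLs.
LEGIT_REQUEST = "http://sample/page?frame_src=http://sample/file.html"
SPOOFED_REQUEST = "http://sample/page?frame_src=http://angreifer.beispiel/spoofing.html"

if __name__ == "__main__":
    for req in (LEGIT_REQUEST, SPOOFED_REQUEST):
        print("unchecked:", frame_src_unchecked(req))
        print("validated:", frame_src_validated(req))
```

Comparing the full netloc rather than a substring is deliberate: a value such as "http://sample@angreifer.beispiel/" contains the expected host name but resolves to a different host, and the comparison rejects it.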

ARP spoofing

ARP spoofing is a variant of IP spoofing based on the ARP (Address Resolution Protocol). The physical address of a network adapter is altered in order to redirect the data transfer or to change the data. In a network, an incorrect network address is deliberately distributed in order to interfere with data transmission. ARP spoofing exploits the fact that network cards have fixed MAC addresses that are used to address individual hardware elements. The mapping of an IP address to a MAC address is manipulated, and the attacker thereby takes a man-in-the-middle position from which they can alter the transmitted data. ARP attacks are only possible in local networks such as Ethernet or WLAN; the attacker must be on the network.
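Because the manipulation consists of rebinding an IP address to a different MAC address, the usual detection is to watch ARP replies on the segment and alert when a known IP suddenly answers from another MAC, or when one MAC starts answering for several IPs (the attacker's own plus the victim's). The Python example below is added here to demonstrate that logic over a few constructed ARP replies; it is not code from the original article. The addresses, timestamps and the optional trusted seed table (for example static gateway entries) are assumptions for the example.

```python
"""Detecting ARP spoofing from observed ARP replies.  Added example; not code
from the original article.  Addresses, timestamps and the trusted seed table
are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Set


class ArpReply(NamedTuple):
    ts: int          # observation time in seconds (constructed)
    sender_ip: str   # IP address the reply speaks for
    sender_mac: str  # MAC address the reply binds it to


class ArpWatch:
    def __init__(self, trusted: Optional[Dict[str, str]] = None):
        # ip -> mac as configured or first seen; later replies never overwrite it,
        # so a forged reply cannot silently replace a known binding here.
        self.table: Dict[str, str] = {ip: m.lower() for ip, m in (trusted or {}).items()}
        self.claims: Dict[str, Set[str]] = defaultdict(set)  # mac -> IPs it has claimed
        self.alerts: List[str] = []

    def observe(self, r: ArpReply) -> List[str]:
        """Process one reply; return the alerts it produced (also kept in .alerts)."""
        mac = r.sender_mac.lower()
        new: List[str] = []

        known = self.table.get(r.sender_ip)
        if known is None:
            self.table[r.sender_ip] = mac
        elif known != mac:
            # Classic signature: an IP we know suddenly answers from another MAC.
            new.append(f"t={r.ts}: {r.sender_ip} claimed by {mac}, expected {known}")

        self.claims[mac].add(r.sender_ip)
        if len(self.claims[mac]) > 1:
            # Weaker signal: one adapter speaks for several IPs.  Legitimate for
            # multi-homed hosts, so treat as corroboration rather than proof.
            new.append(f"t={r.ts}: {mac} now claims {sorted(self.claims[mac])}")

        self.alerts.extend(new)
        return new


def run(replies: List[ArpReply], trusted: Optional[Dict[str, str]] = None) -> List[str]:
    watch = ArpWatch(trusted)
    for r in replies:
        watch.observe(r)
    return watch.alerts


SAMPLE_REPLIES = [  # constructed
    ArpReply(1, "192.0.2.1", "AA:BB:CC:00:00:01"),   # gateway answers normally
    ArpReply(2, "192.0.2.10", "aa:bb:cc:00:00:10"),  # a workstation answers for itself
    ArpReply(3, "192.0.2.1", "aa:bb:cc:00:00:10"),   # that workstation's MAC now claims the gateway IP
]

if __name__ == "__main__":
    for alert in run(SAMPLE_REPLIES, trusted={"192.0.2.1": "aa:bb:cc:00:00:01"}):
        print(alert)
```

Seeding the table with static entries for the gateway and other critical hosts matters: without a trusted baseline, whichever reply arrives first defines "known", and a monitor started after the manipulation would learn the wrong binding.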

Relevance to programming

Spoofing can take place at different levels of digital communication and can be combined with other attacks. In principle, attackers can forge or simulate an address from which data is to be sent, or they can pose as legitimate recipients and receive data that was not intended for them. Spoofing attacks can therefore concern the client (browser), the server, the network, or individual applications. In cross-site scripting, for example, information is transferred into a trustworthy context from which an attack then takes place.

As long as no authentication is carried out between sender and receiver and the transmitted data is not encrypted, spoofing is possible at various points of digital communication. However, users and service providers (for example, ESPs) have various protective measures at their disposal, which are summarized as anti-spoofing. The following options are available:[2][3]

  • Firewalls that block incoming connections.
  • Filters and rules for routers and gateways that regulate data traffic.
  • Cooperative agreements that designate infrastructures and networks as trustworthy.
  • Encryption algorithms and methods that protect data traffic, for example, TLS, SSH, and HTTPS.
  • Plug-ins, add-ons, and applications designed for special threats.
  • Consistently maintaining the blacklists and whitelists of spam filters and antivirus applications.

References

  1. Content Spoofing, searchsecurity.techtarget.com. Accessed on 08/19/2016
  2. Spoofing Attack: IP, DNS & ARP, Veracode, veracode.com. Accessed on 08/19/2016
  3. Email spoofing, blog.malwarebytes.com. Accessed on 08/19/2016