How spoofing works


And how to avoid becoming a victim of an attack

Do you remember the fairy tale about the wolf and the seven little goats?
One day the wolf overheard Mama goat singing. And when she was gone, he sang in her voice. The kids believed, opened the door, and the wolf ran into the hut and ate them all. Security experts will say that the wolf made a successful spoofing attack on the baby goats.
I'll explain in simple terms what spoofing is and what forms it can take.

What is spoofing?

The English word spoofing roughly translates as "substitution" or "forgery". In network security it is the name for any attack in which an attacker disguises himself or his actions as something the user trusts — like that wolf pretending to be the mother goat. In this way attackers manage to steal data, break into systems, steal money, or otherwise harm people.
Such attacks target both people and equipment. A person can be convinced by social engineering that their boss is calling, and then asked to transfer money. A computer, because of vulnerabilities in communication protocols, can be made to believe that it is talking to the official server and send its data to the fraudster's device.

How spoofing works

A key element of the scheme is something that the target of the attack trusts. Let's imagine that all clients of "Big Bank" receive invoices for payment from the address [email protected]. Scammers conclude that people are used to invoices coming from this address. They create a similar address, for example [email protected], and send customers a fake invoice from it. According to statistics, two-thirds of all spoofing attacks occur via email.

Scammers don't always need to fake something. Sometimes it's enough to be in the right place at the right time. Imagine that, once upon a time, the Big Bank app was programmed to expect data from a server with the IP address 11.22.33.44. When Big Bank moves to another data center, the programmers add the new server's address to the app's code but forget to delete the old one.
Attackers notice that nobody uses the old IP address any more. They buy it and host their own server there, which starts pretending to be the bank's server. Client apps trust it, because that address is written in the code. So the hackers can intercept data and withdraw money from accounts.

Of course, protection in the banking sector is much more complex than I have described, and it is not so easy to steal clients' money. But sometimes it still happens. For example, in 2017 hackers managed to attack the systems of 36 Brazilian banks simultaneously in a similar way.

How does spoofing differ from phishing?

These two phenomena are related, but they differ in their goals and methods.
Phishing is a type of Internet fraud in which an attacker tries to trick the victim into giving up access to important information. Various tools are used for this, including spoofing.
A phishing scam can use spoofing to send the victim to a fake bank website, where they will be prompted to enter their username and password. But a phisher can also simply call the victim and use social engineering to persuade them to hand over the data. For the most common phishing attacks, a simple guide and a few simple programs are enough.
A spoofer, in turn, does not always want to steal data. Sometimes it is enough for them that a spoofing attack disrupts normal operation: the site breaks, the server freezes, or a segment of the network stops working.
In addition, spoofing requires the hacker to have more in-depth knowledge of computer science, programming, and security. It is almost impossible to carry out a spoofing attack using a tutorial from the Internet: the strategy has to be adapted to each target, or rare and complex programs have to be used.

Types of spoofing

First, I'll describe the popular spoofing attacks, and then how to protect yourself from them.
Email spoofing, spoofing of an email address. There are two types of this attack. The first is simple and requires no technical training. Scammers simply create addresses that resemble ones a person trusts — for example, the addresses of banks or government organizations — and send a "favorable offer" or, conversely, threats and a demand to pay for compromising information.
The second type is harder. Email transmission protocols were invented in the 1980s. Nobody was thinking about cryptography and hackers yet, so emails were passed between servers unencrypted, and anyone who wanted to could intercept and read them.

Soon more reliable protocols were created. But it turned out that, due to a flaw in the protocol, hackers could deceive both the sender's and the recipient's servers. Say a hacker sends an email from the address [email protected], and the recipient sees the address [email protected] in the "From" field.
New protocols had to be devised to protect mail servers from spoofing. Major services, such as gmail.com or mail.ru, can no longer be fooled this way.
However, if someone sets up a personal server, they may unknowingly fail to enable the security protocols. I once bought the domain malakhov.pw for experiments, started a mail server on it, did not configure it, and just created the address [email protected].

Soon I received an email from my own address. In it, the attacker said that he had hacked my server and seen that I was watching all sorts of obscene adult videos. For his silence he demanded $1,450 in cryptocurrency.
Of course, the hacker had no compromising information; he was simply able to send an email on behalf of my server because of the vulnerability. But if I had used this address for work correspondence, a hacker could have written to my boss on my behalf and somehow compromised me.
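The check that a properly configured receiving server performs on the visible sender, as an added example that is not part of the original article. It assumes a hypothetical sender policy (the idea behind SPF: which networks may send for a domain) and uses constructed messages and addresses for the "Big Bank" of the text; a domain with no policy is the unconfigured case from the author's story.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from ipaddress import ip_address, ip_network

# Constructed messages. The domains, addresses and IPs are made up.
# FORGED shows the bank in the visible From, but the bounce address and the
# relaying server belong to someone else.
FORGED = """\
Return-Path: <bounce@cheap-relay.example>
Received: from mx.cheap-relay.example (mx.cheap-relay.example [203.0.113.7])
 by mail.customer.example; Mon, 1 Jan 2024 10:00:00 +0000
From: Big Bank <invoices@bigbank.example>
To: client@customer.example
Subject: Invoice for payment

Please pay the attached invoice today.
"""

GENUINE = """\
Return-Path: <invoices@bigbank.example>
Received: from mx1.bigbank.example (mx1.bigbank.example [198.51.100.25])
 by mail.customer.example; Mon, 1 Jan 2024 10:00:00 +0000
From: Big Bank <invoices@bigbank.example>
To: client@customer.example
Subject: Invoice for payment

Your monthly statement is attached.
"""

# Hypothetical sender policy: networks allowed to send mail for a domain.
# A domain without an entry is "unconfigured", like the author's server.
POLICIES = {"bigbank.example": ["198.51.100.0/24"]}


def domain_of(header_value):
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def check_sender(raw, policies):
    """Return a list of problems; an empty list means the visible sender is backed up."""
    msg = message_from_string(raw, policy=policy.default)
    visible = domain_of(msg["From"])
    envelope = domain_of(msg["Return-Path"])
    # The topmost Received line was written by our own server, so its IP is trustworthy.
    hit = re.search(r"\[(\d+(?:\.\d+){3})\]", str(msg["Received"] or ""))
    relay_ip = ip_address(hit.group(1)) if hit else None
    problems = []
    if visible != envelope:
        problems.append("From domain differs from envelope sender")
    allowed = policies.get(visible)
    if allowed is None:
        problems.append(f"no sender policy published for {visible}")
    elif relay_ip is None or not any(relay_ip in ip_network(n) for n in allowed):
        problems.append("relaying server not authorized for From domain")
    return problems
```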

Caller ID spoofing and SMS spoofing. When you receive a call on your mobile phone, the operator passes the device the Caller ID, the phone number the call is coming from. The problem is that the operator does not take this identifier from its own database but receives it from the calling side, which can slip in any number because of vulnerabilities in the protocol.
Fraudulent IP telephony services take advantage of this. They let their subscribers specify any Caller ID they like and even change it after every call. Thanks to this, fraudsters can call you, for example, from your bank's official number or from the number of a loved one: supposedly the loved one had an accident, we picked up his smartphone and decided to call you, transfer the money immediately or there will be problems with the law.
Scammers fake text messages in a similar way. For example, they may send a message on behalf of the bank: "Someone is trying to steal money from your card, please call 8 999 123-45-67 urgently." Of course, the number will belong not to the bank but to the criminals, who will act out a show about a "secure account".
Fortunately, at some point operators realized that the existing mobile communication scheme was vulnerable and something had to be done. Since December 2022, Russia has had a single platform for verifying phone calls, "Antifraud". The system was launched by a division of Roskomnadzor and is meant to unite all telecom operators.
Here is an approximate diagram of how the system works. The operator MTS sees that its subscriber is being called from a number that belongs to Tele-2. MTS sends a request to Tele-2 via Antifraud: "Tell me, is it true that your subscriber is calling our subscriber's number right now?" If Tele-2 confirms it, MTS lets the call through and the subscribers talk as usual. If the Antifraud database has no record of a call from that Tele-2 number, someone has substituted the number. MTS blocks the call and sends a warning to its subscriber.
At the beginning of 2024 not all regional operators were connected to the system, so fraudsters still fake calls from their numbers. According to the regulator's plan, when "Antifraud" is fully operational nobody will be able to fake calls from Russian numbers. But a problem remains: scammers will still be able to put numbers from other countries in the Caller ID or make calls via messengers.
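The MTS / Antifraud / Tele-2 exchange described above as a small simulation, an added example rather than anything from the article or the real platform. Operator names follow the text; the number prefixes, phone numbers, the 30-second confirmation window and the decision to connect an unverifiable call are all assumptions.

```python
class OriginatingOperator:
    """Operator of the caller (Tele-2 in the text): records calls it really connects."""

    def __init__(self, name, prefixes):
        self.name = name
        self.prefixes = prefixes
        self.active = {}              # (caller, callee) -> time the call was placed

    def place_call(self, caller, callee, now):
        self.active[(caller, callee)] = now

    def confirm(self, caller, callee, now, window=30):
        placed = self.active.get((caller, callee))
        return placed is not None and 0 <= now - placed <= window


class AntifraudPlatform:
    """Forwards the terminating operator's question to whoever owns the caller's number."""

    def __init__(self, operators):
        self.operators = operators

    def verify(self, caller, callee, now):
        if not caller.startswith("+7"):
            return "unverifiable"     # foreign Caller ID: the gap the text points out
        for op in self.operators:
            if any(caller.startswith(p) for p in op.prefixes):
                return "confirmed" if op.confirm(caller, callee, now) else "spoofed"
        return "unverifiable"         # owner of the number not connected to the platform yet


class TerminatingOperator:
    """Operator of the callee (MTS in the text): asks the platform before connecting."""

    def __init__(self, platform):
        self.platform = platform

    def incoming(self, caller, callee, now):
        verdict = self.platform.verify(caller, callee, now)
        action = {"confirmed": "connect", "spoofed": "block and warn subscriber"}
        return verdict, action.get(verdict, "connect")   # assumption: unverifiable calls pass


def scenario():
    """Constructed calls: one real, one forged bank number, one stale record, one foreign."""
    tele2 = OriginatingOperator("Tele-2", ["+7900"])      # hypothetical prefix
    mts = TerminatingOperator(AntifraudPlatform([tele2]))
    subscriber = "+79001112233"
    tele2.place_call("+79005550001", subscriber, now=100)
    return {
        "real": mts.incoming("+79005550001", subscriber, now=101),
        "forged_bank_number": mts.incoming("+79008000000", subscriber, now=101),
        "stale": mts.incoming("+79005550001", subscriber, now=500),
        "foreign": mts.incoming("+441234567890", subscriber, now=101),
    }
```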

Face or voice substitution. Criminals can create an audio recording with any text they want using voice cloning technology. You don't need to know much about AI or programming to do this: dozens of speech synthesis services and bots are officially available in Russia. These are ready-made language models that have already been taught to intone correctly, decline numerals, put the stress in the right place in words, and place pauses and emphasis in sentences.
For the neural network to create a convincing fake, it is enough to write the text and upload a sample of the voice. A recording of 10-15 seconds is enough. The result sounds realistic and lively.

In the near future we can expect technologies with finer control. For example, voice conversion shows good results — algorithms turn one voice into another while preserving the intonation, emotions, and other speech features of the source. The technology is used in video game production and in the film industry to translate characters' speech into other languages without hiring dubbing actors.
So far, voice conversion requires large investment and serious development. But it is possible that in the future the technology could be used for real-time deception, for example when a criminal calls a person and speaks in the voice of a loved one.

IP spoofing, spoofing of an IP address. When you want to watch a video of a cat, the server splits the video into thousands of small fragments — packets. Almost all data on the Internet is transmitted by exchanging packets, from weather forecasts to online games. Besides the useful data, each packet carries service information, such as the IP addresses of the sender and the recipient.
Hackers can craft a packet so that the "Sender" field contains not their own IP address but that of a device the attacked server trusts. If the server is misconfigured, it may believe such a packet and execute the command the attackers need — for example, shut down or delete important data.

DDoS. One of the most common uses of IP spoofing is the Distributed Denial of Service (DDoS) attack. Attackers generate hundreds of thousands of packets, stamp them with different source IP addresses, and send them en masse to the targeted server.
The server reads the addresses and thinks it has to respond to a crowd of new clients at once. That takes a lot of computing power. As a result, real clients who try to reach the server cannot: they get no response while the hackers' requests are being processed.

DNS spoofing, site spoofing. Every server on the Internet has an IP address. For example, if you enter 142.250.72.196 in the address bar, you will see the Google search bar. At the dawn of the Internet, devices talked to each other only by such addresses, but people soon realized that remembering numbers is not very convenient. This is how the DNS protocol — the domain name system — was created.
Now instead of 142.250.72.196 you can type google.com, and the browser will send a request to the DNS server specified in your network settings. The DNS server will give the browser the correct IP address, and your device will talk to the server as usual.
Of course, DNS servers need to check their "address book": perhaps a new site has appeared or an old one has changed its address. This book is called the "DNS cache". To update the cache, the DNS server syncs every few hours with one of the root servers, which know everything about everyone. There are only 13 such servers in the world.
Attackers can "poison" a DNS server's cache if they gain access to it. For example, they will tell it that google.com now has not the address 142.250.72.196 but another one, which belongs to the hackers. As a result, every device that asks the infected DNS server for google.com's address will end up on the scammers' site. If a user enters any data on such a site, it falls straight into the hackers' hands.
In 2018, hackers managed to attack the site MyEtherWallet, through which users managed their cryptocurrency wallets. For several hours, Amazon's DNS server sent users to the fake site. As a result, the attackers stole $137 thousand worth of cryptocurrency.
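A model of the checks a caching DNS server uses so that a forged answer cannot simply be pushed into its cache, added here as an example and not taken from the article. It is a simplified resolver (an assumption; real ones also randomize the UDP source port and validate much more) with constructed queries and replies; the Google address is the one quoted above, the hackers' address is made up.

```python
import secrets


class Resolver:
    """Caching resolver: random 16-bit transaction ID, the reply must match the question
    we sent, and records for names we did not ask about are ignored (bailiwick check)."""

    def __init__(self):
        self.cache = {}       # name -> (ip, expires_at)
        self.pending = {}     # transaction id -> name we asked about

    def ask(self, name):
        """Build an outgoing query and remember what we asked."""
        txid = secrets.randbits(16)
        self.pending[txid] = name
        return {"id": txid, "question": name}

    def accept(self, reply, now=0):
        """Cache the answer only if the reply matches an outstanding query."""
        name = self.pending.get(reply["id"])
        if name is None or name != reply["question"]:
            return False                          # unexpected ID or question: drop it
        for rr_name, ip, ttl in reply["answers"]:
            if rr_name == name:                   # skip records smuggled in for other names
                self.cache[rr_name] = (ip, now + ttl)
        del self.pending[reply["id"]]             # a second reply with this ID is a replay
        return True

    def lookup(self, name, now=0):
        entry = self.cache.get(name)
        return entry[0] if entry and entry[1] > now else None


def poisoning_attempt():
    """Constructed scenario: a forged reply with a guessed ID arrives before the real one."""
    r = Resolver()
    q = r.ask("google.com")
    forged = {"id": (q["id"] + 1) & 0xFFFF, "question": "google.com",
              "answers": [("google.com", "203.0.113.9", 3600)]}
    genuine = {"id": q["id"], "question": "google.com",
               "answers": [("google.com", "142.250.72.196", 300),
                           ("bigbank.example", "203.0.113.9", 3600)]}   # extra, unrequested record
    return r.accept(forged), r.accept(genuine), r.lookup("google.com"), r.lookup("bigbank.example")
```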

ARP spoofing. This is almost the same as DNS spoofing, only not at the level of sites on the Internet but at the level of devices on a local network: in an office, a factory, a data center.
Every device that can access the Internet has a unique MAC address, assigned at the factory where it was made. MAC addresses belong not only to computers and smartphones but also to printers, video cameras, and even smart light bulbs.
When such a device connects to the network, it is most often given a temporary IP address — or, as experts say, "leased" one. Since IP addresses change constantly, it can be difficult to track devices by them. But the MAC does not change, and in some communication protocols devices address each other by it. Sometimes, though, you need to know both a device's IP address and its MAC address. ARP tables were invented for this.
Imagine that the MAC is your jacket, which you checked in at the cloakroom, and the IP address is the ticket number you were given. The numbers may vary, but the cloakroom attendant will always hand out your jacket, because she knows where it is hanging. In other words, the cloakroom attendant is an ARP table matching MAC jackets to IP numbers.
A hacker can "poison" the ARP table: hang someone else's clothes on your hook, or slip the attendant a fake ticket so that she gives your jacket to the attacker. He doesn't even have to steal it: he can go through its pockets and hand it back.
Hackers steal data from devices on a local network in a similar way: by spoofing addresses and answering ARP requests in place of the original devices, they can route all traffic through themselves. Or they can send out incorrect answers to requests and paralyze the network.
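What the "cloakroom attendant" can do to notice poisoning: watch ARP replies and raise an alert when an IP's MAC changes, when one MAC starts claiming several IPs, or when a pinned gateway binding is contradicted. Added example, not from the article; the ARP events and addresses are constructed, and the heuristics are a simplification of what tools like arpwatch do.

```python
# Constructed ARP reply events on one LAN segment: (seconds, sender IP, sender MAC).
# The last two events show the host at .30 answering for the gateway and for .20.
EVENTS = [
    (0, "192.168.1.1", "aa:bb:cc:00:00:01"),     # the real gateway announces itself
    (1, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (2, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (60, "192.168.1.1", "aa:bb:cc:00:00:30"),    # .30's MAC now claims the gateway IP
    (61, "192.168.1.20", "aa:bb:cc:00:00:30"),   # and .20 as well
]


def watch_arp(events, static=None):
    """Replay ARP replies and return (time, kind, ip, mac) alerts.

    static: optional {ip: mac} bindings that must never change (pin the gateway here).
    A router that legitimately owns several IPs would also trigger "multi-ip", so
    such hosts belong in the static list rather than being treated as poisoning.
    """
    static = {ip: mac.lower() for ip, mac in (static or {}).items()}
    ip_to_mac = {}        # the table the cloakroom attendant keeps
    mac_to_ips = {}       # reverse view: which IPs each MAC has claimed so far
    alerts = []
    for ts, ip, mac in events:
        mac = mac.lower()
        if ip in static and static[ip] != mac:
            alerts.append((ts, "static-violation", ip, mac))
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "flip-flop", ip, mac))   # the hook now holds a different jacket
        ip_to_mac[ip] = mac
        claimed = mac_to_ips.setdefault(mac, set())
        if ip not in claimed:
            claimed.add(ip)
            if len(claimed) > 1:
                alerts.append((ts, "multi-ip", ip, mac))  # one jacket answering to many tickets
    return alerts
```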

GPS spoofing. Navigation satellites orbit the Earth: GPS, GLONASS, Galileo, and so on. They all work on similar principles: on a certain frequency the satellite transmits a radio signal containing the satellite's code and the exact time. Your smartphone receives these signals and then uses certain algorithms to calculate its position relative to the satellites.
A radio signal that has travelled thousands of kilometers from orbit is quite weak. If you place a transmitter next to the smartphone that broadcasts fake navigation signals on the same frequencies, the smartphone will follow them.
Jammers installed near, for example, government and military facilities work on this principle. They distort or drown out the satellite signal, and as a result the device believes it is somewhere else. In other words, GPS spoofing is also used against devices.
Another scenario, so far hypothetical, is using GPS spoofing to take control of unmanned vehicles. With a fake radio signal you can make a robotaxi think it is somewhere else and change its route to one that suits the intruders.
However, self-driving cars rely not only on satellite signals but also on data from cameras and lidars. Simpler devices, such as drones, can be fooled by such a spoofing attack much more easily.

Man-in-the-middle attack. Security experts call this scheme MitM, man-in-the-middle. It is a class of attacks in which the attacker secretly inserts themselves into the exchange of information. In this way they can read and replace data without the server or the client noticing. MitM attacks can be used with any type of spoofing where there is a communication channel: GPS, DNS, IP, ARP, and so on.
Such attacks have been known since ancient times. For example, scouts could intercept an enemy army's messenger and decipher the order to move the troops. Then they would send their own messenger with a new order: send the army somewhere else, where an ambush was waiting.
During World War II, the English mathematician Alan Turing broke the Enigma cipher, which the Germans considered unbreakable. The Allies intercepted radio messages, decoded them, and understood how and where the enemy planned to attack.
Modern hackers also intercept radio signals, only now from public Wi-Fi hotspots in hotels and restaurants. Hackers "wedge into" the radio exchange and gain access to the traffic. If the user sends an unencrypted message, the hacker will see it on their device.

How to protect yourself from spoofing

Most spoofing attacks target telecom operators, data centers, and servers. The average user can't do anything about those. That is the job of system administrators and information security specialists, who will find advice in specialized publications.
Here are some simple tips anyone can use to protect themselves and their loved ones from phishing and spoofing attacks.

Call back yourself. Always. Spoofing attacks are not only about hacking over the Internet. The voice or face of your boss, friend, or loved one can be faked — with modern neural networks that is not so hard.
If you receive a message from the bank saying your money is in danger, call the bank back at the number on its official website or on your bank card. If a voice message from your boss arrives in a messenger asking you to do something unusual, go to their office and ask them again.
If a loved one sends you a video on a social network asking you to transfer money to a card, call them back and see for yourself. Especially if the other party strictly forbids you to call: that scammer does not want you to expose his deception.

Don't use public Wi-Fi. Hackers can easily intercept traffic there and carry out a MitM attack. It is better to share the connection from your mobile phone. And if that option is not available, for example while roaming, use programs that additionally encrypt traffic.
Check the address bar. Scammers like to register sites with names that look like the real thing. Say hackers broke into your friend's account and sent a link on his behalf to tlnkoff.ru instead of tinkoff.ru. Or you are asked to pay for delivery on the site avito-oplata.com.
Links are often disguised with service names: avito.mega-dostavka.ru. But the essence does not change: it is still a different site, not avito.ru, so it is dangerous to enter anything there.

Use a password manager. The main benefit of these programs is that they check the site address for you. If you saved a password for yandex.ru, the manager will not offer to fill it in on yandex.com or yanbex.ru. If you don't see any suggestions from the manager, the site is probably fake. Here, for example, are nine free verified managers.
An easier option is to use the password manager built into your browser: Safari, Yandex Browser, or Google Chrome. If you use the same account on all devices, the browser syncs passwords between them. If you have already signed in to the site from your computer, the password hint will also appear on your smartphone.
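How the address check behind both tips above works: the manager compares the registrable domain of the page with the one the credential was saved for, and refuses on lookalikes such as tlnkoff.ru, yanbex.ru or avito.mega-dostavka.ru. Added example, not code from the article or from any real password manager; the tiny public-suffix table and the "one typo away" lookalike rule are assumptions of this example.

```python
from urllib.parse import urlsplit

# Simplified public-suffix table (an assumption; real managers consult the full
# Public Suffix List so that suffixes like "co.uk" are handled everywhere).
PUBLIC_SUFFIXES = {"ru", "com", "org", "net", "co.uk"}


def registrable_domain(host):
    """'www.avito.ru' -> 'avito.ru'; 'avito.mega-dostavka.ru' -> 'mega-dostavka.ru'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return ".".join(labels)


def levenshtein(a, b):
    """Edit distance, used to spot one-character lookalikes such as tlnkoff/tinkoff."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def autofill_decision(saved_url, current_url):
    """What the manager does with a credential saved for saved_url on the page current_url."""
    saved = registrable_domain(urlsplit(saved_url).hostname)
    page = urlsplit(current_url)
    current = registrable_domain(page.hostname)
    if current == saved:
        # Same site. Most managers still refuse to fill over plain HTTP.
        return "fill" if page.scheme == "https" else "refuse-insecure"
    if levenshtein(current, saved) <= 1:
        return "refuse-lookalike"     # one typo away from a saved site: worth a warning
    return "no-match"
```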

Use two-factor authentication. This is an additional layer of protection for your account. The second factor may be, for example, a code from a text message or a one-time password requested in addition to the usual one. Even if a fraudster steals the password, they will not get the code.
All popular services support two-factor authentication. Be sure to enable it in your email service, messengers, banking apps, and social networks.

(c) Alexey Malakhov