For the most part, the internet depends on trust. When you click on a link, you expect to go where it says it will take you. When you enter your password, you expect to be let into a private, safe place. When you contact someone, you expect they are who they say they are. When you make a financial transaction, you expect the money you send will reach the destination you intended. Most people question none of this. They take it all for granted. They are trusting. That’s very nice; however, there are those who use this trust, this complacency, to gain an advantage for themselves. Many, if not most, hacking attacks are based on some form of spoofing: using a pretense to take advantage of someone’s explicit or implicit trust.
Let’s take a look at a few basic examples first. Let’s say that, for political or other reasons, I don’t like your business or organization. I would like to get some form of revenge against it but don’t really want to do anything considered too illegal, like stealing your money or information. I might just want to cause you problems. In this case, I might want to stop the operation of your website. Maybe you need your website for business purposes, and bringing it down would actually cost you money and badly affect your reputation. This would satisfy my need for revenge. I could bring down your website by sending it ‘packets’. Every packet sent from one IP address to another must receive some analysis by the receiving organization’s server, even if the result is simply to classify it as trash. If I send packets with a large number of spoofed source IP addresses, I can force your server to work overtime, possibly to the point where it cannot handle the traffic and either responds to legitimate traffic so slowly that it is useless or actually gives up or crashes. Great. Then I have brought down your website with a denial of service (DoS) attack and have got my revenge. Of course, with the use of botnets, such attacks can be performed with far more ease.
I could also spoof an IP address that’s on your company network so that I can get access to important information. Often, networks have a list of machines that ‘trust’ each other. They may not even require a trusted machine to use a password. Anything received from the IP address of a trusted machine will be treated as legitimate traffic. I could keep trying various IP addresses until I got the right one, or I could get legitimate addresses in other ways, like through spear phishing.
Referrer spoofing is a bit different. Here, the attacker forges the Referer header, which tells a web server the address of the page the browser claims it came from, and the purpose is to get around some simple site protection. Often, sites will not let you go to one page without first going through another page. They may want you to see certain advertisements, for example, or they may want to protect some of their content with a login page. The site’s servers will block anyone who has not come through the correct route. However, if an attacker can spoof the URL the server is looking for, they will be allowed into the site.
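To show why a Referer check is not access control, here is an added example (not code from the original post): a handler that trusts the client-supplied Referer header beside one that records the gateway visit on the server. The page URLs, the in-memory session store and the two requests are constructed for illustration.

```python
# Added example: Referer is set by the client, so any request can claim to
# have come from the gateway page. The hardened handler instead remembers,
# server-side, which visitors were actually served the gateway page.
import secrets

GATEWAY_PAGE = "https://example.test/ads"        # hypothetical page users must see first
PROTECTED_PAGE = "https://example.test/premium"  # hypothetical page being protected


def weak_allow(request):
    """Original-style check: trust whatever Referer the client sends."""
    return request["headers"].get("Referer", "").startswith(GATEWAY_PAGE)


# Server-side record of tokens handed out by the gateway page.
# A database or cache would hold this in a real deployment.
_passed_gateway = set()


def visit_gateway():
    """Called only when the gateway page is really served; returns the cookie value."""
    token = secrets.token_urlsafe(16)
    _passed_gateway.add(token)
    return token


def strong_allow(request):
    """Allow only if the request carries a token this server itself issued."""
    return request["cookies"].get("gate") in _passed_gateway


def simulate():
    """Constructed requests: a genuine visitor and one who only forged the Referer."""
    token = visit_gateway()
    genuine = {"headers": {"Referer": GATEWAY_PAGE}, "cookies": {"gate": token}}
    forged = {"headers": {"Referer": GATEWAY_PAGE}, "cookies": {}}  # never saw the gateway
    return {
        "weak": (weak_allow(genuine), weak_allow(forged)),
        "strong": (strong_allow(genuine), strong_allow(forged)),
    }
```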
I’m pretty sure everyone knows about email address spoofing, but, since people continue to be fooled every day, it might be worth mentioning anyway. In email spoofing, the address of the sender is forged to look legitimate. That is, the email may look like it comes from a bank: it has the bank name in the ‘From’ field, it has the bank logo and formatting, but the actual address the email came from is not related to the bank at all. This address is not usually visible unless one takes the time to hold the cursor over the sender’s name. Attackers may even put a legitimate-looking address inside the displayed sender name itself. For example, the receiver may see ‘Bank of Gondwanaland <email@example.com>’ and assume that this authenticates the email as real, when the address the message actually came from is something else entirely. Again, simply holding the cursor over such an address should resolve most problems. (I’ll go into more about email tricks in a future post.)
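The check below is an added example (not code from the original post) that does programmatically what hovering over the sender name does by hand: it separates the display name from the real address in a From header and flags the display-name trick described above. The trusted-domain set and the sample headers are constructed for illustration.

```python
# Added example: flag From headers whose display name tells a different
# story from the actual sender address. Inputs here are constructed.
import re
from email.utils import parseaddr

# Hypothetical: domains that genuinely send mail for the bank in question.
TRUSTED_DOMAINS = {"bank-of-gondwanaland.example"}
BRAND_NAME = "bank of gondwanaland"

# Matches an address-like string anywhere in free text.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_from_header(from_header):
    """Return the reasons this From header looks deceptive (empty list if none)."""
    display_name, real_addr = parseaddr(from_header)
    reasons = []
    if "@" not in real_addr:
        reasons.append("no parsable sender address")
        return reasons
    real_domain = real_addr.rsplit("@", 1)[1].lower()

    # Trick 1: an address embedded in the display name (what the receiver
    # sees) that is not the address the mail actually came from.
    for shown in EMAIL_RE.findall(display_name):
        if shown.lower() != real_addr.lower():
            reasons.append(f"display name shows {shown} but mail is from {real_addr}")

    # Trick 2: the brand name is used, but the sending domain is not one
    # the brand is known to send from.
    if BRAND_NAME in display_name.lower() and real_domain not in TRUSTED_DOMAINS:
        reasons.append(f"brand name used but sender domain is {real_domain}")
    return reasons


if __name__ == "__main__":
    # Constructed header: the quoted display name carries a bank-looking
    # address, while the real sender is an unrelated domain.
    sample = '"Bank of Gondwanaland <alerts@bank-of-gondwanaland.example>" <news@mail-deals.example>'
    for reason in check_from_header(sample):
        print("suspicious:", reason)
```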
Man-in-the-Middle (MITM) attacks can also be considered a form of spoofing. In these attacks, someone is secretly ‘eavesdropping’ on the information passing between two individuals or entities who believe they are speaking directly to each other, when, in fact, all data must go through the attacker to be transmitted. So, in a sense, the eavesdropper pretends to be each of the people in the ‘conversation’ and is, therefore, in complete control of it, able to add or delete any transmitted information that they want.
A simple example of a MITM attack using spoofing is when someone pretends to be a Wi-Fi hotspot. This is known as an ‘evil twin’ attack: the hotspot’s name looks legitimate but isn’t. In other words, a person caught in this attack is handing any information they send to the internet (email addresses, passwords, credit card information, social security or account numbers) to the man in the middle. VOIP phone calls are, more often than not, unencrypted and can be targeted by individuals, criminal organizations, or governments through MITM attacks. To put it bluntly, anything you say can be heard by anyone who has an interest in you. Even encryption is not hacker proof. More sophisticated MITM spoofing attacks can be used to get around encryption when information is sent to the cloud.
GPS spoofing allows someone to hide where they are or when they were there. There are numerous apps that can do this. In another version of GPS spoofing, an attacker creates fake GPS signals that seem authentic and that follow a logical time/space sequence. In fact, the attacker is creating an alternative signal to lead the victim astray, for some, usually nefarious, purpose. They can slowly lead whoever is following the signal to an unexpected place. They could, for example, alter the course of a ship or a plane. This has already been done on a small scale. Students used a fake GPS signal to change the course of a yacht in the Mediterranean. They simply overpowered the satellite GPS signal with a stronger one of their own and tricked the yacht into ‘thinking’ that this was the one it should follow. The yacht ‘thought’ it was on course but was not. They could have caused it to crash if that had been their goal. In another incident, it is rumored that Iranians were able to take over a sophisticated drone with a GPS spoof. Ever since South Korea found that North Korea was disrupting GPS signals, governments have taken GPS spoofing very seriously and are preparing countermeasures against it. Although most experts downplay the ability of an attacker to take over a plane’s GPS, none will discount the possibility altogether.
Such suspicions arose in earnest upon the weird disappearance of flight MH370 over the Indian Ocean. Some have speculated that a form of ‘double spoofing’ could have been behind this. They speculate that attackers could create a false signal to make it appear that the plane was heading into the Indian Ocean while spoofing a false GPS signal that would lead the plane to another location. Of course, the main questions are: Who would do such a thing? Why would they do it? And, of course, where is the plane?
As dependence on the internet increases, so too will new forms of spoofing. Investigations are currently underway to determine whether the stock market is, or can be, spoofed by high-frequency traders, leading some to conclude that the stock market is rigged. If it isn’t, it probably soon will be. That’s just the nature of the game. The other factor increasing spoofing is the built-in anonymity of the web. There have always been con-men. It’s simply easier to be a con-man when you don’t actually have to face the people you are conning and see the personal damage that such spoofing can do to them. But in the end it all goes back to the trust and complacency of some meeting the drive for profit and advantage in others. It therefore seems that, as long as human nature remains the way it is, spoofing will have a robust future.