Spoofing is the act of disguising a communication or identity so that it appears to be associated with a trusted, authorized source. Spoofing attacks can take many forms, from the common email spoofing attacks that are deployed in phishing campaigns to caller ID spoofing attacks that are often used to commit fraud. 攻击者也可能瞄准组织网络中更多的技术元素, such as an IP address, domain name system (DNS) server, or Address Resolution Protocol (ARP) service, as part of a spoofing attack.
Spoofing attacks typically take advantage of trusted relationships by impersonating a person or organization that the victim knows. In some cases—such as whale phishing attacks that feature email spoofing or website spoofing—these messages may even be personalized to the victim in order to convince that person that the communication is legitimate. 如果用户不知道互联网通信是可以伪造的, 它们特别容易成为欺骗攻击的牺牲品.
成功的欺骗攻击可能会产生严重的后果. 攻击者可能会窃取敏感的个人或公司信息, 收集凭据,以便在将来的攻击或欺诈尝试中使用, spread malware 通过恶意链接或附件,获得未经授权 network access 通过利用信任关系,或绕过访问控制. They may even launch a denial-of-service (DoS) attack or a man-in-the-middle (MITM) attack.
What does this mean in business terms? 一旦欺骗攻击成功地欺骗了受害者,组织可能会受到 ransomware attack 或者经历一次代价高昂且具有破坏性的数据泄露. Business email compromise (BEC), in which an attacker impersonates a manager and tricks an employee into sending money into an account that is actually owned by a hacker, is another common spoofing attack.
Or, the business could find that its website is spreading malware or stealing private information. Ultimately, the company could face legal repercussions, suffer damage to its reputation, and lose the confidence of its customers. For these reasons, it’s wise to learn about the kinds of spoofing attacks that are in use today as well as how to detect and prevent them.
In an IP spoofing attack, 攻击者会从一个伪造的IP地址发送IP数据包,以隐藏其真实身份. Attackers most often use IP address spoofing attacks in DoS attacks that overwhelm their target with network traffic. In such an attack, 恶意行为者将使用欺骗的IP地址向多个网络接收者发送数据包.
然后,真实IP地址的所有者会收到大量的响应, 网络服务可能会中断. An attacker may also spoof a computer or device’s IP address in an attempt to gain access to a network that authenticates users or devices based on their IP address.
欺骗攻击也可以以电话的形式出现. In a caller ID spoofing attack, a scammer makes it appear as if their call is coming from a number the victim knows and trusts or, alternatively, 与特定地理位置相关联的数字. A caller ID spoofer may even use a number that has the same area code and the first few digits as the victim’s phone number, 希望他们看到一个熟悉的号码就会接电话. This practice is known as neighbor spoofing.
如果来电显示欺骗的受害者接听电话, the scammer on the other end of the line may impersonate a loan officer or other representative of an official-seeming institution. The fake representative will then often try to persuade the victim to give up sensitive information that can be used to commit fraud or perpetrate other attacks.
电子邮件欺骗包括使用虚假的发件人地址发送电子邮件. 攻击者经常在社交工程中使用电子邮件地址欺骗 phishing attacks hoping to deceive their victims into believing an email is legitimate by pretending that it came from a trusted source. If the attacker is able to trick their victims into clicking on a malicious link within the email, they can steal their login credentials, financial information, or corporate data. 涉及电子邮件欺骗的网络钓鱼攻击也可能用恶意软件或软件感染受害者的计算机, 在商业电子邮件泄露(BEC)诈骗等情况下, 试图欺骗受害者发起资金转移. Variants of phishing such as spear phishing or whaling may be carefully tailored to specific individuals within the company and tend to have a higher success rate.
In a website spoofing attack, a scammer will attempt to make a malicious website look exactly like a legitimate one that the victim knows and trusts. 网站欺骗通常与网络钓鱼攻击有关. 当受害者点击网络钓鱼邮件中的链接时, 例如,这个链接可能会把他们带到一个看起来和他们使用的网站一模一样的网站, the login page to a banking site. From there, the victim will see exactly the same logo, branding, and user interface they would expect. 当他们提供登录凭据或其他个人信息时, however, the spoofed website will quietly harvest that information for use in an attack or fraud attempt.
Address Resolution Protocol (ARP) resolves an IP address to its physical Media Access Control (MAC) address for the purpose of transmitting data across a Local Area Network (LAN). In an ARP spoofing attack, a malicious actor sends spoofed ARP messages across a local area network for the purposes of linking their own MAC address with a legitimate IP address. That way, the attacker can steal or modify data that was meant for the owner of that IP address.
An attacker wishing to pose as a legitimate host could also respond to requests they should not be able to respond to using their own MAC address. With some precisely placed packets, an attacker can sniff the private traffic between two hosts. 可以从交通中提取有价值的信息, such as exchange of session tokens, 产生对应用程序帐户的完全访问权限,而攻击者不应该能够访问这些帐户. ARP欺骗有时被用于MITM攻击、DoS攻击和会话劫持.
在局域网中,ARP以同样的方式将IP地址解析为MAC地址, DNS (Domain Name System)将域名解析为IP地址. When conducting a DNS spoofing attack, an attacker attempts to introduce corrupt DNS cache information to a host in order to impersonate that host’s domain name—for example, www.onlinebanking.com. 一旦该域名被成功欺骗, 然后,攻击者可以使用它来欺骗受害者或获得对另一台主机的未经授权的访问.
DNS spoofing can be used for a MITM attack in which a victim inadvertently sends sensitive information to a malicious host, 认为他们正在把信息发送给一个可信的来源. 或者,受害者可能会被重定向到包含恶意软件的网站. An attacker who has already successfully spoofed an IP address could have a much easier time spoofing DNS simply by resolving the IP address of a DNS server to the attacker’s own IP address.
The best way to prevent a spoofing attack, on the user education side of things, 是留意你被欺骗的迹象. For example, 使用电子邮件欺骗的网络钓鱼攻击可能具有不寻常的语法, poor spelling, or awkward language. The message contained may be urgent in nature, 旨在引起恐慌,让你立即采取行动.
You may also notice, upon further inspection, that the sender’s email address is off by one letter or that the URL featured within the message has a slightly different spelling than it should. A best-in-class incident detection and response solution can protect your organization even further by proactively notifying you in the event that anomalous user activity is detected.
如果您怀疑收到了欺骗的信息, whether it has arrived via email, text, or another channel, 不要点击邮件中的任何链接或附件. To verify that the message is accurate, 用你自己找到的联系方式联系发件人. 不要使用邮件中可能出现的任何电话号码或其他地址, 因为它们可能只是将您与攻击者联系起来. Likewise, 如果消息要求您登录一个帐户, don’t click on the link provided but instead open up a separate tab or window in your browser and log in as you normally would.
智能安全工具也可以帮助您防止欺骗攻击. 例如,垃圾邮件过滤器将阻止大多数网络钓鱼邮件到达您的收件箱. Some organizations and even some network carriers use similar software to block spam calls from reaching users’ phones. Spoofing detection software may provide additional protection against some of the kinds of spoofing attacks mentioned above, 增强你的能力,在他们有机会造成任何伤害之前发现并阻止他们.
某些最佳实践还可以减少成为欺骗攻击的牺牲品的机会. 尽可能避免依赖网络中的信任关系进行身份验证. 否则,攻击者可以利用这些关系进行成功的欺骗攻击. Packet filtering can prevent an IP spoofing attack since it is able to filter out and block packets that contain conflicting source address information. Using cryptographic network protocols such as HTTP Secure (HTTPS) and Secure Shell (SSH) can add another layer of protection to your environment.