Domain Spoofing: Types and How to Prevent Them

Domain spoofing is a phishing technique in which an attacker impersonates a company’s domain in order to pass as the legitimate entity: the business itself or its employees.

Attackers disguise themselves as another person, organization, or entity to perform malicious activities using a variety of tactics.

It can be as simple as spoofing an email address, website, or phone number, or as advanced as spoofing IP addresses or poisoning Domain Name System (DNS) records, all to trick victims into handing over confidential information, downloading attachments, or clicking links that install malware. Cybercriminals choose to spoof the most familiar or popular email addresses, websites, and other online entities, because familiarity lowers doubt and reluctance and lets them exploit the human tendency to trust. The term domain spoofing is used for several types of fraudulent activity:

  • Spoofing the domain itself: sending email whose sender address carries the recipient’s own domain name (or that of another trusted organization) even though the message did not originate there.

  • Using a visually similar look-alike domain name, for example one containing non-ASCII characters that resemble Latin letters (an IDN homograph attack, sometimes loosely called HTTPS spoofing when the look-alike site also carries a valid certificate).

Types of domain spoofing

Email spoofing

Email spoofing is a technique in which an attacker forges the sender address of an email so that it carries the domain of a legitimate organization.

Sender verification is not built into the Simple Mail Transfer Protocol (SMTP), the protocol that email delivery is built on, so any sending server can put any address in the From header. Email authentication protocols developed more recently, such as SPF, DKIM and DMARC, give receiving servers a way to verify the sending domain.

There are lots of ways to mask the true origins of an email.

Most people know that it is risky to download files or click on links in emails from unknown senders. A spoofed email, however, appears to come from a known sender and can be convincing enough to make the receiver act without a second thought.

Attackers also abuse subdomains to make emails look like they arrive from trusted sources: a hypothetical name such as acmecorp.com.example-notify.net is controlled by whoever registered example-notify.net, not by Acme, yet the trusted name sits at the left of the address where readers look first.

Depending on the technique, the attacker sends an email whose address and sender name look like they came from a familiar party, such as a government agency, a colleague, or a bank.

Additionally, the attacker may assume more than one identity in a spoofing attack: that of the sender, of the company, or both. For example, Acme is a multinational company. One day Patrick, an employee at Acme, receives an email whose sender is shown as johndoe@acmecorp.com. In a large multinational company it is difficult to tell whether John is a real employee. Trusting that John is a colleague, Patrick carries out the work-related tasks the email says require immediate action. Using the familiar domain name and company logo, John, who does not work at Acme, has tricked Patrick into doing something that benefits the attacker.

The spoofed email uses urgent and convincing language to prompt a quick reaction. This limits the chance for hesitation and questioning and persuades the recipient that carrying out the task is the right thing to do.

Email spoofing best practices

  1. Inspect the sender address - Transposed letters, spelling errors or a domain name that is not quite the expected one in the sender’s email address indicate a spoofed email.

  2. Source of the email - Unexpected requests and warnings often come from scammers.

  3. Nature of the email - Be wary of language that urges you to act quickly, initiate financial transactions or provide confidential information.

  4. Structure of the email - For embedded links, hover over the link to reveal the real destination URL before clicking, and compare it with the text that is displayed.

  5. Check downloads and links - Be vigilant with messages that urge you to open an attachment, and verify that the attachment is not a disguised executable (for example, a file named invoice.pdf.exe that shows up as a PDF when extensions are hidden).
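As an added example that is not part of the original article, the following Python script applies three of the checks above to a raw message: the sender address versus the Reply-To address, the link text versus the real destination, and an attachment name that hides an executable behind a double extension. The message, its domains (acmecorp.example, acme-corp-secure.example), the IP address and the attachment are all constructed for illustration.

```python
"""Heuristic checks for a suspicious email, run over a constructed message.

Added example, not code from the original article. RAW_MESSAGE and every
domain, address and attachment in it are made up for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed message: From: carries the company domain, Reply-To: does not,
# the link text shows a trusted host while the href points at a raw IP, and
# the attachment is an .exe dressed up as a PDF.
RAW_MESSAGE = b"""\
From: John Doe <johndoe@acmecorp.example>
Reply-To: John Doe <johndoe@acme-corp-secure.example>
To: patrick@acmecorp.example
Subject: URGENT: approve the wire transfer today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Please review at <a href="http://198.51.100.7/login">https://portal.acmecorp.example</a> within the hour.</p>
--b1
Content-Type: application/octet-stream; name="Invoice.pdf.exe"
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "ps1"}
URGENCY_WORDS = ("urgent", "immediately", "within the hour", "wire transfer")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    # 1. Replies silently go somewhere other than the apparent sender.
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 2. Pressure language in the subject.
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("subject uses urgency language")

    for part in msg.walk():
        # 3. Displayed URL and actual href point at different hosts.
        if part.get_content_type() == "text/html":
            for href, text in LINK_RE.findall(part.get_content()):
                shown = re.sub(r"<[^>]+>", "", text).strip()
                shown_host = urlparse(shown).hostname
                real_host = urlparse(href).hostname
                if shown_host and real_host and shown_host != real_host:
                    findings.append(f"link text {shown} actually points to {href}")
        # 4. Double extension ending in something executable.
        filename = part.get_filename()
        if filename:
            pieces = filename.lower().split(".")
            if len(pieces) > 2 and pieces[-1] in EXECUTABLE_EXTENSIONS:
                findings.append(f"attachment {filename} hides an executable behind a double extension")
    return findings


if __name__ == "__main__":
    for finding in analyze(RAW_MESSAGE):
        print("-", finding)
```

The checks are deliberately simple string and header comparisons; they catch the patterns the checklist describes, not every phishing message, and a clean result only means none of these four patterns was found.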

Website spoofing

Website spoofing uses fake websites that look legitimate. A popular supporting technique is URL masking, in which the address the victim sees is not the one actually visited.

A spoofed website looks almost exactly like the real one, with the same visual elements: layout, colour, logo and so on. Without a very close inspection it is difficult to identify a spoofed website.

Spoofed websites are mainly used for stealing credentials or other sensitive information such as credit card details, or for installing malicious software.

Phishing techniques such as URL cloaking are the methods most used for spoofed websites. With the help of scripts or redirects, phishers present a URL that appears to belong to a trusted organization, or at least has the expected format, to disguise the malicious destination, so the link is trusted without suspicion.

To spoof the domain name itself, attackers can register names containing Unicode characters from other scripts that are almost indistinguishable from ASCII letters (an IDN homograph attack): a Cyrillic ‘а’ in place of a Latin ‘a’, for instance, produces a name that renders identically in most fonts but resolves to an entirely different site.
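The look-alike domains described here and in the list of spoofing types above can be caught mechanically. The following Python script, an added example that is not from the original article, converts a hostname to the punycode form the browser actually resolves, flags labels that mix scripts, and compares a hostname against a trusted one after mapping confusable letters. The hostnames are constructed, and CONFUSABLES is a small hand-picked subset of the Cyrillic letters that render like Latin ones (Unicode’s confusables.txt is the full list).

```python
"""Detecting look-alike (IDN homograph) hostnames before trusting them.

Added example, not code from the original article. The hostnames used
below are constructed; CONFUSABLES is a small hand-picked subset of
Unicode's confusables.txt.
"""
import unicodedata

# Cyrillic letters that are visually identical to Latin letters in most fonts.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
    "х": "x", "у": "y", "ѕ": "s", "і": "i", "ј": "j",
}


def to_punycode(hostname):
    """The ASCII form (xn--...) that the browser actually resolves."""
    return hostname.encode("idna").decode("ascii")


def from_punycode(hostname):
    """Decode an xn-- hostname back to the Unicode the user is shown."""
    return hostname.encode("ascii").decode("idna")


def scripts_in(label):
    """Scripts used by the letters of one label, e.g. {'LATIN', 'CYRILLIC'},
    taken from the first word of each character's Unicode name."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in label
        if ch.isalpha()
    }


def mixed_script_labels(hostname):
    """Labels that combine more than one script: the classic homograph sign."""
    return [label for label in hostname.split(".") if len(scripts_in(label)) > 1]


def skeleton(hostname):
    """Reduce a hostname to what the eye sees: NFKC-normalise, lower-case and
    map confusable letters to their Latin look-alikes."""
    norm = unicodedata.normalize("NFKC", hostname).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in norm)


def is_lookalike(hostname, trusted):
    """True when hostname is not the trusted name but would look like it."""
    return hostname != trusted and skeleton(hostname) == skeleton(trusted)


if __name__ == "__main__":
    # "аpple.com" has a Cyrillic first letter; "аррlе.com" is Cyrillic except the l.
    for host in ("apple.com", "аpple.com", "аррlе.com"):
        print(host, "->", to_punycode(host),
              "| mixed scripts:", mixed_script_labels(host),
              "| looks like apple.com:", is_lookalike(host, "apple.com"))
```

Browsers apply similar mixed-script rules when deciding whether to display a name as Unicode or as its xn-- form; the punycode conversion is the quickest manual check, since a trusted brand name that suddenly shows up as xn--... in the address bar is almost never the real site.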

Website spoofing best practices

  1. Check for the padlock - The lock icon in the browser indicates that the connection between the browser and the server is encrypted and that the server holds a certificate for the domain shown in the address bar. A missing padlock is a warning sign, but its presence does not prove legitimacy: many spoofed sites hold a valid certificate for their look-alike domain, so always read the domain name next to the padlock.

  2. Check with autofill - To protect against logging into a spoofed website, use a password manager to store the login details of each site. The password manager will not autofill your credentials unless the domain matches the one it saved them for.

  3. Inspect the website - Misplaced letters, spelling errors, broken links, can all be indicators that the website has been spoofed.

What are the protective mechanisms to prevent domain spoofing?

  1. SSL/TLS certificates - A certificate is a digitally signed file that binds a domain name to a public key, identifying the website and enabling encryption of traffic to and from it. Before issuing it, the certificate authority verifies that the applicant controls the specific domain name. Almost all legitimate websites have a certificate.

    But a spoofed website may also have a valid certificate: it will simply be issued for the spoofed (look-alike) domain name, not for the real one, because domain validation only proves control of that name.

  2. Bookmarks - Keep an in-browser bookmark for each legitimate website. Opening the site from the bookmark instead of following a link or typing the URL ensures the legitimate URL loads every time.

  3. SPF, DKIM and DMARC records - There is no way to stop an attacker from writing a domain into a sender address, but the domain owner can publish SPF, DKIM and DMARC records so that receiving mail servers can verify whether a message really came from an authorized source. Receivers that do not check these records, and look-alike domains the attacker registers for himself, are not covered by them.

    Sender Policy Framework (SPF) - a DNS TXT record that lists which servers or IP addresses are allowed to send mail on behalf of a particular domain.

    DomainKeys Identified Mail (DKIM) - the sending domain applies a digital signature to selected headers and the body of every outgoing message and publishes the verification key in DNS. Recipients’ mail servers can then check whether the message really came from that domain (or one of its legitimate users) and whether it was altered in transit; in effect the organization takes responsibility for the message.

    Domain-based Message Authentication, Reporting and Conformance (DMARC) - a DNS policy record that tells receivers how to combine the two checks: a message passes DMARC if at least one of SPF or DKIM passes and the domain it passed for aligns with the domain in the visible From header. If it passes, the message is treated as legitimate; if it fails, the record’s policy (none, quarantine or reject) tells the receiver whether to deliver, quarantine or discard it, and the reporting addresses let the domain owner see who is sending mail in its name.

  4. The most crucial protective mechanism is to educate employees and run training sessions with mock phishing scenarios.
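To make the SPF and DMARC logic in point 3 concrete, here is a small evaluator written for this page; it is an added example, not code from the original article or from any mail product. Real receivers fetch the records from DNS, verify DKIM signatures cryptographically and use the Public Suffix List to find the organizational domain; here a constructed DNS_TXT table (acmecorp.example and mailer.example are hypothetical), a DKIM result passed in as already verified, and a two-label approximation of the organizational domain stand in for all of that so the policy decision can run offline.

```python
"""Toy SPF and DMARC evaluation over an in-memory DNS table.

Added example, not code from the original article. DNS_TXT is a
constructed table of hypothetical records; the DKIM signature check and
the Public Suffix List lookup are deliberately out of scope.
"""
import ipaddress

# Constructed TXT records: SPF for the domain and an included bulk mailer,
# plus a DMARC policy asking receivers to reject unaligned mail.
DNS_TXT = {
    "acmecorp.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailer.example -all",
    "_spf.mailer.example": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.acmecorp.example": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                                "rua=mailto:dmarc@acmecorp.example",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(ip, domain, depth=0):
    """SPF result ('pass', 'fail', 'softfail', 'neutral' or 'none') for a
    message from `ip` whose envelope sender (MAIL FROM) is in `domain`.

    Handles the ip4/ip6/include mechanisms and the all terminator, which is
    enough for the records above; a, mx and exists (which need further DNS
    lookups) are not implemented.
    """
    record = DNS_TXT.get(domain.lower())
    if depth > 10 or not record or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6"):
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
        elif mech == "include":
            if check_spf(ip, arg, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]
    return "neutral"


def org_domain(domain):
    """Organizational domain approximated as the last two labels
    (real implementations use the Public Suffix List)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def parse_tags(record):
    """'v=DMARC1; p=reject; ...' -> {'v': 'DMARC1', 'p': 'reject', ...}"""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def evaluate_dmarc(from_domain, sending_ip, mailfrom_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    from_domain is the domain of the visible From: header; dkim_result and
    dkim_domain (the signature's d= tag) are taken as already verified.
    The subdomain policy tag (sp=) is ignored for brevity.
    """
    record = (DNS_TXT.get("_dmarc." + from_domain.lower())
              or DNS_TXT.get("_dmarc." + org_domain(from_domain)))
    if not record or not record.startswith("v=DMARC1"):
        return "none", "none"  # no policy published: nothing to enforce
    tags = parse_tags(record)
    spf_ok = (check_spf(sending_ip, mailfrom_domain) == "pass"
              and aligned(from_domain, mailfrom_domain, tags.get("aspf", "r")))
    dkim_ok = (dkim_result == "pass"
               and aligned(from_domain, dkim_domain, tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


if __name__ == "__main__":
    # Genuine mail from Acme's own range, then the same From: address forged
    # from an unrelated IP and DKIM-signed by the attacker's own domain.
    print(evaluate_dmarc("acmecorp.example", "203.0.113.5", "acmecorp.example", "none", ""))
    print(evaluate_dmarc("acmecorp.example", "192.0.2.99", "attacker.example", "pass", "attacker.example"))
```

The second call shows why alignment matters: the forged message carries a perfectly valid DKIM signature, but for attacker.example rather than acmecorp.example, so it fails DMARC and the p=reject policy tells the receiver to discard it. Whether that actually happens still depends on the receiving server evaluating DMARC at all.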

Conclusion

In today’s world it is almost impossible never to be targeted by a domain spoofing attack. Attackers are getting smarter by the day, and the majority of organizations will experience a domain spoofing attempt, especially with a remote workforce.

Therefore, putting the right protections in place against such an attack is necessary for any person or business.


WRITTEN BY
Gincy Mol A G
AI Security Specialist