Spoofing is a cyberattack technique that tricks users into interacting with malicious IT systems. Cybercriminals disguise malicious assets — like emails, website login pages, or DNS records — to look like genuine ones. Spoofing is commonly used in phishing and social engineering attacks.
Spoofing works differently for different IT assets. Any asset that can be disguised or intercepted is vulnerable to spoofing, so there are many different types of attacks.
Some spoofing attacks are more complex than others. A simple attack might include altering an email sender’s address so it looks like it comes from a reputable company. In a more complex attack, hackers may gain control over an entire mail server and use it to hide their identity.
In every case, attackers have the same goal. Spoofing a trusted or reputable asset lets them trick users or bypass authentication. By building a lookalike version of the trusted asset, threat actors can manipulate people and systems into doing their bidding.
Cybercriminals use a variety of spoofing attacks to gain access to their victims’ networks. They may use multiple spoofing attacks at once to increase their chances of success. The more communication channels a threat actor controls, the harder it is to independently verify those channels with the real organization being spoofed.
1. Email spoofing
Email spoofing is one of the most common types of attacks. Threat actors have many ways to disguise themselves as a familiar or trustworthy contact by email.
Altering the “From” field is among the simplest types of email spoofing attacks. Registering a look-alike email address using homographs (like replacing “i” with the Turkish letter “ı”) is a bit more complex.
Adding an attacker-controlled IP address to an organization’s Sender Policy Framework (SPF) record is more complex still. That complexity doesn’t stop threat actors from attempting SPF hijacking attacks or exploiting misconfigured SPF records.
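As an added illustration (not code from the original post), the following Python checks a From: header for homograph characters in the sender domain, such as the dotless “ı” mentioned above, and parses an SPF record to flag a permissive ‘all’ qualifier. The header and the SPF record are constructed samples.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample: the display name claims one organisation, while the
# address domain swaps Latin "i" for Turkish dotless "ı" (U+0131).
SAMPLE_FROM = 'Example Billing <billing@examp\u0131e-corp.com>'
# Constructed SPF record whose final term authorises every sender.
SAMPLE_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net +all"


def non_ascii_letters(domain):
    """Return each non-ASCII character in a domain with its Unicode name,
    so a reviewer sees e.g. 'LATIN SMALL LETTER DOTLESS I' at a glance."""
    return [f"{c} ({unicodedata.name(c, 'UNKNOWN')})"
            for c in domain if ord(c) > 127]


def check_sender(header):
    """Flag a From: header whose address domain contains non-ASCII letters.
    Internationalised domains are legitimate in some locales, so treat this
    as a review signal rather than a verdict."""
    name, addr = parseaddr(header)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    suspicious = non_ascii_letters(domain)
    return {"display_name": name, "domain": domain,
            "homograph_chars": suspicious, "suspect": bool(suspicious)}


def check_spf(record):
    """Parse an SPF TXT record and report the qualifier on its 'all' term.
    '-all' (fail) is the strict setting; '~all' is softfail; '?all' is
    neutral; '+all' or a bare 'all' authorises any sender. A record with
    no 'all' term at all defaults to neutral and is reported as permissive."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all_qualifier": None, "permissive": True}
    qualifier = None
    for term in terms[1:]:
        if term.lstrip("+-~?").lower() == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
    return {"valid": True, "all_qualifier": qualifier,
            "permissive": qualifier in (None, "+", "?")}
```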
2. Domain spoofing
Domain spoofing is another common attack threat actors leverage against their victims. This is when an attacker designs a website to look exactly like an existing one.
Typically, the spoofed website includes a login page or some other authentication tool. When legitimate users enter their credentials into the spoofed website, that information goes directly to the hackers responsible.
From there, using those credentials to launch a further attack is simple. Alternatively, hackers may sell the information to other cybercriminals on the Dark Web. Initial access brokers often use Dark Web leak sites to illegally share sensitive data obtained through spoofing.
3. IP spoofing
Cybercriminals often use tools that forge the source IP address in the packets they send, allowing them to bypass firewall restrictions and security policies. This is an important step in conducting a Denial of Service (DoS) attack. Without it, stopping the attack would be as simple as blocking the malicious IP.
IP spoofing takes advantage of the way the internet works. The TCP/IP protocol suite lets the sender of a packet fill in its own source address, which receivers use as the return address for replies. Nothing in the protocol verifies that field, so a threat actor can write in someone else’s address and any reply gets “sent back” to a completely different location.
In a volumetric DNS amplification attack, hackers send UDP packets from compromised endpoints with spoofed source IP addresses to a DNS resolver. The spoofed address is the victim’s real IP address, so the resolver sends its response to the victim instead of the real sender. With enough requests and DNS resolvers, cybercriminals can knock large networks offline, causing substantial downtime damage.
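The defensive counterpart to the attack described above, as an added example that is not part of the original post: a BCP 38 style egress filter that drops outbound packets whose source address does not belong to the local network, plus a summary of the dropped DNS traffic that shows which address the reflected replies would have hit. The prefixes and flow records are constructed samples.

```python
import ipaddress
from collections import defaultdict

# Prefixes this network is allowed to source traffic from (constructed).
OUR_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed flow records as (src, dst, proto, dst_port, bytes). The last
# two carry a source address outside our prefixes: the pattern of a
# reflection attack launched from compromised local hosts, and exactly
# what egress filtering at the border exists to stop.
FLOWS = [
    ("203.0.113.10", "198.51.100.5", "udp", 53, 64),
    ("203.0.113.11", "198.51.100.5", "tcp", 443, 1500),
    ("192.0.2.77", "198.51.100.5", "udp", 53, 64),
    ("192.0.2.77", "198.51.100.6", "udp", 53, 64),
]


def egress_filter(flows, prefixes):
    """BCP 38: pass only flows whose source lies inside our own prefixes.
    Returns (allowed, dropped)."""
    allowed, dropped = [], []
    for flow in flows:
        src = ipaddress.ip_address(flow[0])
        (allowed if any(src in p for p in prefixes) else dropped).append(flow)
    return allowed, dropped


def reflection_targets(dropped, min_resolvers=2):
    """Among flows the border filter dropped, group outbound DNS queries by
    their claimed source. One foreign source aimed at several resolvers is
    the signature of an amplification attempt: the replies would land on
    that address, which is the real victim. Returns {source: [resolvers]}."""
    resolvers = defaultdict(set)
    for src, dst, proto, port, _ in dropped:
        if proto == "udp" and port == 53:
            resolvers[src].add(dst)
    return {src: sorted(d) for src, d in resolvers.items()
            if len(d) >= min_resolvers}
```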
4. GPS spoofing
Devices equipped with Global Positioning System (GPS) features report their location to a GPS satellite. GPS-enabled equipment allows organizations to track shipments, manage supply chains, and observe where users are logging in from.
To spoof a GPS signal, cybercriminals use a radio transmitter that overrides the signal sent from the target device. The transmitter sends false data to the satellite, causing it to report the device location inaccurately.
Cybercriminals can use GPS spoofing to disrupt mobile apps and websites that rely on location data. This can disrupt a wide range of processes and technologies, from Internet-of-Things (IoT) sensors to supply chain applications and even satellite clock synchronization.
5. Address Resolution Protocol (ARP) spoofing
Every network interface has its own Media Access Control (MAC) address. On a local network, the Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that traffic for a given IP address reaches the right device. ARP has no built-in authentication, so cybercriminals can send forged ARP replies to steal or modify data on their victims’ assets.
To do this, threat actors link the MAC address of a device they control with a legitimate IP address on the victim’s network. The false ARP mapping convinces other hosts on the network to send data meant for that IP address to the device controlled by the hacker.
Once the connection is established, attackers can quietly steal data sent to the rogue device. They might also use it to obtain a legitimate session ID and gain access to accounts the target device’s user is logged into. If they want to launch a DoS attack, they can also direct high-volume traffic to the MAC address of the server they connected to.
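Detection logic for the poisoning described above, as an added example that is not the original post’s code: it replays a constructed log of ARP replies and raises an alert whenever an IP address is announced with a MAC that differs from the one first seen, or from an administrator-pinned entry such as the default gateway.

```python
# Constructed ARP reply log as (timestamp, sender_ip, sender_mac). The
# gateway 10.0.0.1 is first announced by its real NIC and later claimed by
# a second MAC: the signature of an ARP poisoning attempt.
ARP_REPLIES = [
    (1.0, "10.0.0.1", "00:11:22:33:44:01"),
    (1.5, "10.0.0.25", "00:11:22:33:44:25"),
    (9.0, "10.0.0.1", "DE:AD:BE:EF:00:01"),
    (9.2, "10.0.0.1", "de:ad:be:ef:00:01"),
]

# Mappings the administrator has pinned (constructed). A reply contradicting
# one of these is reported regardless of what was seen earlier.
PINNED = {"10.0.0.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, pinned=None):
    """Return one alert per reply that changes an IP's known MAC.
    Each alert is (timestamp, ip, expected_mac, observed_mac, reason)."""
    pinned = {ip: mac.lower() for ip, mac in (pinned or {}).items()}
    seen = {}          # ip -> first MAC observed on the wire
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        if ip in pinned and mac != pinned[ip]:
            alerts.append((ts, ip, pinned[ip], mac, "contradicts pinned entry"))
            continue
        known = seen.setdefault(ip, mac)
        if mac != known:
            alerts.append((ts, ip, known, mac, "MAC changed"))
    return alerts
```

Legitimate MAC changes do happen (a replaced NIC, failover between redundant gateways), so the alert is a prompt to verify the device, not proof of an attack.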
6. Man-in-the-Middle (MitM) attacks
Man-in-the-Middle (MitM) attacks occur when threat actors intercept communications between two users or assets. This lets them steal and modify data traveling between the two parties, and even manipulate victims by impersonating one of them.
Spoofing is a useful technique for executing MitM attacks. If a threat actor successfully impersonates a trusted person or organization, they can trick victims into sending sensitive data their way. They can solicit this information in a variety of ways, such as telling the victim that they urgently need to change their login credentials.
Most MitM attacks involve spoofing on some level. Hackers must impersonate either a trusted human user or an IT asset that users rely on. Once they establish a malicious connection, they look for opportunities to launch the next phase of the attack.
Lumifi is a Managed Detection and Response (MDR) provider that offers a wide range of solutions to protect against spoofing attacks. We help IT leaders secure their systems against sophisticated threats and conduct 24/7 alarm monitoring and incident response from our Security Operations Center (SOC).
Find out how our proprietary SOC automation service ShieldVision™ can help you gain visibility and control over your security posture. Manage spoofing risks more effectively with help from our dedicated team of product experts.
Date: 01.28 | Time: 1:00 PM MT