
What is spoofing, and how to defend yourself

by admin

The term “spoof” refers to the impersonation of an identity: a person, an application or a device. A simple online search is enough to show how much trouble spoofing can cause: current accounts emptied with the unwitting complicity of the victims, and banks ordered to compensate them, even if only partially, when the defenses put in place are judged insufficient. Article 10 of Legislative Decree 11/2010, taken up in Legislative Decree 218/2017, establishes that, if the customer of an intermediary (in this case a credit institution) denies having ordered a transaction, the burden of demonstrating that authentication took place correctly falls on the payment service provider.

Spoofing takes different forms: hackers use emails, phone calls or text messages that appear to come from people known to the victim but instead contain or constitute a threat.

There are many types of spoofing; here, instead of focusing on the techniques used by hackers, we focus on the defenses that companies can adopt.

What is spoofing

Spoofing includes a wide range of techniques by which a hacker manages to get hold of someone else’s username and password for profit. The forgery of IP addresses and the sending of harmful files disguised so that they do not look like threats fall into the same category. The term has many variants: for the past decade hackers have also relied on what is called “Caller ID spoofing”, in which they call the designated victim while making a number that seems legitimate appear on the phone’s display. The victim may then believe that he is talking to an employee of the bank where he holds a current account, while the call comes from a completely different place and was made by a criminal.


Examples of spoofing

One of the most famous cases dates back to 2018, when the GitHub software project hosting platform was brought to its knees by what remains in memory as one of the most impressive DDoS attacks.

There are even more striking examples. In 2015, Europol thwarted a continental attack by which a group of hackers was intercepting payment requests between some companies and their customers, attempting to divert transfers to current accounts to which they had access.

The list of attacks of this type is long, but it should be noted that the user becomes a means of penetrating an organization, typically a credit institution. Drawing from current events, it is not uncommon for a fake bank employee (who is actually a hacker) to convince his victim to carry out operations on his bank account, usually citing a “sudden and very serious” event that would lead to the account being blocked. The attacker thereby obtains the access credentials and codes needed to carry out a theft and divert funds.

How to fix DNS spoofing

One of the most used techniques is DNS spoofing, which is based on multiple actions in sequence. To evaluate the feasible defenses we asked for the opinion of Marco Ramilli, founder and CEO of Yoroi, a security company with offices throughout Italy. “One of the main ways to counter this is to make sure the referring nameserver is authenticated or doesn’t change often. In fact, there are some techniques (of the Man in the Middle type) which allow the attacker to replace the response server with his own or to anticipate a response from the authoritative DNS server with a specially created response”.


Let’s explain the terms that may be unclear to less experienced readers: a Man in the Middle attack works by altering the communication between parties who believe they are communicating directly with each other. Applied to DNS spoofing, this means a cybercriminal can divert requests for a site to a fake one in order to acquire sensitive user data, typically credentials and access codes. DNS is a service that translates web addresses into IP addresses (for example google.com to 14.251.163.101), and whoever can modify those answers can route users wherever he wants.
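The acceptance test a plain DNS client applies to an answer (source address, transaction ID, question) and a sensor-side check for signs of forged answers, as an added example that is not part of the original article. The queries, responses and addresses are constructed sample data using documentation ranges, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed data: queries a stub resolver sent (qname -> (txid, server asked)).
QUERIES = {"bank.example": (0x1A2B, "192.0.2.53"),
           "shop.example": (0x77C0, "192.0.2.53")}

# Constructed data: responses a sensor saw, as (time_s, src_ip, txid, qname, answer).
RESPONSES = [
    (0.004, "192.0.2.53", 0x1A2B, "bank.example", "203.0.113.66"),   # arrives first
    (0.021, "192.0.2.53", 0x1A2B, "bank.example", "198.51.100.7"),   # later, differs
    (0.015, "192.0.2.53", 0x77C0, "shop.example", "198.51.100.9"),   # normal answer
    (0.016, "203.0.113.9", 0x0001, "shop.example", "203.0.113.66"),  # wrong src/txid
    (0.017, "203.0.113.9", 0x0002, "shop.example", "203.0.113.66"),  # wrong src/txid
]

def matches_query(resp):
    """Plain-DNS acceptance test: source, transaction ID and question must match.
    None of these fields is authenticated, which is why they can be forged."""
    _, src, txid, qname, _ = resp
    return QUERIES.get(qname) == (txid, src)

def find_spoofing_signs(responses):
    """Flag names with conflicting accepted answers or with unsolicited responses."""
    accepted = defaultdict(list)   # qname -> answers that passed the acceptance test
    rejected = defaultdict(int)    # qname -> responses that did not match any query
    for resp in sorted(responses):             # process in arrival order
        qname, answer = resp[3], resp[4]
        if matches_query(resp):
            accepted[qname].append(answer)
        else:
            rejected[qname] += 1
    alerts = []
    for qname in sorted(set(accepted) | set(rejected)):
        if len(set(accepted[qname])) > 1:      # two "valid" answers that disagree
            alerts.append((qname, "conflicting answers", accepted[qname]))
        if rejected[qname]:                    # guesses that missed the ID or source
            alerts.append((qname, "unsolicited responses", rejected[qname]))
    return alerts

if __name__ == "__main__":
    for alert in find_spoofing_signs(RESPONSES):
        print(alert)
```

A client that simply takes the first matching answer would use the address that arrived at 0.004 s; the conflict is only visible to something that keeps watching after the first reply.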

To address this problem, explains Ramilli, there are different techniques, one of which is DNSSec, which certifies each DNS record: “This system solves the problem of DNS spoofing but today it is not yet widely used due to the significant computational effort required to verify certificates”.

“A valid alternative”, continues the CEO of Yoroi, “is offered by DoH (DNS over HTTPS) or DoT (DNS over TLS) solutions. These protocols are widely used today when compared to DNSSec and base their principle on the encryption of traffic between the client (i.e. whoever makes the DNS request) and the server (i.e. whoever resolves it, translating the alphanumeric request into IP protocol). In fact, before starting the DNS request, the client and the server activate a secure HTTPS channel, or TLS. After creating this channel, they send the DNS request to obtain the IP addresses necessary for communication. These systems are very effective both in terms of security (avoiding DNS Spoofing or Poisoning) and privacy (preventing a third party from knowing where you are surfing). The main negative effect of this solution is the slowness in resolution. Just think of the composition of the DNS request (and response) which, before activating, involves negotiation (between client and server) of a TLS or HTTPS channel”.
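What actually travels inside the secure channel described above, as an added example that is not part of the original article: the same DNS message is wrapped as an RFC 8484 DoH GET request or an RFC 7858 DoT frame, so the protection comes from the authenticated TLS session around it. The endpoint `https://doh.example/dns-query`, the function names and the sample reply are assumptions made for the demonstration.

```python
import base64
import struct

def build_query(qname, qtype=1, txid=0):
    """One-question DNS query in RFC 1035 wire format (qtype 1 = A, class IN).
    RFC 8484 recommends ID 0 for DoH so identical queries cache well."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def doh_get_url(endpoint, query):
    """RFC 8484 GET: the DNS message as unpadded base64url in the 'dns' parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()

def dot_frame(query):
    """RFC 7858: inside the TLS session, each message gets a 2-byte length prefix."""
    return struct.pack("!H", len(query)) + query

def sample_response(query, ip=(198, 51, 100, 7)):
    """Constructed reply for the demo: same question plus one A record."""
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(ip)
    return header + query[12:] + answer

def skip_name(msg, pos):
    """Advance past a DNS name, which ends at a zero byte or a compression pointer."""
    while True:
        length = msg[pos]
        if length & 0xC0 == 0xC0:
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length

def first_a_record(msg):
    """Return the first A record of a one-question response as dotted text."""
    ancount = struct.unpack("!H", msg[6:8])[0]
    pos = skip_name(msg, 12) + 4               # skip the question section
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            return ".".join(str(b) for b in msg[pos:pos + 4])
        pos += rdlen
    return None
```

The message bytes are identical in both transports; only the wrapping differs, which is why the resolver's certificate must be validated for either to prevent spoofing.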


The cost of similar solutions

Considering the technologies involved, one would think that implementing such defenses carries considerable costs. Ramilli dispels this myth: “Today there are solutions for all budgets. From free, poorly configurable services with variable latencies and low protection against malicious content, but with excellent protection against DNS Spoofing, Poisoning and Eavesdropping attacks, to professional solutions with extensive configuration possibilities, high performance and with extensive malicious content blocking capabilities for a few tens of euros per year per user. There are Open Source tools that can be installed in the company but, like any Open Source tool, they hide many costs of maintenance, management and updating to be taken into consideration before adoption”.

It is not impossible to defend a company from spoofing attacks, and there are solutions within reach of small and medium-sized organizations from both a financial and a technological point of view: “Speaking of DNS Spoofing, and only this, I believe that using protocols such as DoT is one of the main tips that I can offer. There are a number of platforms that offer DoT for free, some of which are also important and noble organizations present all over the world. Every modern operating system allows its configuration and numerous guides will be able to help the reader in the case of interest”, concludes Ramilli.
