This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.
It is also creates fake responses or signals in order to kepp the session active and prevent timeouts.
It captures, alters, re-transmitts a communication stream in way that misleads the recipient.
As used by hackers, it refers especially to the tcp/ip packets of addresses in order to masquerade a trusted machine.
The term spoofing has become very widespread. Spoofing also means, stealing passwords and personal information from the internet.
The word 'spoof' was introduced to the world by the British comedian Arthur Roberts in 1852.In the 19th century, Arthur Roberts invented the game ''spoof" and thus the name.
This game involved the use of tricks and non-sense. The first recorded reference to this game in 1884 refers to its revival. Very soon the word spoof took on the general sense of nonsense and trickery.
The word spoof was first recorded in 1889.
There are several applications of spoofing. Out of which a few of them are technically related and some are literally related. We take into account some of the technical applications.
Types of Spoofing covered are as follows:
1. E-Mail Spoofing
2. Caller ID Spoofing
3. SMS Spoofing
4. Website Spoofing
5. DLL Spoofing
Spam and e-mail-laden viruses take a lot of the fun and utility out of electronic communications, but at least we can trust e-mail that comes from people we know - except when we can't. this is considered to be one of the favourite technique of spammers and other "bad guys" is to "spoof" their return e-mail addresses, making it look as if the mail came from someone else. In effect, this is a form of identity theft, as the person who sends the email acts to be someone else in order to distract the recipient to do something. In this article, we look at how e-mail spoofing works and what can be done about it.
The objective of spoofed mail is to hide the real identity of the sender. This can be done because the Simple Mail Transfer Protocol (SMTP) does not require authentication (unlike some other, more secure protocols). A sender can use a fictitious return address or a valid address that belongs to someone else.
Receiving mail from spoofed addresses ranges from annoying to dangerous. Having your own address spoofed can be even worse. If a spammer uses your address as the return address, you may suddenly find yourself inundated with angry complaints from recipients or even have your address added to "spammer" lists that results in your mail being banned from many servers.
REASONS FOR EMAIL SPOOFING:
1. This is spam and the person who sends doesn't want to be subjected to anti-spam laws
2. The e-mail constitutes threatening or harassing or some other violation of laws.
3. The e-mail contains a virus or Trojan and the sender believes you are more likely to open it if it appears to be from someone you know
4. The e-mail requests information that you might be willing to give to the person the sender is pretending to be, as part of a "social engineering" attack
5. The sender is attempting to cause trouble for someone by pretending to be that person.
Phishing" is the practice of attempting to obtain users' credit card or online banking information, often incorporates e-mail spoofing. For example, a "phisher" may send e-mail that looks as if it comes from the bank's or credit cards administrative department, asking the user to log onto a Web page and enter passwords, account numbers, and other personal information. Thereby obtaining the users confidential information.
WORKING OF EMAIL SPOOFING
This is the most easily detected form, in e-mail spoofing it simply sets the display name or "from" field of outgoing messages to show a name or address other than the actual one from which the message is sent. Most POP e-mail clients allow you to change the text displayed in this field to whatever you want. For example, when you set up a mail account in Outlook Express, you are asked to enter a display name, which can be anything you want, as shown in Figure 1.
Fig 1: Setting the display name in your e-mail client
The name that we set will be displayed in the recipient's mail program as the person from whom the mail was sent. We can type anything you like in the field on the following page that asks for your e-mail address. These fields are separate from the field where you enter your account name assigned to you by your ISP.
Figure 2 shows what the recipient sees in the "From" field of an e-mail client such as Outlook.
Fig 2: The recipient sees whatever information you entered
When this simplistic method is used, you can tell where the mail originated (for example that it did not come from thewhitehouse.com) by checking the actual mail headers. Many e-mail clients don't show these by default. In Outlook, open the message and then click View | Options to see the headers, as shown in Figure 3.
Fig 3: Viewing the e-mail headers
In this example, you can see that the message actually originated from a computer named XDREAM and was sent from the mail.augustmail.com SMTP server.
Unfortunately, even the headers don't always tell you the truth about where the message came from. Spammers and other spoolers often use open relays to send their bogus or malicious messages. An open relay is an SMTP server that is not correctly configured and so allows third-parties to send e-mail through it that is not sent from nor to a local user. In that case, the "Received from" field in the header only points you to the SMTP server that was victimized.
SOLUTIONS FOR EMAIL SPOOFING:
Although legislation may help to deter some spoofing, most agree that it is a technological problem that requires a technological solution. One way to control spoofing is to use a mechanism that will authenticate or verify the origins of each e-mail message.
The Sender Policy Framework (SPF) is an emerging standard by which the owners of domains identify their outgoing mail servers in DNS, and then SMTP servers can check the addresses in the mail headers against that information to determine whether a message contains a spoofed address.
The downside is that mail system administrators have to take specific action to publish SPF records for their domains. Users need to implement Simple Authentication and Security Layer (SASL) SMTP for sending mail. Once this is accomplished, administrators can set their domains so that unauthenticated mail sent from them will fail, and the domain's name can't be forged.
Caller id spoofing
Caller ID Spoofing: This is a type of spoofing technique associated with changing the Caller ID to show any desired unidentifiable number on the recipients caller id display.
Caller id spoofing is a way of calling someone without them knowing who actually the person is, by hiding the phone number from their caller id.
It can also be explained as the practice of causing the telephone network to display a number on the recipient's Caller id display which is not that of the actual originating station. Just as e-mail spoofing can make it appear that a message came from any e-mail address the sender chooses, Caller ID spoofing can make a call appear to have come from any phone number the caller wishes. Because of the high trust people tend to have in the Caller ID system; spoofing can call the system's value into question hence creating problems for various parties associated with it.
NAMES OF COMPANIES THAT PROVIDE THE CALLER ID SPOOFING FEATURE:
WAY TO MAKE TEXT DISPLAY ON CALLER ID DISPLAY:
With the help of the Spoof Card, Stealth Card, TeleSpoof and many more we can make the text show up on the caller id display instead of number. We have to choose some text from the huge list of funny vanity caller id text phrases and that text will be displayed as our phone number..
CALLER ID SPOOFING CAN BE USED IN MANY WAYS:
Doctor needing to disguise home number
Worried spouse wanting to find the truth
Calling back an unknown number
Responding to classified ads
Hiding your location
PROCEDURE FOR CARRYING OUT CALLER ID SPOOFING:
Caller ID is spoofed through a variety of methods and different technology. The most popular ways of spoofing Caller ID are through the use of VoIP or PRI lines.
Another method is that of coping the Bell 202 FSK signal. This method, called orange boxing, uses software that generates the audio signal which is then coupled to the telephone line during the call. The object is to deceive the called party into thinking that there is an incoming call waiting call from the spoofed number, when in fact there is no new incoming call. This technique often also involves an accomplice who may provide a secondary voice to complete the illusion of a call-waiting call. Because the orange box cannot truly spoof incoming caller ID prior to answer and relies to a certain extent on the guile of the caller, it is considered as much a social engineering technique as a technical hack.
The possible reasons for caller ID spoofing:
Sometimes, caller-id spoofing may be justified. There are legitimate reasons for modifying the caller ID sent with a call. These can be the possible places where caller-ids are spoofed:
Calls that come from a large organization or company, particularly those companies that have many branches, sending the main number is a good option. Consider this example. A hospital might have the primary number 777-2000, and around 250 lines functioning inside the main building, and another 200 at the clinic that is located around 50 miles away. I t may happen that most of the numbers will be in the form of 777-200XX, but it might also happen that many of them have an unrelated and unidentifiable numbers. Therefore if we have all calls come from 777-2000, it lets the call recipients identify that the incoming call is a hospital call.
There are certain commercial answering-service companies which use caller-id spoofing. They basically forward calls back out to a subscriber's mobile phone, when both parties would obviously prefer the Caller ID to display the original caller's information.
Most of the calling-card companies display Caller IDs of the calling-card user to the call recipients.
Many Business owners and dealers use Caller ID spoofing to display their business number on the Caller ID display when they are calling from a place outside the office premises (for example, on a mobile phone).
Skype users have an option of assigning a Caller ID number for preventing their outgoing calls from being screened by the called party (Skype Caller ID in the USA is 000123456).
Google application - Google Voice displays its users' Google Voice number when the users make calls from the service using their landline numbers or mobile phones.
Gizmo5 sends the user's Gizmo5 SIP number as outbound Caller ID on all calls. Because Gizmo5 IDs are in the format 747NXXXXXX, it is possible to confuse calls made from Gizmo5 with calls made from area code 747.
SMS Spoofing allows you to change the name or number of the text messages a recipient would appear to receive.
It replaces the number from which the text message is received with alphanumeric text.
This type of spoofing has both legitimate and illegitimate applications. The legitimate manner would be setting your name or company name or the product name for or from which the text message is sent.
So thereby the text message received will display the name or the company name or the product name and the purpose in the case for e.g. a product (publicising it) would thus be served.
The illegitimate way would be when a person or a company would use the name of some other person or name or a product with the intentions of causing losses to the concerned.
When is it required?
SMS Spoofing takes place when the user from sending end changes the address information so as to conceal the original address from reaching the user at the receiver end.
It is done mostly to impersonate a user who has roamed onto a foreign network, needs to be submitting messages to the home network.
Generally these messages are addressed to destinations that are beyond the range of home network - with the home SMSC(short messaging service centre) being "hijacked" hence causing messages to be sent to other network
Following are the impacts of this activity:
--Due to the hijacking of the home SMSC, The home network can bring in termination charges caused by the delivery of these messages to interconnect partners. This is termed as quantifiable revenue leakage.
These messages can be of concern to the partners involved.
--It is possible that it comes under the notice of the customer that he is spammed and the message sent maybe of personal, financial or political importance to the concerned person.
Therefore, there is a risk that the interconnect partners might threaten to stop the home network from functioning until and unless a suitable remedy is found and properly implemented..
Hence, the consequence of this would be that the 'Home subscribers' will be unable to send messages into these networks.
--While fraudsters generally use spoofed-identities to send messages, there is a risk that these identities may match those of real home subscribers.
This implies, that genuine subscribers may be billed for roaming messages they did not send.
and if this situation does arise, the integrity of the home operator's billing will be under scrutiny, with potentially huge impact on the brand itself. This is a major churn risk.
The legitimate uses for SMS spoofing are:
A person sends a SMS message from an online computer network for lower more competitive pricing, and for the ease of data entry from a full size console. They must spoof their own number in order to properly identify themselves.
A sender does not have a mobile phone, and they need to send an SMS from a number that they have provided the receiver in advance as a means to activate an account.
THREATS OF SMS SPOOFING:
An SMS Spoofing attack is often first detected by an increase in the number of SMS errors encountered during a bill-run. These errors are caused by the spoofed subscriber identities. Operators can respond by blocking different source addresses in their Gateway-MSCs, but fraudsters can change addresses easily to by-pass these measures. If fraudsters move to using source addresses at a major interconnect partner, it may become unfeasible to block these addresses, due to the potential impact on normal interconnect services.
SMS Spoofing is a serious threat to mobile operators on several fronts:
1. Mischarging subscribers.
2. Being charged interconnect fees by the hubs.
3. Blocking legitimate traffic in an effort to stop the spoofing.
4. Assigning highly trained and scarce resources to tackle the problem
EXAMPLES OF SMS SPOOFING:
Messages sent from Google are sent with the Sender ID "Google".
Skype sends messages from its users with the mobile number they registered with. Note that when a user attempts to "reply" to the SMS, the local system may or may not allow the replying message to be sent through to the spoofed "origin."
A user who does not have a mobile phone attempts to sign up for a Foxy tag account, which requires an SMS from a phone number that the user registers with. A dynamically assigned number from an anonymous SMS service will not work because the user is not given the dynamic number in advance to register with.
The Asian School of Cyber Laws recently conducted experiments in SMS spoofing at the national and international level. They were able to successfully spoof SMS messages and make them appear to come from other people's cellular phones. These people were using GSM based cellular phone services in various parts of India and other Asian as well as African countries.
Nitesh Dhanjani discovered a security vulnerability when sending a spoofed SMS message to twitter. Twitter used the SMS originator to authenticate the user. Nitesh used hoax Mail to spoof the SMS message and therefore could trick Twitter to post the message on the victims Twitter page
Website spoofing is a type of spoofing which creates a website or web pages that are basically run with the intention to mislead users into believing that the particular website is created by a different group or a different person.
Another form of website spoofing is creating false or fake websites that generally have the same appearance and layout as the original website and tricking people into sharing their personal or confidential information with the false
The fake websites can have a similar URL as well. Another technique associated with false URL is the use of 'Cloaked' URL.This technique uses methods of domain redirection or URL forwarding which convincingly hides the
address of the actual website.
Website spoofing is often associated with 'Phishing'.It can also be carried out with the intention of criticizing or making fun of the original website or the website developer or fraud as well.
So we can say that web spoofing basically enables an attacker/spoofer to create a "shadow copy" of the entire World Wide Web.
Accesses to this fake Web are monitored through the attacker's system, which helps the attacker to keep a watch on all of the victim's web-activities. These activities include passwords and personal information (bank account numbers).
It can also happen that in the victim's name, the attacker sends certain information to the web servers or send any kind of information to the victim in the name of any Web server. Basically, the spoofer controls everything
the victim does on the Web.
As the spoofer or the attacker has complete control(observing capability as well as modifying capability) over any data that is transmitting from the victim to the web servers and also all the data transactions from the servers to the victim
, the attacker can misuse this in many ways.
Some of the misusing ways are surveillance and tampering.
The attacker can conveniently spy on the traffic, registering which pages and sites the victim visits or surfs as well as the content of those pages.
For example, when the victim fills out a particular form on a particular site, the entered details are transmitted to a server. The attacker can record all these details, along with the response sent back by the server.
And as we know, most of the on-line commerce is done using forms, this information can also give the attacker -the account passwords and other valuable data of the victim. This is highly dangerous.
Surveillance can be carried out by the spoofer even if the victim has a so called "secure" connection to the web-server. So basically, even if the victim's browser shows the secure-connection icon (usually an image of a lock or a key)
it can be possible that the attacker is still successful in his 'Surveillance'.
Surveillance is basically just observing and registering confidential data of the victim.
The spoofer can also MODIFY any of the data that may be travelling in either direction between the victim and the servers. This is called 'Tampering'. If there are any forms submitted by the victim to the web servers, the attacker can bring
about changes in the data entered. For example, if a person is purchasing a certain product on-line, the spoofer can change the product details, product number, shipping address etc.
The attacker can also change the data returned by a Web server, for example by inserting misleading or offensive material to trick the victim or to cause problems between the victim and the server.
Using The Whole Web:
It is not really difficult to spoof the entire World Wide Web, even though it might seem to be difficult. The attacker does not really have to store all the contents of the Web.
The Web in its entirety is available on-line; so the spoofer's server just has to fetch the required page or pages from the real Web whenever it needs to provide a copy of that page on the false Web.
Working of the attack:
For this attack to work, the main duty of the attacker is to sit between the victim and the rest of the Web. This arrangement of sitting between the victim and the web is called a "man in the middle attack".
One of the most frequently used method for web spoofing is URL Rewriting.
The first thing that the attacker has to do is rewrite all of the URLs on some Web page so that the URLs end up pointing at the attackers server, instead of the original one. For example, if the attacker's server is on the machine
http://www.webspoofer.co.cc, the attacker rewrites a particular URL by adding http://www.webspoofer.co.cc to the front of the URL. For example: http://www.bankindia.com can be made into
Then what happens is that the victim's browser requests the page from http://www.webspoofer.co.cc, since the URL starts with http://www.webspoofer.co.cc. The rest of the URL directs the spoofer's server to the required original page.
Once the attacker fetches the real document, the attacker rewrites all of the URLs in the document into the same special form by same spoofing technique.
Then the attacker's server provides the rewritten page to the victim's browser. This is how URL rewritng is used for spoofing.
Web spoofing is one of the most dangerous and undetectable security attack that can be carried out in the web-world today. But of course, there are certain preventive measures that can be taken:
These are the steps to follow for short term protection:
b) Your browser's location line should always be visible;
c) Observe URLs displayed on your browser's location line, and make sure that the URLs always point to the server you think you're connected to.
There is no fully satisfactory long-term solution to this problem. But few things that can be done:
a) Changing browsers can help, so they always display the location line. But the users have to know how to recognise the correct URLs.
b) Using improved Secured-connection indicators.
What is a DLL?
Dynamic Link Libraries or DLL are software object modules, or libraries, linked into a program while it is running.
DLL's are features that allows programs to share common codes so as to help developers to make programs easily and efficiently.
DLL's are extensively used in newer versions of Windows including Windows XP.
What is DLL spoofing?
DLL code runs in the context of its host program, it inherits the full capabilities of the program's user with spoofing. The DLL spoof causes a legitimate program to load a DLL with a Trojan Horse instead of legitimate DLL.
DLL spoofing can occur even if the legitimate DLL is beyond the attackers reach. Since when a program loads DLL's it searches through a sequence of directories looking for the required DLL. Spoofing occurs when the attacker succeeds in inserting the infected DLL-file in one of those directory in such a way that program finds it before it finds the legitimate DLL of the same name. Hence even if the file is write-protected or the attacker doesn't have access to the directory which contains the legitimate DLL then also he can attack the program.
Whenever a user runs a program there occurs a linking algorithm which is used to find the file that holds the DLL. Usually it is the one with DLL suffix.
Linking algorithm searches through three different categories:
Program's directory: It is the directory which holds program's executable file.
System directory: Contains a series of enteries.
Working directory: It is the working directory of the process.
As we have discussed earlier to spoof the user only needs to insert an infected or malicious DLL file into the working directory. If the infected DLL file has the same name as the legitimate DLL then the algorithm will link the fake DLL file to the otherwise trusted program. The infected DLL can then create a new process. It runs in the full capabilities of the user who runs the, it perform the task and request the original DLL file as asked by the user so as not to arouse suspicion. With the help of fake DLL the attacker can now do the whatever task he want which is under the capabilities of the fake DLL.
Among the three above mentioned directories, the program directory and the system directory are most vulnerable as the location is predefined. But in the case of working directory this task is hard to perform as the directory is set by the program only and hence its directory is unknown to the user.
How does the attack work in practical life?
This is where the social engineering skills comes into play. The attacker tries to convince the user to open a simple file. This simple file can be a image too and can be located at any remote place like "http://".
Now the victim(in this case our user) tries to open that file(in this case the image) through a preinstalled software on his machine like a image viewer. Now this image viewer is vulnerable by the binary planting attack.
Now the image viewer may require a DLL file to load dynamically. As the full path name gas not been specified before hand, image viewer will give instructions to Microsoft Windows to search for the required DLL file in a particular order.
Directories in order:
The system directory
The 16-bit system directory
Directories which are listed in PATH environment variables
Usually "Current directory" is the directory in which the image viewer file is stored.
Now the attacker has control over one of the directories which windows searches for, and hence he will be able to place a malicious copy of the dll in that directory.
In such a case the application will load and run the malicious DLL without verification. And now the attacker has gained full control of the affected machine, and now he will be able to perform all the unwanted actions on the machine such as hack into the existing account, create a new account, access important files on specific directories and more.
In such a case web securities like firewall has become an essential instrument to block and prevent the downloading of such malicious files from a remote network location.
The easiest and the most obvious targets for DLL spoofing are the machines running on windows. As here the registry has not been properly updated with a safe-search order for loading DLL's. The safe-search order is not an issue for the PCs running on XP as there are few infectious program and registries which point to fake DLL's or the DLL's which do not even exist. Such program or entries are the real cause of spoofing in the case of XP. Trojans, web caches and email are some of the ways in which codes are placed in the file system. Since obviously having a misconfigured programs or the search path does not mean that the machine will start running malicious code.
As we know this breach is more harmful then the DLL spoof as ordinary user can easily place malicious file in the current folder like in 'Shared Documents'. So when another user with privileged rights opens the document in the same directory, then this directory will become the 'Current Directory' for the machine it will search for the DLL's before the system directory and hence allowing the ordinary user to operate the machine with privileged rights.
Now one may ask that simply placing the
DLL in the shared directory or a web cache will not allow it to be loaded, for the DLL's to be loaded they must be kept in either of system directory, the application directory or a path provided by the application that tries to load the DLL.
So the answer is that being able to write to system and application file space already implies administrator privileges so there would be no need for DLL spoofing.
Hence it arises the need of online security against the spoofing and accessing to administrator privileges.