The Common Misconception
In this day and age, it's easy to type a search term into a search engine and pull up thousands upon thousands of results. It's just as easy to stumble upon the wrong definition (misinformation) for several terms, two such terms being phishing and spoofing. Both phishing and spoofing are tools used by hackers and social engineers for malicious ends. A lot of people, even official news sites, confuse the two terms and sometimes use them interchangeably.
Phishing is the act of trying to trick someone into giving up valuable information in order to gain something, usually financial. As mentioned in one of my previous articles discussing social engineers, it can be done through a variety of methods: a fake e-mail, call, Facebook message, text message, and the like, all intended to get you to expose your account details, such as your password or account numbers.
Spoofing is the act of creating a fake persona to make a person do something they normally wouldn’t do. Would you intentionally download a virus? Intentionally send your friend a link to malware? Probably not. A malicious hacker would spoof their e-mail address to look like an official address and send an e-mail with a link for users to click. When a user clicks the link, the malware or a virus is installed automatically.
Phishing may, at times, require spoofing to trick the user into giving up information but spoofing does not necessarily result in phishing someone’s account.
The best way to understand attacks, so that you can protect yourself, is to understand exactly how they’re used.
Phishing is used to get you to give up valuable (or at times invaluable) information about yourself. Attackers use spoofing to create the fake e-mail.
A common phishing tactic is to try to get a user’s password. For example, an e-mail could be sent from a bank e-mail address (spoofed), explaining to the user that due to a recent change in processes or a recent security threat that the user must change their password. Included in the e-mail would be a link to a site that mirrors the bank’s regular web page. The fact of the matter is, the web page the user landed on is actually a fake website, created to look exactly like the real thing. The user tries to log into their account, thinking it’s really their account, and gives away their password.
Spoofing is not intended to steal this information but to actually make you do something for them.
A common spoofing tactic is to send an official-looking e-mail which has a link inside that leads to malware. For example, during holiday seasons, an e-mail could be sent from a greeting card service's e-mail address (spoofed), with a link that says 'Your friend sent you a gift card! Click here to see it!' In some cases, if they've already infected a user, they can replace the 'Your friend' portion with that user's actual name! The malware would grab the name from the infected user's e-mail account and use it. The minute the link is clicked, the malware installs itself, steals your name from your preferred e-mail account, grabs all your e-mail contacts, and sends e-mails to them, this time with your name on it! And the cycle continues.
The Combined Attack
Since the two attack vectors, phishing and spoofing, are so similar, they can actually be combined into one attack.
During tax season a hacker could send an e-mail from an official looking IRS account, once again spoofed. The e-mail would contain a link to download a new tax form that was recently issued. Once a user clicks the link, a virus is downloaded onto the user’s computer. The form may seem official, but like a Trojan horse, the payload has already been delivered.
The virus lies in wait, logging the actions of the user. Once the user puts in certain keywords, such as bank names, credit card names, social network websites, and so forth, it logs the site and the passwords used. Those results are flagged and sent to the hacker. The virus could then gather the user’s e-mail contacts and send a fake e-mail to them as well, containing the virus.
The hacker now has gained information that would be used to phish an account and steal whatever they want to steal. In this example, spoofing was used in conjunction with phishing. Both objectives were met, a virus was sent, downloaded and spread, and a user’s financial data compromised.
Now that the differences between phishing and spoofing have been identified, along with how both can be used, it is time to understand how you can protect yourself.
The best way to protect yourself is to always question. Why would your bank, Facebook, credit card company, etc., lose your password? Most, if not all, organizations have automated backup processes in place for important information, whether because of best security practices or legal requirements. There should be no reason for them to ask for your password. If you receive an e-mail linking to their site, don't click it. Open a new window and go to the source's site independently; this will help you avoid landing on a fake site.
Never download a file from an e-mail unless absolutely necessary. Most people would assume that an attachment from a friend is safe, but as mentioned above, the friend's computer may already have been compromised. If you receive an attachment from a friend, give them a call or ping them to verify that they did send something. It may seem annoying, but a minor annoyance is better than a major headache from identity theft. If you receive an attachment from a stranger, delete it; don't bother opening the e-mail.
Remember, the best way to prevent yourself from being targeted by phishers or spoofers is to be highly proactive. Keep a keen eye on everything.
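The two red flags in the bank example above (a sender that claims to be the bank, and a link whose visible text shows the bank's address while its real destination is a look-alike site on another domain) can be checked mechanically before anyone clicks. The Python script below is an added example written for this article, not code from the original post; it parses a constructed sample message with the standard library, compares the domain of every link against the sender's domain, and flags links whose visible URL text disagrees with their actual href. All addresses and domains in it are invented for illustration, and the `registrable_domain` helper is a deliberately crude two-label approximation; a production check would use the Public Suffix List.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages (all addresses and domains are invented).
# The first mimics the spoofed "reset your password" bank e-mail: the sender
# looks like the bank, the link text shows the bank's URL, but the href leads
# to a look-alike host on a completely different domain.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Security" <security@examplebank.example>
To: customer@mail.example
Subject: Action required: reset your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Due to a recent change in our security processes you must reset your password.</p>
<p><a href="http://examplebank.example.secure-login.test/reset">https://www.examplebank.example/reset</a></p>
</body></html>
"""

# A benign message whose link points back to the sender's own domain.
BENIGN_EMAIL = """\
From: "Example Bank" <news@examplebank.example>
To: customer@mail.example
Subject: Your monthly statement is ready
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at <a href="https://www.examplebank.example/statements">our website</a> to view it.</p>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude approximation: keep the last two labels of a hostname.
    Good enough for this illustration; a real check would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze(raw_message):
    """Return a list of findings ({"kind": ..., "href": ...}); an empty list means nothing looked off."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    if msg["From"] is None or not msg["From"].addresses:
        return [{"kind": "missing_sender", "href": None}]
    sender_domain = registrable_domain(msg["From"].addresses[0].domain)

    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []  # plain-text only message: no HTML links to inspect here
    collector = LinkCollector()
    collector.feed(body.get_content())

    findings = []
    for href, text in collector.links:
        href_host = urlparse(href).hostname or ""
        # Flag links that leave the domain the sender claims to write from.
        if href_host and registrable_domain(href_host) != sender_domain:
            findings.append({"kind": "link_domain_mismatch", "href": href})
        # Flag links whose visible text is a URL on a different domain than the real target.
        text_host = urlparse(text).hostname or ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            findings.append({"kind": "display_url_mismatch", "href": href})
    return findings


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, analyze(sample))
```

Running the script reports two findings for the suspicious message (the link leaves the sender's domain, and its visible URL does not match the real destination) and none for the benign one. A clean result is not proof of safety: it only tells you the links are consistent with the claimed sender, which is exactly why the article's advice to open a new window and type the site's address yourself still applies.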
This post is part of the series: Phishing - Hook, Line and Sinker
Phishing is a constant thorn in security’s side and a constant reminder of how trusting people are, even to anonymous sources. Understand how phishers take advantage by learning their attack techniques and learn how to prevent and protect yourself from being a victim.