Spoofing and Masquerading

Spoofing and Masquerading

by Scott Alderucci


Spoofing, otherwise known as masquerading, involves the attacker posing as a legitimate network host or application tricking the victim into revealing information. This can involve IP spoofing where an attacker uses someone else's IP address to acquire information or gain access. An attacker can use identity spoofing to trick someone into revealing login information or passwords using fictitious certificates or authorization prompts. Email spoofing is another tactic where an email address is used under false authentication or web spoofing where domains are 'hijacked' or faked. I will also present ways to defend against the many facets of this attack.

IP spoof

One of the many tactics used to attack an individuals information system is a technique know as IP spoofing. IP spoofing is carried out when the attacker sends a message to a computer with an IP address indicating that the message is from a trusted host in order to defeat security measures and authentications. This requires some skill as discovering a trusted IP address and modifying the packet headers to mimic the host pose a challenge. The host is disabled, impersonated, and a connection attempt is made to a service that requires only an address-based authentication [1]. The attacker can then execute a command to leave a backdoor leading to unauthorized access possibly including root access on the targeted system [2]. This kind of attack is considered blind meaning that the identity of the attack is considered a "trusted" host. The targeted system has no idea it under attack. The attacker is then able to freely access data, load viruses, backdoors, or acquire any information located on the system. This kind of attack was used to steal various website domains from their rightful owners. An attacker was able to falsify his authentication to trick an Internet registrar, Network Solutions Inc., into believing he was the owner of a domain name. From there, he was able to alter the ownership information within the domain and hijack the domain for several days [8].

IP address spoofing can be performed for less malicious reasons. Scripts are freely available that allow the users IP address to be untraceable or fraudulent allowing for privacy when accessing sites. This enables the user's identity to be secret and allows user's to access sites untraceable [4]. This is done for protective reasons to some who don't want personal information commonly displayed in their IP to be broadcast to some of the sites they visit.

Identity Spoof

Another tactic an attacker can use to access a system is identity spoofing. An attacker can access a secure system using a fraudulent or stolen certificate that passes verification. This can occur by a couple of means. Passively, the attacker can look for identities that passed during the initial connection of logging into the system. In passive attacks, neither of the parties detects that the identity is being viewed. Active attacks can occur by finding an identity using the "man-in-the-middle" technique or by replacing a responder in the negotiation. The attacker proceeds through the authentication with the victim until the victim reveals his identity[5]. Microsoft issued a patch to correct a flaw enabling this attack in many of it's software products. This flaw enabled "an attacker who had a valid end-entity certificate to issue a subordinate certificate that, although bogus, would nevertheless pass validation."[3]. Stealing such an identity has effects ranging from mild annoyance to extreme inconvenience. A stolen identity could lead someone to impersonate you on a bulletin board smudging your reputation, all the way to impersonating you to get access to bank accounts and other personal information.

Web Spoofing

Web spoofing is a tactic used where web pages or the entire web is copied or modified for use in an attack. In both cases, the victim is tricked into believing they are operating in a safe environment with their movements going unmonitored. In the first scenario, a carefully copied web page is created, the victim accesses the spoofed page, and is led to believe he is communicating with the real server. In reality, the page is a carefully copied version of the real one working off the attacker's server. This kind of attack is possible since the server is able to relay its information to the browser window of the victim. The victim judges the security of the connection based on the certificates, warnings and icons displayed within the browser. All this information can be duplicated with false icons and meaningless pop-up warnings of the connection being secure in the browser window[7]. An email message informing the recipient that they were credited two hundred dollars was sent out to several Paypal users. The email message contained a URL link to a forged Paypal web page on the attackers server where they had to enter their confidential financial information [10].

The second scenario may seem implausible where the whole web is spoofed but it is very possible. In this kind of attack, the attacker becomes a middleman between the victim and the Web. The first step to initiating this attack is to lure the potential victim into the false web on the attackers server. Creating a false link to the attacker's server accessible through a real web page, a link or through a search engine can accomplish this. From there, the attacker does not create a false copy of every web page stored on their server but instead, the attacker's server downloads the requested page from the real Web when it needs to provide a copy to display within the victim's computer browser. When the victim submits information through his browser, it is accessible and can be modified by the attacker before it gets submitted through the real web page. The attacker is also able to modify any data that would be returned by the web page in response to the sent information [9]. This kind of spoofing is also known as the man in the middle attack and can be extremely damaging as the victim can be unaware they were attacked.

Email Spoofing

Email spoofing occurs when a user receives email that appears to have originated from one source when it actually was sent from another source. Email spoofing is often an attempt to trick the user into releasing confidential information such as passwords, to cause damage or for spamming purposes. Each reason represents a malicious attack meant to cause harm. In one situation, a spoofed email can be sent out to trick a user into revealing confidential information. The attacker is able to disguise the header of the email and in some cases forge the IP address to make it appear authentic. They can then send out an email that appears to be from a system administrator requesting password verification or requiring the user to change the password to a set code for their protection. The return email can be redirected to the attackers true inbox with the requested victim's sensitive information. This is known in the hacking circle as "social engineering". An email spoof attack can also be perpetrated for the sole intent of causing harm. A student was able to use the flowers.com company name in an email boasting "free cash grants" in order to cause chaos to the web site's network including hate mail and bounces crashing the system [10]. Some marketing companies, to send advertisements, use email spoofing where the 'from:' address matches the 'to:' address. This draws on the fact that most users will open an email apparently sent by themselves out of curiosity than if it was sent out with an anonymous address as the return [12].


There are several techniques to defend one's system against such spoofing tactics. Using more secure means rather than relying on address-based authentications leaves one less open to an attack. Requiring all traffic to be encrypted or authenticated is a good tactic [11]. Patches to flaws that leave doors open to attack in programs should be installed as soon as they become available. To prevent many web spoofing attacks, make sure the browser's location is always visible and point to the verified server with whom one is communicating [7]. On questionable emails, verifying the domain name matches with the IP address it is sent from will help filter out possible spoofed email addresses. Configuring email programs to show full email addresses and not just an aliases will reduce the chance of an effective attack. Always ask for authentication by some other means when there is a request for confidential information. Of course, the most common tactic would be to use common sense and verify security before releasing any confidential information.


Spoofing attacks can be very costly to the victim. They often occur with no knowledge any malevolent action has taken place and vital information can be taken and used before the victim is alerted. Spoofing comes in many varieties of attacks each with a potential of causing damage. Setting standards for web safety and being careful when releasing confidential information will reduce one's chances of becoming a victim of such spoofing attacks.


1. Velasco, Victor Introduction to IP Spoofing. Sans Institute. http://rr.sans.org/threats/intro_spoofing.php

2. Institute for Telecommunication Sciences, Internet protocol (IP) spoofing http://www.its.bldrdoc.gov/fs-1037/dir-019/_2834.htm

3. Boulton, Clint. Microsoft Airs Critical Identity Spoofing Flaws InternetNews, September 5, 2002 http://www.internetnews.com/dev-news/article.php/1457191

4. SuperScripts.com. FAKE ID http://www.superscripts.com/scripts/fakeid.html

5. Hoffman, Paul. Thoughts on Identity Attacks February 04, 2002 http://www.sandelman.ottawa.on.ca/ipsec/2002/02/msg00037.html

7. Felten, Edward W. et al. Web Spoofing: An Internet Con Game Princeton University, Feb 1997 http://www.cs.princeton.edu/sip/pub/spoofing.html

8. Web sites 'stolen' by cyberthugs MSNBC May 31, 2000 http://zdnet.com.com/2100-11-521171.html?legacy=zdnn

10. Lieb, Rebecca. Spoofing: Identity Crisis May 22, 2002 http://www.smallbusinesscomputing.com/emarketing/article.php/1142751

11. IP-spoofing Demystified. The Information Exchange June 1996 http://info-x.co.uk/default.asp?page=http://www.info-x.co.uk/info/ipspoofing .stm

12. Worley, Becky. Self-Sending Spam Tech Live Jan 30 2002 http://abcnews.go.com/sections/business/TechTV/techtv_Self-SendingSpam_02013 0.html