
Spoofing, Pokémon & Vulnerability

Spoofing is not the name of any Pokémon (although it might be), but that of a type of scam. Over the past year, it accounted for more than $216M in losses in the United States (according to the FBI report). Through an email, phone call, or text message, criminals pretend to be a reliable source to deceive their victims (see Figure 1).

Figure 1. 2020 Crime Types by Victim Loss

Spoofing has almost a ninth of the victims that phishing/vishing/smishing/pharming have (see Figure 2). In this regard, spoofing is very dangerous because of the amount of money stolen in a single transaction and not because of the number of victims who fall for this ruse. In January of this year, Washington State reported $777,045 in losses related to this scam. A few days ago in New York City, the finance department of a clinical trial software firm transferred $4.8M to a criminal account due to a spoofed email.

A criminal could imitate an email, with the sender's name, from a forged IP address. Thanks to it, criminals can send a link that redirects to a page served through a counterfeit Domain Name System (DNS) entry. Criminals usually apply a two-step verification trick, backing up that email with phone calls or SMS messages addressed to the company's financial teams. Financial institutions, banks, commercial companies, and government entities are the main targets of this type of deception.

How does spoofing work?

ARP-MAC-IP combo

This combo is the perfect trick to divert resources, money, information, and data. To do this, criminals impersonate a set of internet protocols, that is to say, both the transmitter and the receiver of data between the connected computers. Think, for example, that you want to send a gift to a friend who lives far away. For that, you decide that the best way is to trust a courier. In this case, both your address and your friend's address would be two Internet Protocol (IP) addresses. The Address Resolution Protocol (ARP) would be the path that the courier has to travel to deliver the package. And the Media Access Control (MAC) address would be each one's ID number. In this example, the spoofing combo would be like this: a cybercriminal fakes the ARP (the path) of a local area network so that it routes traffic in a different direction. Then, by falsifying the MAC address (your friend's ID) and the IP address (your friend's address), criminals can disguise a device as if it were enrolled in the target network. By doing so, the traditional access restriction mechanisms are never consulted. From there, all the information can be redirected to the criminal's computer. Still, the boldest criminals do not keep all that information but alter it and forward it to the genuine recipient.
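As an added example (not code from the original post), here is a small passive detector for the ARP half of this combo, in the spirit of tools like arpwatch: it reads tcpdump-style ARP reply lines (constructed here, not a real capture) and flags an IP whose MAC changes and a MAC that claims more than one IP.

```python
import re
from collections import defaultdict

# Matches the "X is-at Y" form tcpdump prints for ARP replies.
ARP_REPLY = re.compile(r"Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed sample capture: a gateway (.1) and a workstation (.20) answer
# normally, then a third device claims both of their IPs with its own MAC.
SAMPLE_CAPTURE = """\
12:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01, length 28
12:00:02 ARP, Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:07 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
12:00:08 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

def parse_replies(text):
    """Yield (sender_ip, sender_mac) for every ARP reply line in the capture."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield m.group(1), m.group(2).lower()

def analyze_arp(replies, max_ips_per_mac=1):
    """Return alert strings for two classic ARP-spoofing symptoms:
    an IP whose MAC changes, and one MAC claiming several IPs."""
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append(f"IP {ip} changed MAC {prev} -> {mac}")
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > max_ips_per_mac:
                alerts.append(f"MAC {mac} claims {sorted(mac_to_ips[mac])}")
    return alerts

if __name__ == "__main__":
    for alert in analyze_arp(parse_replies(SAMPLE_CAPTURE)):
        print("ALERT:", alert)
```

A legitimate DHCP re-lease or a replaced network card also changes an IP's MAC, so a production monitor compares against a known-good table before paging anyone.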

DNS-Website combo

Criminals who know the DNS can assign domains to previously forged IPs. When people access a web page using standard URLs (Uniform Resource Locators), criminals can poison the DNS caches those lookups rely on so that they point to sites of their choosing. Once that process is performed, the victim enters, without noticing, a malicious replica of the desired domain. Furthermore, that replica is usually updated according to the original website's changes, making it challenging to identify the farce.

Email-Phone-SMS combo

This combo may be the one that requires the least work from the criminals' side. First, they imitate a mail header by changing the mail sender so that it looks like a legitimate source from the victims' perspective. Then they send an email with the appearance of being official. In it, they require victims to make a payment or transaction to an account. Next, a caller ID is forged to impersonate the person or company from which the mail was allegedly sent, in order to confirm the email's instructions. If that is not enough, criminals can use a forged SMS (short message service) to double-check what was said by mail. At the same time, they send a false notification to confirm that the alleged recipient of the transaction received the money or that the supposedly due invoice was paid.

GPS

If criminals could alter geolocation services, they could use them to disrupt the transportation apps that individuals or companies use to guide their trips. The problem, of course, would be more a matter of sabotage than anything else. Criminals could, for example, cause a person to reach an unexpected place by resetting the app's GPS position or send them on routes with traffic or road obstacles. Anyway, this type of spoofing is much more dangerous when used as an extra ingredient in one of the above combos.

How can we deal with such scams?

Of course, the best way not to fall for such scams is to be alert to emails, calls, and SMS. However, prevention will always have better results than corrective actions. In this case, prevention could include shielding emails from suspicious accounts. For example, companies can add "DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) records to their business's domain name record." If your company makes these small changes, it will not regret it, as it will send all suspicious emails to the junk folder. Once a scam is discovered, it must be reported. Those who live in the United States and have been scammed while working in a company can file their complaints on the Federal Communications Commission official website. They can also go to the Crime Complaint Center website or find more info on the FBI's page for this purpose.
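As an added example, not part of the original post, the following checks whether the SPF and DMARC records a company publishes are strong enough to have spoofed mail rejected rather than merely watched. The records are constructed strings (example.com and example.net are placeholders); it assumes you fetched the real TXT records separately.

```python
# Assess SPF and DMARC TXT records for weak settings that still let spoofed
# mail through. Constructed records, no live DNS lookups.

def parse_dmarc_tags(record):
    """Split "v=DMARC1; p=reject; rua=..." into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_spf(record):
    """Return findings about the SPF record's terminal 'all' mechanism."""
    if not record.startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    mechanisms = record.split()[1:]
    last = mechanisms[-1].lower() if mechanisms else ""
    if last in ("+all", "all"):
        return ["SPF '+all' authorizes every sender, so it blocks nothing"]
    if last == "?all":
        return ["SPF '?all' is neutral and does not reject forged senders"]
    if last == "~all":
        return ["SPF '~all' only softfails forged senders; use '-all'"]
    if last != "-all":
        return ["SPF has no terminal 'all' mechanism"]
    return []

def assess_dmarc(record):
    """Return findings about the DMARC policy, its coverage and reporting."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']} leaves part of the mail unprotected")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address, so no aggregate reports arrive")
    return findings

# Constructed records: a monitoring-only setup beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"
```

Move to p=reject only after the aggregate reports show that every legitimate sender passes SPF or DKIM alignment, otherwise your own mail gets rejected along with the forgeries.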

Now, I bet that you've heard about Pikachu, Ash Ketchum, or Pokémon. However, I also bet that you don't know what links one of the most valued franchises in the world with spoofing. So, to understand it, we have to talk a bit about Pokémon.

One of the latest hits of this franchise was their collaborative success with the enterprise Niantic when they decided to launch Pokémon Go. The goal of this game is to catch Pokémon in real places. So, players must go outside their houses to catch them all. But recently, with COVID-19 confinements, people have resorted to other ways of walking around the globe: altering their GPS systems. In other words, players trick the app into believing that they are somewhere else to make Pokémon appear so that they can catch them. Seemingly, many people are interested in such uses. So, they've googled how the Pokémon Go app can be spoofed to catch Pokémon. Therefore, those two words (spoofing and Pokémon) have been linked since 2020 on search-trend websites (see Figure 3). That's why we say that one person's fun is another's danger. In seeking to innocently catch more Pokémon, spoofing has become more popular. In turn, this makes more people use this type of cyberattack technique, making companies more vulnerable to being attacked.

Figure 3. Screenshot taken on May 12, 2021 on Google Trends

At Fluid Attacks we specialize in cybersecurity through pentesting and ethical hacking. For more information, don't hesitate to contact us!

*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Felipe Zárate. Read the original post at: https://fluidattacks.com/blog/spoofing/