
Spoofing, Pokémon & Vulnerability

Why may the fun of some be the danger of others?

By Felipe Zárate | May 12, 2021 | Category: Attacks

Spoofing is not the name of a Pokémon (although it could be), but of a type of scam. Over the past year, it accounted for more than $216M in losses in the United States, according to the FBI's report. Through an email, phone call, or text message, criminals pose as a trusted source to deceive their victims (see Figure 1).

Spoofing has almost a ninth as many victims as phishing/vishing/smishing/pharming (see Figure 2). In this regard, spoofing is very dangerous because of the amount of money stolen in a single transaction, not because of the number of victims who fall for the ruse. In January of this year, Washington State reported $777,045 in losses related to this scam. A few days ago in New York City, the finance department of a clinical trial software firm transferred $4.8M to a criminal account because of a spoofed email.

A criminal can imitate an email, complete with the sender's name, from a forged IP address. With it, criminals can send a link that redirects to a page served through a counterfeit Domain Name System (DNS) entry. Criminals usually pull a two-step verification trick, backing up that email with phone calls or SMS messages addressed to the company's financial teams. Financial institutions, banks, commercial companies, and government entities are the main targets of this type of deception.

How does spoofing work?

ARP-MAC-IP combo

This combo is the perfect trick to divert resources, money, information, and data. To pull it off, criminals impersonate a set of internet protocols, that is, both the transmitter and the receiver of the data exchanged between connected computers. Think, for example, that you want to send a gift to a friend who lives far away and decide that the best way is to trust a courier. In this case, both your address and your friend's address would be two Internet Protocol (IP) addresses. The Address Resolution Protocol (ARP) would be the route the courier has to travel to deliver the package. And the Media Access Control (MAC) address would be each one's ID number. In this example, the spoofing combo would go like this: a cybercriminal fakes the ARP (the route) of a local area network so that it routes traffic in a different direction. Then, by falsifying the MAC address (your friend's ID) and the IPs (your friend's address), criminals can disguise a device as if it were enrolled in the target network. By doing so, they are never challenged by the traditional access restrictions. From there, all the information can be redirected to the criminal's computer. Still, the boldest criminals do not keep all that information but tamper with it and send it on to the genuine recipient.
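The defensive counterpart of the combo described above is to watch the IP-to-MAC bindings that ARP replies announce and alert when they change or when one hardware address claims too many IPs. The following is an added example written for this article, not code from Fluid Attacks; it runs on constructed ARP reply records (all addresses are made up) instead of a live packet capture.

```python
"""Flag ARP-spoofing symptoms in a stream of ARP replies.

Added example for this article; it is not code from Fluid Attacks. It works on
constructed ARP reply records instead of a live packet capture and raises the
two classic alerts: an IP whose MAC mapping changes after it was first learned,
and one MAC that claims more IP addresses than a normal host should.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # the IP the reply claims to own ("I am 192.168.1.1")
    sender_mac: str  # the hardware address it wants that IP bound to


class ArpWatch:
    """Tracks IP->MAC bindings as a switch or host would and reports anomalies."""

    def __init__(self, max_ips_per_mac=2):
        # A router or a host with a few aliases may legitimately own more than one
        # IP, so the threshold is a tunable rather than a hard rule of one.
        self.max_ips_per_mac = max_ips_per_mac
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)

    def observe(self, reply):
        alerts = []
        known = self.ip_to_mac.get(reply.sender_ip)
        if known is not None and known != reply.sender_mac:
            alerts.append(
                f"MAC change for {reply.sender_ip}: {known} -> {reply.sender_mac}"
            )
        self.ip_to_mac[reply.sender_ip] = reply.sender_mac
        self.mac_to_ips[reply.sender_mac].add(reply.sender_ip)
        claimed = self.mac_to_ips[reply.sender_mac]
        if len(claimed) > self.max_ips_per_mac:
            alerts.append(
                f"{reply.sender_mac} claims {len(claimed)} IPs: {sorted(claimed)}"
            )
        return alerts


def scan(replies, max_ips_per_mac=2):
    """Run every reply through one ArpWatch and return all alerts in order."""
    watch = ArpWatch(max_ips_per_mac)
    alerts = []
    for reply in replies:
        alerts.extend(watch.observe(reply))
    return alerts


# Constructed sample traffic: a gateway and a workstation answer normally, then a
# third MAC (made-up value) starts claiming both of their IPs plus another one.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "02:00:00:00:00:01"),   # gateway, legitimate
    ArpReply("192.168.1.20", "02:00:00:00:00:20"),  # workstation, legitimate
    ArpReply("192.168.1.1", "02:00:00:00:00:99"),   # gateway IP rebound to another MAC
    ArpReply("192.168.1.20", "02:00:00:00:00:99"),  # workstation IP rebound too
    ArpReply("192.168.1.30", "02:00:00:00:00:99"),  # same MAC now owns three IPs
]

if __name__ == "__main__":
    for line in scan(SAMPLE_REPLIES):
        print("ALERT:", line)
```

The watcher can only spot a change it saw happen: if the impostor answers first, the wrong binding is what gets learned. In practice the baseline comes from a trusted source such as static ARP entries for the gateway or the DHCP snooping binding table, and the threshold is tuned per segment.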

DNS-Website combo

Criminals who know how the DNS works can assign domains to previously forged IPs. When people access a web page using standard URLs (Uniform Resource Locators), criminals can poison the cached DNS entries for those lookups to their advantage. Once that is done, the victim enters, without noticing, a malicious replica of the desired domain. Furthermore, that replica is usually updated to track the changes on the original website, making the farce hard to spot.
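What keeps a forged answer out of a cache are the acceptance checks a resolver applies before believing a response. The following is an added example for this article, not code from Fluid Attacks or from any real resolver: DNS messages are modelled as small dataclasses instead of parsed wire-format packets, and the sample exchange is constructed.

```python
"""Acceptance checks a stub resolver applies before caching a DNS response.

Added example for this article, not code from Fluid Attacks or any resolver. DNS
messages are modelled as small dataclasses rather than parsed wire-format packets.
The resolver remembers each query it has in flight and accepts a response only if
it matches that query's transaction ID, the UDP source port the query left from,
and the question section; records outside the name it asked about are discarded
instead of cached, so a forged reply cannot slip extra bindings into the cache.
"""
from dataclasses import dataclass, field


@dataclass
class Query:
    txid: int
    src_port: int   # ephemeral UDP port the query was sent from
    qname: str
    qtype: str


@dataclass
class Response:
    txid: int
    dst_port: int   # port the response is addressed to
    qname: str
    qtype: str
    answers: list                       # (name, type, rdata) tuples
    additional: list = field(default_factory=list)


def in_bailiwick(name, qname):
    """True if `name` is the queried name or lies beneath it (simplified rule)."""
    name, qname = name.lower().rstrip("."), qname.lower().rstrip(".")
    return name == qname or name.endswith("." + qname)


class StubResolver:
    def __init__(self):
        self.pending = {}   # (txid, src_port) -> Query
        self.cache = {}     # (name, type) -> rdata

    def send(self, query):
        self.pending[(query.txid, query.src_port)] = query

    def receive(self, resp):
        key = (resp.txid, resp.dst_port)
        query = self.pending.get(key)
        if query is None:
            return "dropped: no in-flight query with that txid and port"
        if (query.qname.lower(), query.qtype) != (resp.qname.lower(), resp.qtype):
            return "dropped: question section does not match"
        accepted = [
            rr for rr in resp.answers + resp.additional if in_bailiwick(rr[0], query.qname)
        ]
        for name, rtype, rdata in accepted:
            self.cache[(name.lower(), rtype)] = rdata
        del self.pending[key]   # one response per query; replays are dropped
        return f"accepted {len(accepted)} record(s)"


def demo():
    """Constructed exchange: one real query, three candidate responses."""
    resolver = StubResolver()
    resolver.send(Query(0x1A2B, 40001, "www.example.com", "A"))
    results = [
        # Right txid, wrong port: whoever sent this never saw the real query.
        resolver.receive(Response(0x1A2B, 53, "www.example.com", "A",
                                  [("www.example.com", "A", "192.0.2.66")])),
        # Matching response that also carries an unrelated additional record.
        resolver.receive(Response(0x1A2B, 40001, "www.example.com", "A",
                                  [("www.example.com", "A", "203.0.113.10")],
                                  [("mail.example.org", "A", "192.0.2.67")])),
        # The same response replayed after the query was already satisfied.
        resolver.receive(Response(0x1A2B, 40001, "www.example.com", "A",
                                  [("www.example.com", "A", "203.0.113.10")])),
    ]
    return results, resolver.cache
```

Randomising both the transaction ID and the source port is what makes the first check meaningful, and the bailiwick rule is what stops the extra `mail.example.org` record from landing in the cache. A real resolver adds DNSSEC validation on top; nothing here replaces that.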

Email-Phone-SMS combo

This combo may be the one that requires the least work on the criminals' side. First, they forge a mail header, changing the sender so that it looks like a legitimate source from the victims' perspective. Then they send an email that appears to be official, in which they require the victims to make a payment or transfer to an account. Next, they forge the caller ID to impersonate the person or company the mail was supposedly sent from and confirm the email's contents. If that is not enough, criminals can use a forged SMS (short message service) message to double-check what was said by mail. At the same time, they send a false notification confirming that the alleged recipient of the transfer received the money or that the supposedly due invoice was paid.

GPS

If criminals could alter geolocation services, they could use them to disrupt the transportation apps that individuals or companies rely on to plan their trips. The problem, of course, would be closer to sabotage than anything else. Criminals could, for example, make a person end up in an unexpected place by resetting the app's GPS, or send them along routes with traffic or road obstacles. In any case, this type of spoofing is far more dangerous when used as an extra ingredient in one of the combos above.

How can we deal with such scams?

Of course, the best way not to fall for such scams is to stay alert to emails, calls, and SMS messages. Still, prevention will always yield better results than corrective action. Here, prevention can include shielding email from suspicious accounts. For example, companies can add "DomainKeys Identified Mail (DKIM), Domain-based Message Authentication, Reporting and Conformance (DMARC), and Sender Policy Framework (SPF) records to their business's domain name record." If your company makes these small changes, it will not regret it, as suspicious emails will be sent to the junk folder. Once a scam is discovered, it must be reported. Those who live in the United States and have been scammed while working for a company can file a complaint on the Federal Communications Commission's official website. They can also go to the Internet Crime Complaint Center website or find more information on the FBI's page for this purpose.
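To make concrete how the SPF and DMARC records just mentioned stop the forged-header step of the Email-Phone-SMS combo, here is an added example written for this article, not code from Fluid Attacks or from any mail library. The DNS TXT records are constructed and held in a dict so it runs offline; SPF is modelled for the `ip4`, `include` and `all` mechanisms only, identifier alignment uses a simplified organisational-domain rule, and DKIM is left out, so the result shows what SPF-based DMARC evaluation alone decides.

```python
"""Evaluate SPF and apply a DMARC policy to an inbound message, offline.

Added example for this article; it is not code from Fluid Attacks or from any mail
library. DNS lookups are replaced by a dict of constructed TXT records so it runs
without network access. SPF covers the ip4, include and all mechanisms with their
qualifiers (a, mx, exists, redirect are not modelled); DMARC checks SPF identifier
alignment between the envelope-from domain and the header From domain and returns
the policy to apply. DKIM signature checks are out of scope here, so a message that
would pass DMARC only through DKIM is shown as failing.
"""
import ipaddress

# Constructed zone data standing in for DNS TXT records.
TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "_dmarc.example.com": "v=DMARC1; p=reject; aspf=r; rua=mailto:dmarc@example.com",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(sender_ip, domain, depth=0):
    """Return 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'."""
    if depth > 10:                      # RFC 7208 caps DNS-querying mechanisms at 10
        return "permerror"
    record = TXT.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    addr = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            if addr in ipaddress.ip_network(term[4:], strict=False):
                return QUALIFIERS[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced record yields pass
            if spf_check(sender_ip, term[8:], depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        elif term == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                    # no mechanism matched and no 'all' present


def parse_dmarc(domain):
    """Parse the _dmarc TXT record for `domain` into a tag dict, or None."""
    record = TXT.get(f"_dmarc.{domain}")
    if not record or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def org_domain(domain):
    # Simplified to the last two labels; real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(envelope_domain, header_domain, mode):
    if mode == "s":                     # strict alignment: exact match
        return envelope_domain.lower() == header_domain.lower()
    return org_domain(envelope_domain) == org_domain(header_domain)


def dmarc_disposition(sender_ip, envelope_from_domain, header_from_domain):
    """Return (spf_result, disposition); disposition is pass, none, quarantine or reject."""
    spf = spf_check(sender_ip, envelope_from_domain)
    policy = parse_dmarc(header_from_domain)
    if policy is None:
        return spf, "none"              # no DMARC record: receiver falls back to its own rules
    if spf == "pass" and aligned(envelope_from_domain, header_from_domain, policy.get("aspf", "r")):
        return spf, "pass"
    return spf, policy.get("p", "none")


if __name__ == "__main__":
    cases = [
        ("203.0.113.25", "example.com", "example.com"),   # the company's own mail server
        ("198.51.100.10", "example.com", "example.com"),  # included third-party relay
        ("192.0.2.7", "example.com", "example.com"),      # forged envelope from an unlisted IP
        ("192.0.2.7", "evil.invalid", "example.com"),     # forged From, sender's own envelope
    ]
    for ip, env, hdr in cases:
        print(ip, env, hdr, "->", dmarc_disposition(ip, env, hdr))
```

The last two cases are the spoofed-header scenario: whether the impostor forges the envelope domain too or only the visible From header, the message ends with `reject` because the published policy says so and nothing authenticated the sender. Until the record set is known to be complete, organisations typically publish `p=none` or `p=quarantine` and read the aggregate reports sent to the `rua` address before moving to `p=reject`.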

Now, I bet you've heard of Pikachu, Ash Ketchum, or Pokémon. However, I also bet you don't know what links one of the most valuable franchises in the world with spoofing. To understand it, we have to talk a bit about Pokémon.

One of the franchise's latest hits was its collaboration with the company Niantic to launch Pokémon Go. The goal of the game is to catch Pokémon in real places, so players must leave their houses to catch them all. But recently, with the COVID-19 lockdowns, people have resorted to another way of walking around the globe: altering their GPS. In other words, players trick the app into believing that they are somewhere else so that Pokémon appear there and they can catch them. Seemingly, many people are interested in such uses, so they've googled how the Pokémon Go app can be spoofed to catch Pokémon. As a result, those two words (spoofing and Pokémon) have been linked since 2020 on search-trend websites (see Figure 3). That's why we say that the fun of some is the danger of others. In the innocent pursuit of catching more Pokémon, spoofing has become more popular. In turn, this leads more people to use this type of cyberattack technique, making companies more vulnerable to being attacked.

Figure 3. Screenshot taken on May 12, 2021 on Google Trends

At Fluid Attacks, we specialize in cybersecurity through pentesting and ethical hacking. For more information, don't hesitate to contact us!