Domain spoofing involves faking a website or email name so unsecured or malicious websites and emails appear safe.
What is domain spoofing?
Domain spoofing is when cyber criminals fake a website name or email domain to fool users. Domain spoofing aims to trick a user into interacting with a malicious email or a phishing website as if it were legitimate. Domain spoofing is like a con artist who shows someone fake credentials to gain their trust before taking advantage of them.
Domain spoofing is often used in phishing attacks. A phishing attack aims to steal personal information, such as account login credentials or credit card details, to trick the victim into sending money to the attacker or trick a user into downloading malware. Domain spoofing can also be used to carry out ad fraud by tricking advertisers into paying for ads on websites other than those they think they’re paying for.
Domain spoofing is distinct from DNS spoofing or cache poisoning and BGP hijacking. These are other ways to direct a user to the wrong website that are more complex than simply faking the name.
What is a domain?
A domain, or more correctly, domain name, is the full name of a website. “cloudflare.com” is one example of a domain name. The domain appears within employees’ email addresses after the “@” symbol for companies and organizations. A personal email account may use “gmail.com” or “yahoo.com” as its domain, but a company email usually uses its website. (To learn more about domains, see What is DNS?)
What are the main types of domain spoofing?
Website/URL spoofing
Website spoofing is when an attacker builds a website with a URL that closely resembles, or even copies, the URL of a legitimate website that a user knows and trusts. In addition to spoofing the URL, the attacker may copy the content and style of a website, complete with images and text.
To imitate a URL, attackers can use characters from other languages or Unicode characters that look almost identical to regular ASCII characters. (This is called a homograph attack.) Less convincing spoofed URLs may add or substitute regularly used characters to the URL and hope users don’t notice.
These fake websites are typically used for criminal activities like phishing. A fake login page with a seemingly legitimate URL can trick users into submitting their login credentials. Spoofed websites can also be used for hoaxes or pranks.
Email spoofing
Email spoofing is when an attacker uses a fake email address with the domain of a legitimate website. This is possible because domain verification is not built into the Simple Mail Transfer Protocol (SMTP), the protocol that email is built on. Email security protocols developed recently, such as DMARC and DKIM, provide greater verification.
Attackers will often use email spoofing in phishing attacks. An attacker will spoof a domain name to convince users that the phishing email is legitimate. An email that seems to come from a company representative is more convincing at first glance than an email from some random domain.
The goal of the phishing attack could be to get users to visit a certain website, download malware, open a malicious email attachment, enter account credentials, or transfer money to an account the attacker controls.
Email spoofing is often paired with website spoofing, as the email may lead to a spoofed website where users are supposed to enter their username and password for the targeted account.
Domain spoofing in advertising
Ad fraud perpetrators fake the names of websites they own to obscure the real source of their traffic and offer their spoofed domains for bidding by advertisers. Then, the display ads end up on an undesirable website instead of the one advertisers wanted.
How can users protect themselves from domain spoofing?
Be mindful of the source. Is the link from an email? Was the email expected? Unexpected requests and warnings are often from scammers.
Take a close look at the URL. Are there any extra characters that don’t belong? Try copying and pasting the URL into a new tab: does it still look the same? (This can detect homograph attacks.)
Make sure there’s an SSL certificate. An SSL certificate is a text file that identifies a website and aids in encrypting traffic to and from the website. An external certificate authority usually issues SSL certificates. Before issuing one, the certificate authority will verify that the party requesting the certificate owns that domain name (although sometimes such verification is fairly minimal). Almost all legitimate websites these days will have an SSL certificate.
Check the SSL certificate if there is one. Is the domain listed on the SSL certificate the name one would expect? (To see the SSL certificate in Chrome, click on the padlock in the URL bar, then click “Certificate.”) A spoofed website may have a real SSL certificate – but for the spoofed domain name, not the actual domain name.
Bookmark important websites. Keep an in-browser bookmark of each legitimate website. Clicking on the bookmark instead of following a link or typing the URL ensures the correct URL loads each time. For instance, instead of typing “mybank.com” or performing a Google search for the bank’s website, create a bookmark for the website.
How can companies stop their domains from being spoofed?
SSL certificates can help make website spoofing more difficult for attackers, as they will then have to register for a spoofed SSL certificate in addition to registering the spoofed domain. (Cloudflare offers free SSL certificates.)
Unfortunately, there isn’t a way to stop domain spoofing in email. Companies can add more verification to the emails they send via DMARC, DKIM, and other protocols, but external parties can still send fake emails using their domain without this verification.
