The art of spoofing has been around since time immemorial, or so it seems. Spoofing can take a humorous form as a comedic device that mimics and exaggerates a celebrity’s unique quirks or features, for example. Spoofing comedians are sometimes called apers for their ability to mimic exceedingly well.
The ugly side of spoofing can be found on today’s digital stage, where cybercriminals masquerade as individuals or organizations we trust, such as banks, government agencies, and similar resources. The purpose of digital spoofing is to dupe unwitting individuals into taking actions that aid and abet the cybercriminals—and usually hurt the victims.
There are several ways criminal spoofing can occur, and two popular tricks are spoofed websites and spoofed emails.
Spoofed Website Dupes City Residents
At the heart of website spoofing is the creation of a replica of a real, trusted website. Cybercriminals will even mimic the colors, logos, and other characteristics of the original site. Their objective is to misdirect visitors to the spoofed website, where they will attempt to steal personal information for exploitation.
In late April, the City of Palm Bay discovered that its website was being spoofed. With a population of approximately 120,000, Palm Bay is located south of Orlando, in Brevard County, on Florida’s Atlantic Coast.
According to an announcement by the City, unidentified individuals were emailing materials instructing recipients to visit a spoofed website at www.plambayflorida.org. The City’s real website is at www.palmbayflorida.org, which is sometimes shortened to www.pbfl.org. The City’s announcement pointed out that the bogus website contained a misspelling (plam rather than palm).
The purpose of this spoofed website is to obtain visitors’ personal or financial information as they interact with what they believe to be their City government. The announcement further warned that citizens could also receive spoofed emails from the same cybercriminals and provided this example: firstname.lastname@example.org.
The following spoof-proof security guidance was shared in the announcement. It may also sound familiar to readers of our 24By7Security blog.
- Hovering over links prior to clicking them is a well-established best security practice. It ensures that the information shown in the link matches the destination as shown in the pop-up link displayed when hovering your cursor over the weblink or email address.
- If a link shows a different or unexpected web address or email when hovering, do not click on it.
- All users and vendors should exercise caution when interacting with websites and emails. Double-check URLs and make sure that emails originate from either palmbayflorida.org or pbfl.org. The City of Palm Bay will not contact you from any other email domain.
The announcement concluded with a recommendation that anyone targeted by the spoofed website or spoofed email file a report with the Internet Crime Complaint Center at https://www.ic3.gov/Home/FileComplaint. The FBI monitors complaint volumes and issues public alerts from time to time when a particular cybercrime is heating up. The alerts warn companies and individuals about the crime and actions they can take to avoid becoming victims.
Spoofed Emails from Police Departments a Brazen Crime
In a bold and brazen exploit, cybercriminals are using email addresses that they’ve hacked from real police departments in order to send bogus Emergency Data Requests (EDRs) to technology firms and social media companies. They generally send these spoofed emails to a distribution list hoping to dupe unsuspecting companies into sharing detailed information about the person(s) or organization(s) named in the EDR. The criminal goal is to hack into those accounts to install ransomware and turn an illegal profit. Or they may want to install malware or wreak other havoc with the aim of obtaining additional useful information they can exploit for personal gain.
Spoofed email addresses can be recognized, if you are discerning, by misspellings in the email address domain—much like the spoofed Palm Bay email address. Unfortunately, most of us read right over typos these days. However, you can hover your cursor over any email address to view the actual address it is coming from, especially if the email seems suspicious for some reason. It only takes a second or two.
For a company who receives an Emergency Data Request from a police department (legitimate or otherwise), cybercriminals know there is no simple way for the company to judge whether the EDR is real or a spoof. Therefore, most companies err on the side of compliance, as the EDR response rate remains high—often more than 90%, according to Krebs on Security. High compliance rates mean it’s more likely that bogus EDRs will be fulfilled, and therefore will have their desired criminal result.
(A solution is being developed by a private sector firm that may enable EDR recipients to verify the identity of the sender before responding to the request.)
Ransomware Exploits Unpatched Software
A recent ransomware attack was successful only because the targeted organization had not updated its software in three years. The software had a known SQL injection vulnerability that had been addressed by the vendor in 2019. However, the target organization hadn’t applied the security patch on its end-of-life appliance, effectively putting out a welcome mat for cybercriminals at the network’s door. That’s the bad news.
The good news is that the network had been very well segmented, so the attack was contained in one segment of the network. Within that segment, hackers were able to access usernames and passwords, in turn giving them entry to servers where they installed BlackCat ransomware to encrypt assets in the segment.
All this grief could have been avoided had the security patch been installed when it was first released in 2019. We recommend you check your own security patches and software updates to make certain all have been applied. Consider it an ounce of prevention.
The FBI is hip to the BlackCat, as per this summary in the FBI Alert on April 19, 2022:
“As of March 2022, BlackCat/ALPHV ransomware as a service (RaaS) had compromised at least 60 entities worldwide and is the first ransomware group to do so successfully using RUST, considered to be a more secure programming language that offers improved performance and reliable concurrent processing. BlackCat-affiliated threat actors typically request ransom payments of several million dollars in Bitcoin and Monero but have accepted ransom payments below the initial ransom demand amount. Many of the developers and money launderers for BlackCat/ALPHV are linked to Darkside/Blackmatter, indicating they have extensive networks and experience with ransomware operations.”
Ransomware continues to evolve and remain strong. So should our cybersecurity.
Spoofing is a growing cybercrime that relies on mimicry and illusion. Cybercriminals masquerade as individuals or organizations we trust in order to trick us into taking an action that ultimately enables them to exploit stolen information for personal profit. Spoofed websites and spoofed emails are popular crimes, and even though spoofing may sound like a “soft” crime that couldn’t possibly hurt anyone, that is far from the case. Spoofed websites and spoofed emails are personal and punitive. Don’t let the term fool you.
In addition, don’t be fooled by ransomware crimes that exploit a variety of network and software vulnerabilities. Cover your security bases by installing security patches promptly, enforcing password hygiene, conducting cybersecurity awareness training, and implementing the many other prescribed methods of safeguarding your organization’s networks, systems, and data.