Domain Spoofing

What is Domain Spoofing?

Domain spoofing is a tactic used by cyber threat actors to fool their victims into responding to a fraudulent email message or a fake website as if it were legitimate. Domain spoofing is used in email phishing and spear phishing campaigns, business email compromise and account takeover attacks, and digital advertising fraud.

Domain spoofing attacks often fall under two broad categories: email domain spoofing and website domain spoofing. Each type of domain spoofing may be used on its own to fool victims as part of a digital phishing attack, or the two may be combined to execute a cyberattack against a more sophisticated target.

Email domain spoofing involves techniques that mask the sender of a malicious email, making it appear to the recipient as if the email came from a trusted source. Web domain spoofing involves techniques that disguise the URL of a website, making it seem like that of a trusted brand instead of an information capture page for cybercriminals.

How Does Domain Spoofing Work?

While the common goal behind domain spoofing is to fool the victim about the legitimacy of a communication or digital asset, domain spoofing attacks may be implemented in several different ways. Here are just a few ways that threat actors can make domain spoofing work as part of a successful cyberattack:

Email Domain Spoofing

Email domain spoofing is when threat actors send emails with a false sender address. These emails aim to trick the victim into believing that the email came from a trusted source. Spoofed emails may include familiar branding elements, such as the purported sender’s brand logo, colors, trademarks, and other identifiers that help convince the target that the email is legitimate.
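A false sender address usually leaves traces in the message headers. The following is an added example, not part of the original page: it compares the visible From domain with the envelope sender and reads the receiving server's DMARC verdict. The function names, the two-label organisational-domain shortcut and the sample messages are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if none is present."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower().rstrip(".") if "@" in addr else ""

def org_domain(domain):
    # Assumption: the last two labels approximate the organisational domain;
    # a real check would consult the Public Suffix List.
    return ".".join(domain.split(".")[-2:])

def sender_findings(raw_message):
    """List the signs that the visible From address was not the real sender."""
    msg = message_from_string(raw_message)
    from_dom, env_dom = domain_of(msg["From"]), domain_of(msg["Return-Path"])
    if not from_dom:
        return ["missing-from"]
    findings = []
    # Envelope sender (Return-Path) belongs to a different organisation.
    # Legitimate bulk senders can trigger this, so treat it as a signal.
    if env_dom and org_domain(env_dom) != org_domain(from_dom):
        findings.append("from-envelope-mismatch")
    # Trust this header only when your own receiving server added it.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    dmarc = re.search(r"\bdmarc=(\w+)", auth, re.I)
    if dmarc and dmarc.group(1).lower() != "pass":
        findings.append("dmarc-" + dmarc.group(1).lower())
    return findings

# Constructed sample messages (not real traffic).
LEGIT = (
    "Return-Path: <bounce@mail.example.com>\n"
    "Authentication-Results: mx.recipient.test; dmarc=pass header.from=example.com\n"
    "From: Example Billing <billing@example.com>\n\nbody\n"
)
SPOOFED = (
    "Return-Path: <x9@bulk-sender.test>\n"
    "Authentication-Results: mx.recipient.test; spf=pass smtp.mailfrom=bulk-sender.test;\n"
    " dmarc=fail header.from=example.com\n"
    "From: Example Billing <billing@example.com>\n\nbody\n"
)
```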

Spoofing the Domain Name

Spoofed websites are created and designed by digital threat actors to impersonate trusted brands and steal sensitive data and access credentials from their customers. 

A spoofed website often incorporates the brand’s logos, trademarks, colors, and other visual assets while replicating the user interface and features of the brand’s authentic website. Once the spoofed website has been created, a skilled cybercriminal will have several options for successfully spoofing the domain name:

  • Domain Masking - Domain masking allows a cyberattacker to show a fake URL in the web browser’s address bar when a potential victim visits their fake website.
  • Registering a Look-alike Domain - Instead of masking the domain, a cyberattacker may attempt to register a domain name that appears similar to that of the brand they are impersonating.
  • Domain Spoofing with a URL Shortener - Threat actors often use URL shortening services to hide the domain name in a malicious link before spreading the link through phishing email campaigns and social media.
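Look-alike registrations can be screened for on the defender's side. The following is an added example, not part of the original page: it checks candidate domains (for instance from newly registered domain feeds) against a protected brand domain using homoglyph folding, edit distance and brand-label reuse. The brand list, the small confusables table and the function names are assumptions made for illustration.

```python
import re
import unicodedata

BRANDS = ["example.com"]  # hypothetical protected domain (assumption)
# Constructed, deliberately small confusables table (not the full Unicode data).
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                        "\u0430": "a", "\u0435": "e", "\u043e": "o",
                        "\u0440": "p", "\u0441": "c", "\u0456": "i"})

def skeleton(domain):
    """Fold a domain so that visually similar spellings collide."""
    try:  # decode punycode (xn--) labels so IDN homoglyphs become visible
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode or not valid IDNA: keep as given
    s = unicodedata.normalize("NFKC", domain).lower().rstrip(".")
    return s.translate(SINGLE).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Edits (insert, delete, substitute, adjacent swap) turning a into b."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(candidate, brands=BRANDS, max_dist=1):
    """Return (brand, reason) if candidate imitates a brand, else None."""
    raw, cand = candidate.lower().rstrip("."), skeleton(candidate)
    for brand in brands:
        if raw == brand or raw.endswith("." + brand):
            return None  # the brand's own domain or one of its subdomains
        target = skeleton(brand)
        if cand == target:
            return brand, "homoglyph"
        if edit_distance(cand, target) <= max_dist:
            return brand, "typo"
        if target.split(".")[0] in re.split(r"[.-]", cand):
            return brand, "brand-label-reuse"
    return None
```

A hit is a lead for review rather than proof of abuse; the third rule in particular also matches benign domains that happen to contain the brand's label.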

Email spoofing and domain spoofing techniques may be combined to execute an even more sophisticated and convincing cyberattack.

What is an Example of Domain Spoofing?

There have been many high-profile examples of successful domain spoofing attacks targeting both private individuals and a variety of organizations.

In 2017, the auditors at the Financial Times discovered that digital fraudsters had used a spoof domain to impersonate the digital publication and offer display and video advertising inventories across 15+ digital advertising exchanges. It was estimated that the fraudsters earned $1.3 million per month.

Another high-profile attack took place in 2019 and targeted the Volunteers for Venezuela website with a mix of domain spoofing and DNS manipulation. Threat actors registered a look-alike domain, created a fake website, and redirected traffic from the target’s legitimate web page to steal personally identifying information from volunteers who signed up to help with humanitarian aid in Venezuela.

Domain spoofing attacks are increasingly being used to target business organizations, especially in the financial industry. Threat actors may create spoofed websites to steal online banking credentials from customers of a financial institution, or attempt to scam the institution’s employees by impersonating a CEO or tech support representative and linking to a spoofed domain.

How to Prevent Domain Spoofing Attacks

Cybersecurity Awareness Training

Cybersecurity awareness training can be an effective defense against domain spoofing attacks. Organizations should train their executive leadership and digital workforce to be cautious when opening suspicious or unexpected emails, avoid clicking on unfamiliar links, and recognize the signs of domain spoofing.

Phishing Simulation Exercises

Phishing simulation exercises are implemented by enterprise SecOps teams to evaluate the performance of digital workers when it comes to recognizing and avoiding domain spoofing attacks. The results of these exercises can be used to target the most susceptible employees with additional cybersecurity education and awareness training.

Cybersecurity Software and Technologies

Enterprise SecOps teams can implement cybersecurity software and technologies to detect, prevent, and disrupt domain spoofing attacks against their organizations.

How Does ZeroFOX Protect Against Domain Spoofing?

Domain spoofing almost always involves the fraudulent use of digital brand assets, including logos, colors, trademarks, typography, and other identifiers. 

The ZeroFOX platform leverages advanced AI to monitor the public attack surface for fraudulent use of brand assets, provides you with actionable alerts and threat intelligence, and delivers automated disruption services to dismantle and remove fake websites before they can be used to target your employees and customers.
