Chapter 23 Β· Flashcards

Impersonation Flashcards

Click each card to reveal the answer. Master all 16 to be exam-ready.

0 / 16 flipped
Display name spoofing
Attacker sets a trusted person's name as the email display name; the actual From: address is attacker-controlled and uses a completely different domain. Most email clients show the display name prominently and de-emphasize the address. Defense: DMARC on the real domain does NOT stop this (the sending domain is different); train users to verify the actual email address, not just the display name; configure email clients to always show full From: addresses.
Cousin domain (lookalike domain)
Visually similar domain registered by attacker β€” adding hyphens, keywords, numbers, or Unicode homoglyphs (e.g., pharma-corp-billing.com, pharma--corp.com, c0mpany.com). Used for email impersonation and phishing sites. DMARC on the real domain provides zero protection β€” these are entirely different domains. Defense: register common variants proactively; monitor new domain registrations containing the company name; user training to inspect actual email domain.
IDN homograph attack
Uses Unicode characters visually identical to ASCII characters to create deceptive domains. Example: Cyrillic "Π°" (U+0430) looks identical to Latin "a" (U+0061) in most fonts β€” a domain using Cyrillic characters appears identical to the legitimate domain but resolves to a different IP. Browsers sometimes display punycode (xn--...) warnings; most email clients do not. Defense: domain monitoring for Unicode lookalikes; browser settings that display punycode for IDN domains.
ARP spoofing
Sends forged ARP replies to map the attacker's MAC address to a legitimate IP address (usually the default gateway) on the local network. All hosts that accept the forged ARP redirect their outbound traffic through the attacker's machine β€” man-in-the-middle. Operates at Layer 2 (Data Link). Only works within the same broadcast domain β€” cannot be launched remotely. Defense: Dynamic ARP Inspection (DAI) on managed switches validates ARP against the DHCP snooping binding table.
Dynamic ARP Inspection (DAI)
Switch feature that validates ARP packets against the DHCP snooping binding table before forwarding. ARP replies claiming IP-to-MAC mappings not found in the trusted database are dropped, preventing ARP cache poisoning. Deployed on untrusted access ports facing workstations; trusted ports (uplinks) are exempt. Requires DHCP snooping to be configured first to build the trusted IP-to-MAC binding database. Transparent to legitimate traffic β€” only forged ARP replies are dropped.
DNS spoofing (DNS cache poisoning)
Injects false DNS records into a resolver's cache so that domain lookups return attacker-controlled IP addresses. All users of the poisoned resolver are redirected even when typing correct URLs β€” no user action required beyond normal browsing. The Kaminsky attack (2008) demonstrated reliable poisoning via transaction ID and port prediction. Defense: DNSSEC (cryptographic signing of DNS records so resolvers can verify authenticity); source port randomization; DNS over HTTPS/TLS.
IP spoofing
Forges the source IP address in network packet headers to impersonate another host. Critical limitation: cannot support two-way communication β€” responses go to the spoofed IP, not the attacker. Used in DDoS amplification attacks (attacker spoofs victim's IP as source; DNS/NTP servers flood the victim with amplified responses), one-way flooding, and origin obfuscation. For two-way anonymous communication, attackers use VPNs or Tor β€” not IP spoofing. Defense: BCP38 ingress filtering at network edges.
Caller ID spoofing
Falsifies the originating phone number displayed to recipients. Trivially easy with VoIP β€” the SIP From: header can be set to any value. Used in vishing attacks to impersonate banks, government agencies, IT helpdesks, executives, or internal extensions. STIR/SHAKEN framework adds digital signatures to calls to reduce spoofing on domestic US calls between participating carriers β€” but calls through overseas SIP trunks can bypass it. Defense: callback verification using independently sourced numbers from official records.
STIR/SHAKEN
FCC mandate requiring US carriers to cryptographically sign and verify caller ID information. Attestation levels: A (Full β€” carrier verified subscriber authorized for that number), B (Partial β€” carrier knows customer, can't verify specific number), C (Gateway β€” call entered at known point, no subscriber verification). Reduces domestic robocall spoofing but does not prevent spoofing by overseas providers, unregistered SIP trunks, or non-participating carriers. Treat caller ID as an indicator, not proof of identity.
Deepfake
AI-synthesized audio/video that impersonates a real person. Voice cloning possible from as little as 3–5 seconds of audio using free/cheap tools; public figures provide abundant training material. First documented case: 2019 UK energy CEO voice deepfake (€220K wire). 2024 Hong Kong case: $25M via deepfake video conference call with fake CFO and colleagues. Defense: out-of-band verification through separate channel; pre-agreed verbal codewords for sensitive communications; written authorization requirement independent of voice/video for large transactions.
Credential stuffing
Automated replay of breached username/password pairs against other services, exploiting password reuse. Uses the exact known credential pair from a prior breach β€” not guessing. Enabled by vast breach database availability. Scalable, requires no skill. Defense: unique passwords per service enforced via password manager (eliminates reuse risk entirely); MFA on all accounts; breach monitoring (HaveIBeenPwned) to detect exposure; login rate limiting and anomaly detection to identify stuffing attempts in progress.
Password spraying
Tries one common password against many accounts, then moves to the next password β€” deliberately stays under per-account lockout thresholds to avoid triggering lockout. "Slow and broad" (contrast with brute force: "fast and narrow"). Effective when users have weak predictable passwords. Defense: strong password requirements that prevent seasonal/pattern passwords; MFA; anomaly detection that flags distributed low-frequency login failures across many different accounts simultaneously (unlike brute force, which concentrates on one account).
SIM swapping
Social engineering a mobile carrier into porting the victim's number to an attacker-controlled SIM. Once swapped: attacker receives all SMS messages including MFA codes and password reset links; can cascade password resets across every account tied to that phone number. Victim's phone loses service. Defeats SMS-based MFA entirely. Defense: authenticator app TOTP (generated locally on device β€” not tied to phone number, unaffected by SIM swap); carrier port freeze/SIM lock; FIDO2 hardware tokens for highest-risk accounts.
Account takeover (ATO)
Attacker gains control of a legitimate user account β€” the most convincing impersonation because it IS the real account. All SPF/DKIM/DMARC checks pass (the email is genuinely from the real account). Sender name and address are correct. Conversation history is accessible. No technical indicator distinguishes ATO-sourced email from legitimate email. Methods: credential stuffing, phishing, SIM swapping, session hijacking. Only process controls (verify unusual requests independently) and behavioral analytics detect ATO after the fact. Prevention: MFA + unique passwords + breach monitoring.
Badge cloning
Copying RFID data from a proximity card to a blank card using a concealed reader. Standard 125 kHz HID ProxCards broadcast a static unencrypted ID number β€” readable silently from ~30cm with sub-$50 hardware. Clone opens same doors as original; original remains functional; owner never knows. Defense: upgrade to MIFARE DESFire EV3 or HID SEOS with AES challenge-response authentication (passive interception yields unusable ciphertext); RFID-shielded badge holders when badge not in active use; anti-passback rules (same badge can't enter twice without exiting); access log anomaly monitoring.
BEC (Business Email Compromise)
Impersonating executives or vendors to redirect payments, wire transfers, or W-2 data. Uses display name spoofing, cousin domains, or compromised accounts. The $340K Meridian Pharma case combined cousin domain + caller ID spoofing. FBI IC3 reported $2.9B in BEC losses in 2023 β€” the single largest category of cybercrime losses. Defense: DMARC enforcement; out-of-band callback verification for any wire or payment change; dual authorization for transactions above threshold; vendor account change verification requiring callback to a number from original contracts, not from the change request email.