Chapter 23 Β· Concepts

Impersonation β€” Key Concepts

Comparison tables, attack taxonomies, process flows, and reference cards for exam preparation.

Impersonation Attack Taxonomy

Every impersonation attack fakes identity at a specific layer. Understanding the layer determines which defense applies.

Attack TypeLayerWhat's FakedDefense
Display Name SpoofingEmail (Application)Sender name visible in inboxUser training to verify full From: address; email client config to show full addresses
Cousin DomainDNS / EmailDomain name (visually similar)Register common variants; DMARC on real domain; user training
Exact Domain SpoofingEmail (Application)Legitimate domain, unauthorized serverDMARC policy=reject with SPF + DKIM
ARP SpoofingData Link (Layer 2)MAC→IP mapping on local LANDynamic ARP Inspection (DAI) on managed switches
IP SpoofingNetwork (Layer 3)Source IP address in packetsBCP38 ingress filtering at network edge
DNS SpoofingApplication (DNS)DNS responses (IP for domain)DNSSEC for cryptographic DNS record integrity
Caller ID SpoofingVoice / PSTNPhone number displayed to recipientSTIR/SHAKEN; callback verification policy
Deepfake (Audio/Video)Physical / HumanVoice and/or face of a real personOut-of-band verification; codewords; dual-channel authorization
Badge CloningPhysicalRFID credential from proximity cardEncrypted challenge-response cards (MIFARE DESFire, SEOS); RFID-shielded holders

The Attack Chain: BEC Wire Transfer

How Yusuf's $340K pharma case unfolded β€” a complete Business Email Compromise kill chain.

1
Reconnaissance
Attacker researches target via LinkedIn, company website, press releases, and earnings calls. Identifies CFO name, AP staff names, active vendor relationships, and the procurement process workflow. Identifies employee email formats and internal naming conventions.
↓
2
Domain Registration (Cousin Domains)
Attacker registers pharma-corp-billing.com, pharma-corp-ap.com, and IDN homograph variants. Configures mail server on cousin domain. Creates convincing email address: sarah.chen@pharma-corp-billing.com. Sets display name to "Sarah Chen - CFO Office."
↓
3
Credential Stuffing for Initial Access
Attacker tests millions of username/password pairs from breach databases against the company's Okta portal. Finds that Marcus (vendor liaison) reused a password from a prior breach. Automated tool flags successful credential match.
↓
4
SIM Swap to Bypass SMS MFA
Attacker calls Marcus's mobile carrier, impersonates Marcus using researched personal details (name, address, last 4 SSN digits from breach data). Convinces carrier representative to port Marcus's number to attacker's SIM. Attacker now receives Marcus's MFA codes.
↓
5
Account Access and Internal Reconnaissance
Attacker logs in as Marcus using the captured credentials + SMS MFA code now delivered to their SIM. Reads 3 weeks of internal emails, maps AP workflows, learns procurement context, identifies the $340K equipment discussion. Understands who has authority and what communication style looks legitimate.
↓
6
Display Name Spoof Email to AP
Sends wire transfer request from sarah.chen@pharma-corp-billing.com with display name "Sarah Chen - CFO Office." Email references the real equipment procurement discussion (from Marcus's inbox). Requests $340K to a "new vendor" bank account. Professionally formatted, contextually accurate.
↓
7
Caller ID Spoof Follow-Up Call
AP clerk is nervous about the amount and calls to verify. Attacker is ready β€” uses VoIP caller ID spoofing to display the CFO's real internal extension (4-2287). Answers as "CFO's assistant," verbally confirms the wire, provides additional vendor details. Clerk's verification attempt is defeated.
↓
8
Wire Transfer Executed β€” $340,000 Gone
AP clerk processes the wire. Funds transferred to attacker-controlled account. Fraud detected 4 days later by the bank's transaction monitoring team. $180K clawback possible through rapid action; $160K irrecoverable after onward transfer through multiple accounts.

STIR/SHAKEN Attestation Levels

A β€” Full Attestation
The originating carrier has verified that the calling party is a customer of the carrier AND that the customer is authorized to use the specific calling number being displayed. Highest level of confidence. The carrier can definitively say: this call is from our customer, and that customer owns or is permitted to use this phone number. Still does not guarantee the subscriber isn't an attacker β€” it only verifies subscriber authorization of the number.
B β€” Partial Attestation
The originating carrier has verified that the call came from a known customer, but cannot verify that the customer is authorized to use the specific calling number displayed. The carrier knows where the call originated (their customer) but cannot confirm the displayed number belongs to that customer. Common for scenarios where a business customer presents caller ID numbers from a pool or a number the carrier can't independently verify.
C β€” Gateway Attestation
The originating carrier can only attest that the call entered the carrier's network at a specific interconnect gateway. No verification of the caller's identity or their authorization to use the displayed number. The lowest level of attestation β€” essentially "this call came in here, we have no idea who sent it or whether the number is legitimate." Calls from overseas SIP providers and unregistered trunks often receive C attestation or no attestation at all.
STIR/SHAKEN is an improvement but not a complete solution. Calls originating overseas, through unregistered SIP trunks, or from carriers that have not fully deployed STIR/SHAKEN can still carry spoofed caller ID. Even A-level attestation means only that the carrier verified the subscriber's authorization β€” not that the subscriber isn't an attacker. Defense policy cannot rely on caller ID as proof of identity regardless of attestation level.

Credential Attack Comparison

TechniqueSpeedTarget PatternLockout RiskWhat to Monitor
Credential Stuffing Fast (fully automated) Many users Γ— known specific passwords (breach pairs) High per account (many attempts per account if using known password lists) Repeated failed logins with known-breached passwords; logins from IP reputation bad addresses; login volume spikes
Password Spraying Slow (one password at a time, deliberately paced) Many users Γ— very few common passwords (often 1–2) Low (stays under per-account lockout threshold) Distributed low-frequency login failures across many different accounts simultaneously; common password attempts across wide user base
Brute Force Varies (fast for short/simple passwords) One user Γ— many passwords (exhaustive) Very high (many attempts against one account) Many failed login attempts against a single account in a short time window; account lockout events
SIM Swap + MFA Bypass Varies (carrier call can take minutes to hours) One targeted user, high-value account N/A (legitimate credentials + legitimate MFA code) Phone number port-out from carrier records; sudden SIM change; victim phone goes offline; unexpected MFA success from new device/location