Domain Spoofing

What is Domain Spoofing?

Domain spoofing is a cyberattack technique where attackers impersonate a legitimate domain to deceive users, bypass security systems, or gain unauthorized access. This can involve forging email headers, registering lookalike domains, or exploiting DNS vulnerabilities to redirect traffic.

Types of Domain Spoofing

Email Spoofing

Forging the "From" address in emails to appear from a trusted domain:

Legitimate:
  From: support@paypal.com
  Actual sender: PayPal's mail servers

Spoofed:
  From: support@paypal.com
  Actual sender: attacker's server
  Without SPF/DKIM/DMARC, appears legitimate

Display Name Spoofing

Manipulating the sender's display name while using a different email:

Display: CEO John Smith <john.smith@company.com>
Actual email: attackercontrol@malicious.com
Many email clients show only display name prominently

Lookalike Domain Spoofing

Registering domains that resemble legitimate ones:

Legitimate: paypal.com
Lookalikes:
  paypa1.com (1 instead of l)
  paypal-secure.com (added word)
  paypai.com (typo)
  paypаl.com (Cyrillic 'а' instead of Latin 'a')

DNS Spoofing (Cache Poisoning)

Corrupting DNS caches to redirect traffic:

User types: bank.com
DNS poisoned: Returns attacker's IP instead of real bank
User arrives at: Fake bank.com (phishing site)
User thinks: They're on real site (URL shows bank.com)

Caller ID Spoofing (VoIP)

Displaying fake phone numbers (less relevant to domains but related concept).

How Email Spoofing Works

The SMTP Protocol Gap

SMTP (email protocol) has no built-in sender verification:

SMTP Conversation:
Client: HELO attacker.com
Server: 250 Hello
Client: MAIL FROM: <ceo@victimcompany.com>
Server: 250 OK (accepts without verification)
Client: RCPT TO: <employee@victimcompany.com>
Server: 250 OK
Client: DATA
From: ceo@victimcompany.com
Subject: Urgent wire transfer needed
→ Server delivers it

Nothing in SMTP verifies the sender actually controls victimcompany.com.

Header Manipulation

Attackers craft headers that bypass basic filters:

From: "CEO John Smith" <ceo@legitimate.com>
Reply-To: attacker@malicious.com

User sees trusted sender
Replies go to attacker

Real-World Spoofing Attack Scenarios

Business Email Compromise (BEC)

1. Attacker researches company structure
2. Spoofs CEO's email to CFO
3. "Urgent wire transfer needed for acquisition"
4. CFO transfers funds thinking it's legitimate
5. Company loses millions

Phishing Campaigns

1. Spoof bank or tech company domain
2. Send emails about "suspicious activity"
3. Link goes to lookalike domain
4. User enters credentials on fake site
5. Attacker steals credentials

Invoice Fraud

1. Attacker spoofs supplier's domain
2. Sends updated invoice with attacker's bank details
3. Victim pays attacker instead of real supplier
4. Legitimate supplier never receives payment

Malware Distribution

1. Spoof trusted software company
2. Email with "critical security update"
3. Attachment contains malware
4. User trusts "legitimate" sender and opens it

Detecting Domain Spoofing

Email Header Analysis

Examine full headers for inconsistencies:

From: support@paypal.com
Return-Path: <random@suspicious.com>  ← Red flag
Received: from unknown.net [1.2.3.4]  ← Not PayPal's servers

Real email would have:
Received: from mx.paypal.com [verified PayPal IP]
Return-Path: <support@paypal.com>

SPF/DKIM/DMARC Check

Authentication-Results: recipient.com;
  spf=fail smtp.mailfrom=paypal.com  ← Spoofed
  dkim=none                           ← Not signed
  dmarc=fail                          ← Failed policy

Legitimate PayPal emails would pass all checks.

Visual Inspection

Look for subtle differences:

Real: paypal.com
Fake: paypal-secure.com (extra word)
Fake: paypαl.com (Cyrillic character)
Fake: paypal.co (missing 'm')

Behavioral Anomalies

• Urgent language ("Act now!", "Wire transfer immediately")
• Unusual requests (CEO asking for gift cards)
• Grammar/spelling errors
• Requests to change payment details
• Links to unfamiliar domains

Preventing Domain Spoofing

Implement Email Authentication (Critical)

example.com.    IN    TXT    "v=spf1 include:_spf.google.com -all"

Authorizes which servers can send for your domain

Cryptographically signs outgoing emails
Receivers verify signature using DNS public key
Tampered emails fail verification

_dmarc.example.com.    IN    TXT    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Tells receivers to reject emails that fail SPF/DKIM
Provides reports on spoofing attempts

p=none       Monitor only (start here)
p=quarantine Send failures to spam
p=reject     Block failures completely (goal)

Register Defensive Domains

Proactively register lookalike domains:

Primary: company.com

Register:
Common typos: conpany.com, compamy.com
Different TLDs: company.net, company.org, company.co
Hyphenated: com-pany.com, company-inc.com
Plurals: companies.com

Then either:

• Redirect to primary domain
• Park with informational page
• Use for legitimate purposes

Monitor Brand Mentions

Use services to detect unauthorized domain registrations:

• Google Alerts for domain registrations containing brand name
• Certificate Transparency logs (monitor for SSL certs issued)
• WHOIS monitoring for new registrations

• DomainTools
• Sift by Cloudflare
• BrandShield
• Bolster

Employee Training

Regular security awareness training:

• How to identify spoofed emails
• Verify suspicious requests through alternative channels
• Never click links in unexpected emails
• Check sender domain carefully
• Report suspicious emails to IT

Technical Controls

p=reject (block spoofed email entirely)

• Scan for lookalike domains
• Flag external emails that look internal
• Block known-bad sender IPs

[EXTERNAL EMAIL] This email originated outside the organization

Check and sanitize URLs in emails before delivery.

Only allow approved sending methods (no one-off SMTP).

Advanced Spoofing Techniques

Homoglyph Attacks

Using visually similar characters from different alphabets:

Latin 'a' vs Cyrillic 'а' (U+0430)
Latin 'o' vs Cyrillic 'о' (U+043E)

googlе.com (Latin 'e' replaced with Cyrillic 'е')
Looks identical to: google.com

googlе.com → xn--googl-6nd.com (encoded)
Browsers show: ⚠️ xn--googl-6nd.com

Subdomain Spoofing

Creating subdomains that look like different domains:

legitimate-bank.attacker.com
Appears as: legitimate-bank (subdomain of attacker.com)
Users see: "legitimate-bank" and assume it's safe

Man-in-the-Middle with DNS Hijacking

1. Attacker compromises DNS server or router
2. Changes bank.com resolution to attacker's IP
3. Serves fake bank site
4. Uses valid SSL cert (from Let's Encrypt, free)
5. User sees https://bank.com with padlock
6. User thinks it's safe, enters credentials

Legal and Regulatory Aspects

Anti-Cybersquatting Consumer Protection Act (ACPA)

U.S. law prohibiting registration of domains confusingly similar to trademarks.

Uniform Domain-Name Dispute-Resolution Policy (UDRP)

ICANN policy for resolving trademark disputes:

• Trademark owners can challenge lookalike registrations
• Arbitration process (faster/cheaper than court)

Criminal Penalties

Domain spoofing for fraud is prosecuted under:

• Wire Fraud Act (U.S.)
• Computer Fraud and Abuse Act (U.S.)
• Similar laws in other jurisdictions

Penalties include fines and imprisonment.

Responding to Domain Spoofing

If Your Domain is Being Spoofed

1. Implement DMARC with p=reject

_dmarc.example.com.    TXT    "v=DMARC1; p=reject; rua=mailto:abuse@example.com"

2. Alert customers/partners

- Notify about spoofing campaign

- Provide indicators (what to look for)

- Give reporting channel

3. Report to authorities

- FBI IC3 (U.S.)

- Local cybercrime units

- Anti-Phishing Working Group (apwg.org)

4. Takedown requests

- Report phishing sites to hosting providers

- Report to domain registrars

- Use Google Safe Browsing report

5. Monitor DMARC reports

- Identify spoofing sources

- Track attack volume and patterns

If You Discover a Lookalike Domain

1. Document evidence

- Screenshots

- WHOIS data

- Email headers

2. UDRP complaint (if you own trademark)

3. Registrar abuse report

4. Legal action (if significant harm)

Testing Your Defenses

Test Email Spoofing Protection

# Send test spoofed email to yourself
swaks --to employee@yourcompany.com \
      --from ceo@yourcompany.com \
      --server test-smtp-server.com \
      --header "Subject: Test Spoofed Email"

# Check if it's delivered or blocked
# Check authentication results in headers

Check DMARC Configuration

dig _dmarc.example.com TXT

# Should return policy (p=reject ideally)
_dmarc.example.com. 300 IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

Verify SPF and DKIM

# SPF
dig example.com TXT | grep spf

# DKIM (check common selectors)
dig google._domainkey.example.com TXT
dig default._domainkey.example.com TXT

Use Online Tools

• MXToolbox Domain Health Check
• dmarcian DMARC Inspector
• Google Admin Toolbox Messageheader
• PhishTank (check if your domain is reported)

Domain spoofing is a serious threat but can be effectively mitigated through proper email authentication, monitoring, and user education.