What is domain spoofing?
Domain spoofing is when cyber criminals fake a website name or email domain to try to fool users. The goal of domain spoofing is to trick a user into interacting with a malicious email or a phishing website as if it were legitimate. Domain spoofing is like a con artist who shows someone fake credentials to gain their trust before taking advantage of them.
Domain spoofing is often used in phishing attacks. The goal of a phishing attack is to steal personal information, such as account login credentials or credit card details, to trick the victim into sending money to the attacker, or to trick a user into downloading malware. Domain spoofing can also be used to carry out ad fraud by tricking advertisers into paying for ads shown on websites other than the websites they think they're paying for.
Domain spoofing is distinct from DNS spoofing or cache poisoning, and also from BGP hijacking. These are other ways to direct a user to the wrong website that are more complex than simply faking the name.
What is a domain?
A domain, or more correctly domain name, is the full name of a website. "cloudflare.com" is one example of a domain name. For companies and organizations, the domain appears within email addresses of employees after the "@" symbol. A personal email account may use "gmail.com" or "yahoo.com" as its domain, but a company email will usually use the company's website. (To learn more about domains, see What is DNS?)
What are the main types of domain spoofing?
Website spoofing is when an attacker builds a website with a URL that closely resembles, or even copies, the URL of a legitimate website that a user knows and trusts. In addition to spoofing the URL, the attacker may copy the content and style of a website, complete with images and text.
To imitate a URL, attackers can use characters from other languages or Unicode characters that look almost exactly the same as regular ASCII characters. (This is called a homograph attack.) Less convincing spoofed URLs may add or substitute regularly used characters to the URL and hope that users don't notice.
These fake websites are typically used for criminal activities like phishing. A fake login page with a seemingly legitimate URL can trick a user into submitting their login credentials. Spoofed websites can also be used for hoaxes or pranks.
Email spoofing is when an attacker uses a fake email address with the domain of a legitimate website. This is possible because domain verification is not built into the Simple Mail Transfer Protocol (SMTP), the protocol that email is built on. Email security protocols that were developed more recently, such as DMARC and DKIM, provide greater verification.
Attackers will often use email spoofing in phishing attacks. An attacker will spoof a domain name to convince users that the phishing email is legitimate. An email that seems to come from a company representative is more convincing at first glance than an email from some random domain.
The goal of the phishing attack could be to get users to visit a certain website, to download malware, to open a malicious email attachment, to enter account credentials, or to transfer money to an account the attacker controls.
Email spoofing is often paired with website spoofing, as the email may lead to a spoofed website where users are supposed to enter their username and password for the targeted account.
Domain spoofing in advertising
Ad fraud perpetrators fake the name of websites they own to obscure the real source of their traffic and offer their spoofed domains for bidding by advertisers. Then the display ads end up on an undesirable website instead of the website that advertisers wanted.
How can users protect themselves from domain spoofing?
Be mindful of the source. Is the link from an email? Was the email expected? Unexpected requests and warnings are often from scammers.
Take a close look at the URL. Are there any extra characters that don't belong? Try copy and pasting the URL into a new tab: does it still look the same? (This can detect homograph attacks.)
Make sure there's an SSL certificate. An SSL certificate is a text file that identifies a website and aids in encrypting traffic to and from the website. SSL certificates are usually issued by an external certificate authority, and before issuing one, the certificate authority will verify that the party requesting the certificate actually owns that domain name (although sometimes such verification is fairly minimal). Almost all legitimate websites these days will have an SSL certificate.
Check the SSL certificate, if there is one. Is the domain listed on the SSL certificate the name that one would expect? (To see the SSL certificate in Chrome, click on the padlock in the URL bar, then click "Certificate.") A spoofed website may have a real SSL certificate – but for the spoofed domain name, not for the actual domain name.
Bookmark important websites. Keep an in-browser bookmark of each legitimate website. Clicking on the bookmark, instead of following a link or typing the URL, ensures the correct URL loads each time. For instance, instead of typing "mybank.com" or performing a Google search for the bank's website, create a bookmark for the website.
How can companies stop their domains from being spoofed?
SSL certificate can help make website spoofing more difficult for attackers, as they will then have to register for a spoofed SSL certificate in addition to registering the spoofed domain. (Cloudflare offers free SSL certificates.)
Unfortunately, there isn't a way to stop domain spoofing in email. Companies can add more verification to the emails they send via DMARC, DKIM, and other protocols, but external parties can still send fake emails using their domain without this verification.