Masquerade Attack

What Is a Masquerade Attack?

A masquerade attack is any cyber attack that involves the use of a manipulated, spoofed or stolen user identifier – device, digital signature, network address, certificate, etc. – to fool digital infrastructure and gain access to systems, or authorization to conduct certain privileged actions. Masquerade attacks can be used to perpetrate financial crime, compromise corporate systems, or access sensitive data.

This type of cyberattack can be carried out from either outside or inside a network. Some masquerade attacks are examples of insider threats. These involve dishonest employees gaining access to systems using other users’ credentials, or even exploiting devices that are left logged onto the system.

External masquerade attacks, on the other hand, can make use of a variety of techniques, such as:

  • stolen or compromised logins
  • IP address spoofing to masquerade as a legitimate and authenticated device
  • phishing to gain access to sufficient personal information to launch an attack

Usually, masquerade attacks aim to compromise business IT systems, but individuals can also be targeted.

An estimated 2,200 online attacks take place every day, and a significant proportion of them meet the criteria for a masquerade attack.

What’s the Difference Between Masquerade Attacks and Replay Attacks?

The two have some similarities, but they are fundamentally different. Masquerade attacks always involve impersonation and tend to require the use of things like stolen passwords and authorization tokens, fake servers and spoofed IP addresses. Replay attacks involve intercepting data that is in transit and retransmitting it later. For example, an attacker may use a man-in-the-middle attack to intercept legitimate communications.

However, there’s considerable crossover between masquerade attacks and replay attacks. Depending on how it is conducted, an account takeover incident can be either, or involve elements of both.

How Do Masquerade Attacks Work?

A typical masquerade attack plays out as follows:

  1. The criminal identifies the target and sets up the means to access it – this could be a falsified certificate, data from a keylogger, spoofed device, etc. Sometimes, this can be usernames and passwords, IP addresses, or any other information that allows them to impersonate a legitimate user or network device.
  2. They put in place OPSEC – tools and other strategies to cover their tracks and evade detection.
  3. They use this information to gain unauthorized access to systems and commit crimes – anything from rerouting money to downloading sensitive data.
  4. They may also use this access to perpetrate further crimes. They could install malware or ransomware, for example.
  5. In most cases, they will attempt to leave undetected but might leave a backdoor in the system so they can more easily re-enter should they want to.

Risks of Masquerade Attacks

The consequences of masquerade attacks for companies vary depending on the attacker, method and system, but include:

  • financial loss
  • business interruption and downtime
  • exposure of sensitive data
  • reputational damage
  • theft of intellectual property
  • compliance breaches

Examples of Masquerade Attacks

Here are three real-life examples of masquerade attacks:

Operation Aurora in 2010 used a phishing campaign against large US companies including Yahoo, Adobe and Google. In total, 34 companies were targeted. The attack was believed to target trade secrets and intellectual property – but was also alleged to be intended to facilitate access to the Gmail accounts of Chinese human rights activists.

The high-profile Equifax Data Breach of 2017 resulted in the compromise of hundreds of millions of people’s personal data. While the attack was believed to originate from a vulnerable online complaint portal, a masquerade attack was involved further along the process. The attackers moved further into Equifax’s systems by using legitimate credentials that had been stored in plaintext.

Operation ShadowHammer was a sophisticated form of masquerade attack targeting PC manufacturer ASUS. It compromised the company’s Live Update Utility, with over 57,000 users believed to have installed a version with a backdoor in place.

It’s worth noting that, while these are all large-scale examples of masquerade attacks, logging into an admin account by using a compromised password still qualifies as a form of masquerade attack.

Why Are Masquerade Attacks Dangerous?

Masquerade attacks are dangerous because criminals who successfully impersonate genuine users and devices are given a solid foundation to launch all kinds of manipulation, theft and exploits.

Masquerade attacks that go undetected for a prolonged time are particularly dangerous as they allow bad actors the space to work their way further into systems and networks.

How to Protect Against Masquerade Attacks

Steps to mitigate and protect against masquerade attacks include:

  • Behavioral analysis: This can examine patterns of user behavior and raise a red flag when systems are being used in ways that don’t conform to what’s expected.
  • Device/browser fingerprinting: These techniques can alert system admins when users do not appear to be connecting from expected browsers and devices. They act as an extra line of defense when cybercriminals have gained access to legitimate login details.
  • Endpoint protection: Cybersecurity and anti-malware software is an important precaution against masquerade attacks, especially those that set out to exploit software vulnerabilities and impersonate legitimate devices.
  • User education: USecure estimates that human error plays a part in 95% of security breaches. Good practice around basics like password security and detecting phishing attempts can protect against many attacks.
  • Multifactor authentication: The use of MFA can prevent hackers from accessing systems, even if credentials have been compromised.
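The first two mitigations above, behavioral analysis and device/browser fingerprinting, come down to the same idea: learn what each user normally looks like, then flag authentication events that deviate from that profile. The following Python is an added example written for this entry; it is not code from the original page or from any product it mentions. It builds a per-user baseline from a training window of constructed authentication events (device fingerprint hash, source network, hour of day, action type, whether MFA was presented) and alerts on later events that deviate in two or more respects. Every user name, IP address, fingerprint value and action name is invented for the example, and the field names of AuthEvent are assumptions about what an identity provider might log. It covers both cases the page describes: an external login from an unknown device and network, and an insider-style misuse of a known, already-authenticated device at an unusual hour.

```python
"""Baseline-and-deviation detector for masquerade-style logins (hypothetical example).

Profiles each user from a training window of authentication events, then scores
later events by how many attributes fall outside that profile.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    user: str
    src_ip: str
    device_fp: str  # hash of the browser/device fingerprint (assumed field)
    mfa: bool       # True if a second factor was presented
    action: str     # e.g. "login", "view_report", "export_payroll" (constructed names)


def _net(ip: str) -> str:
    """Coarse /24 key so a DHCP change inside the same office is not 'new'."""
    return ".".join(ip.split(".")[:3])


def build_profiles(events):
    """Per-user sets of devices, networks, active hours and actions seen in training."""
    profiles = defaultdict(lambda: {"devices": set(), "nets": set(), "hours": set(), "actions": set()})
    for e in events:
        p = profiles[e.user]
        p["devices"].add(e.device_fp)
        p["nets"].add(_net(e.src_ip))
        p["hours"].add(e.ts.hour)
        p["actions"].add(e.action)
    return profiles


def score_event(e, profile):
    """Return the list of ways one event deviates from the user's profile."""
    reasons = []
    if e.device_fp not in profile["devices"]:
        reasons.append("new_device")
    if _net(e.src_ip) not in profile["nets"]:
        reasons.append("new_network")
    if e.ts.hour not in profile["hours"]:
        reasons.append("unusual_hour")
    if e.action not in profile["actions"]:
        reasons.append("unusual_action")
    if not e.mfa:
        reasons.append("no_mfa")
    return reasons


def detect(events, baseline_end, threshold=2):
    """Train on events before baseline_end; alert on later events with >= threshold deviations.

    A user with no baseline at all is always reported so an analyst can review it.
    """
    profiles = build_profiles(e for e in events if e.ts < baseline_end)
    alerts = []
    for e in events:
        if e.ts < baseline_end:
            continue
        profile = profiles.get(e.user)  # .get() does not create an empty profile
        if profile is None:
            alerts.append((e.user, e.ts, ["no_baseline"]))
            continue
        reasons = score_event(e, profile)
        if len(reasons) >= threshold:
            alerts.append((e.user, e.ts, reasons))
    return alerts


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample log: one baseline week, then a detection window.
SAMPLE_EVENTS = [
    AuthEvent(_t("2024-03-04 09:02"), "alice", "10.1.20.5", "fp-a1", True, "login"),
    AuthEvent(_t("2024-03-04 09:10"), "alice", "10.1.20.5", "fp-a1", True, "view_report"),
    AuthEvent(_t("2024-03-05 08:55"), "alice", "10.1.20.6", "fp-a1", True, "login"),
    AuthEvent(_t("2024-03-05 16:40"), "alice", "10.1.20.6", "fp-a1", True, "view_report"),
    AuthEvent(_t("2024-03-04 10:15"), "bob", "10.1.30.2", "fp-b7", True, "login"),
    AuthEvent(_t("2024-03-06 11:30"), "bob", "10.1.30.2", "fp-b7", True, "view_report"),
    # detection window
    AuthEvent(_t("2024-03-11 09:05"), "alice", "10.1.20.7", "fp-a1", True, "login"),  # normal
    AuthEvent(_t("2024-03-12 03:14"), "alice", "203.0.113.9", "fp-z9", False, "export_payroll"),  # external masquerade
    AuthEvent(_t("2024-03-12 02:05"), "bob", "10.1.30.2", "fp-b7", False, "export_payroll"),  # misuse of a known device
    AuthEvent(_t("2024-03-12 12:00"), "carol", "10.1.40.1", "fp-c3", True, "login"),  # no baseline yet
]
BASELINE_END = _t("2024-03-10 00:00")


def run_sample():
    return detect(SAMPLE_EVENTS, BASELINE_END)


if __name__ == "__main__":
    for user, ts, reasons in run_sample():
        print(f"{ts:%Y-%m-%d %H:%M} {user}: {', '.join(reasons)}")
```

The threshold is what keeps this usable: a single "new_device" on its own is a laptop refresh, but a new device plus a new network plus a missing second factor is the signature the page describes, and bob's case shows that a known device and network are not by themselves proof of a genuine user. In practice the baseline would be rebuilt on a rolling window and the profile keys extended to whatever the identity provider actually records.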