A cloning attack refers to a type of threat in which a trusted resource is copied and used by an attacker. The cloned resource might be a cryptographically signed email, social media account, or any content that boosts trust in the attacker using a stolen reputation.
For example, we could copy the content of a popular social media page on a new account using a similar username. Because we pose as the original page, how would anyone know that we’re not the original account? Twitter protects against cloning like this with its coveted Blue Checkmark feature for verified accounts, and we’ll explore other defenses. However, most services provide no protection at all.
In this article, we’ll start out by looking at the most prominent forms of cloning attacks. Then, we’ll do our own social media cloning attack to give you a hands-on look at how these attacks work. Finally, we’ll explore ways to block these attacks.
Variations of Clone Attack
A cloning attack isn’t a specific threat. Rather it’s an umbrella term for a variety of attacks. Before we show you how to do a cloning attack, let’s look at the types of cloning attacks that exist.
Social media cloning
What if an attacker made an exact copy of your social media profile, even a similar username. How would your friends, family, and business partners know which account was the real you? If the attack is smooth, they won’t even realize the clone is a different account. Thus, they’d have no reason to verify which one is real. So they’d assume that whichever account they interact with is legitimate.
Later in this article, we’ll guide you through a real attack like this by forging an actual social media page for a Fortune 500 company.
Modern email protects mail using cryptography, called DKIM. But using a kind of cloning called a Replay Attack, bad guys can pass DKIM while changing key info in a fraudulent email. For example, they can change a Bitcoin address and send the email from a fake domain, as part of a cryptojacking attack.
Preventing this is difficult. You’ll want to set up DMARC and SPF in addition to DKIM. These are complex protocols to deploy manually. However, your mail provider should offer mechanisms for doing most of the work for you. If you use Gmail, for example, you get all three of these for free. The same is also true by default for Outlook, Protonmail, and most other big providers.
Credit card cloning
Attackers “skim” credit card readers to steal victim data, then create new cards that have that data on them. Thus, they can use the forged card as though it were the original. There’s no solid way to prevent this, just old fashioned tricks like having ATMs clearly visible so thieves can’t easily add skimmers, and ID theft protection at your bank.
RFID cards use magnetic information to open doors, show identity, and more. However, tools exist to read and copy such cards just by standing near a victim.
Thus, RFID cards are convenient, but not secure. Even just offering a smart phone app that employees can use to verify identity is better. Of course, thieves can also clone traditional, physical keys using locksmithing and lock picking. However, stealing RFID is much easier because criminals can do it automatically by just standing in your proximity.
Launching an attack
A cloning attack is easy to launch. But which type of attack So let’s try it out! First, we’ll find a target account we want to spoof. Maybe this one?
Although it’s verified, many users don’t think to check that. Instead, most users look at how many followers you have to decide if you’re “legit” or not. Still, no need to worry – we have a trick to get followers, too.
First, let’s make an account that looks like a legitimate page for our target. So we’ll copy the same posts over to our account and follow the same pages they follow. But we still don’t have any followers…
What to do? Easy peasy, simply buy them. I don’t want to promote any sketchy services here. However, some quick research into black hat marketing sites works. Finally, after paying $30, let’s look again:
Okay, not bad! We’re not quite as high in followers as the original account, but that’s enough for a victim to trust us! From here, we can scam users via Angler Phishing, by offering discounts if they give us credentials and other private info. That’s not all, really the sky is the limit from here.
Defending against a cloning attack
It’s possible to stop a cloning attack. The trick is proving that content really comes from an authentic source. For email, you can use the SPF protocol in addition to DKIM to show that an email really comes from an authorized server. But how would you defend against the attack we did in the previous section?
By allowing all users to verify their identity using legal ID. By the way, this should be opt-in for privacy. Instead of Twitter’s Blue Checkmark, which they only give to elite users, anyone should have the right to verify their identity to prevent cloning.
In other words, to prevent cloning you need verification of identity outside of the content itself.
So why don’t all sites do this? Because verifying ID is costly. You could outsource the work to Google or Microsoft by relying on Single Sign On (SSO), but they don’t manually verify legal identity either.
Are there any other options? One thing you can do is write code to detect accounts that look suspiciously similar, and flag them for manual review. But then you need the time and human resources to act on these detections.
There’s no full proof way to absolutely stop cloning. Cloning is fundamentally a social problem about identity, so a purely technical solution is never a perfect fit. However, some of these strategies can make attackers have a harder time.