Spoofing is, generally, the act of one person pretending to be someone else, usually in an effort to scam someone or otherwise commit fraudulent or malicious acts. The word “spoof” is often used in entertainment to mean a type of media that uses imitation to parody another program or work of entertainment. In security and fraud, however, the term is used because a person is using imitation to appear to be another person or service in order to gain sensitive information or otherwise maintain an advantage over the unwitting victim.
Different types of spoofing include those involving caller ID, email, and uniform resource locators (URLs). Caller ID spoofing involves the use of a computer program to create an incorrect identity and phone number that appears on a caller ID. The development of caller ID allowed people to readily see who was calling without having to answer the phone. Caller ID spoofing allows a person to make a phone call appear as though it is coming from someone or somewhere else. Programs for caller ID spoofing allow a user to enter any name and phone number he or she wants and have that come up on the display of the receiving person’s caller ID.
Email spoofing is the act of sending an email that shows an inaccurate “From:” line. This means that someone receiving an email may believe it has come from a person or service he or she knows, when really the email may originate from somewhere else. These types of email spoofs are often used as part of a “phishing” scheme that typically involves some type of URL spoofing as well.
URL spoofing is when a fraudulent, often malicious, website is set up to look like a different, legitimate website in order to obtain sensitive information. The false websites can sometimes be used to install viruses or Trojans on a user’s computer, but more often are used to receive information from a user. These types of spoofing can be used to launch a more elaborate attack.
For example, an attacker could send a spoof email requesting immediate action from a person to ensure the security of his or her bank account. The person then follows a link in the email that leads to a spoof URL that appears to be the legitimate website for the bank, but is not. Once at the spoofed URL, the user may then type in his or her username and password to access the account, at which point the website records the private information, and will then often report an error and redirect the user back to the legitimate bank website. The user has now provided the attacker with the username and password, which the attacker can then use for malicious purposes, such as identity theft and bank fraud.