iApplianceWeb.com

EE Times Network



Security Sentinel: Spoofing is No Joke

By Toni McConnel, Contributing Editor
iApplianceWeb
(09/29/03, 03:01:27 PM EDT)

The term “spoof” in its broadest, most generic sense dates back at least to the 1800s and traditionally means to play a joke on someone by fooling them into believing something is other than it is. In recent years the term has been adopted to refer to forms of misrepresentation that aren't funny at all, often to carry out activities that are illegal or, at the very least, unethical.

In the stock market, for example, spoofing refers to the practice of placing a buy order for a large block of a stock one already holds, with no intention of letting it fill, and cancelling it seconds later. The huge buy order pushes the price up and makes the stock look “hot,” attracting buyers. The trader who placed the spoof order can then sell at a price higher than the stock's true value.

In the world of computers, there are so many types of spoofing in use that it's hard to know what anyone means by the term without knowing the context in which it is practiced. For example, spoofing can be used to fool search engines into indexing one site while actually presenting a different site to the end user, or it can be used to disguise the identity of the real sender of an e-mail, or to substitute a hacker's site for a legitimate URL for the purpose of infecting the visitor with a virus or extracting critical information such as credit card numbers.

Spoofing e-mails

One of the simplest forms of spoofing is to send an e-mail that purports to come from one source when it actually comes from another. The motive can be as mild as wanting to send an anonymous message that can't be traced (many spammers rely on some form of this), or as sinister as the two scams now filling inboxes: HTML messages styled to look exactly like Security Updates from Microsoft but carrying viruses (I've received at least twenty of these in the last week, all aptly caught and sanitized by my virus software), and “service messages” dressed up as coming from a bank or credit card company that ask the recipient to visit a website and update credit information, with the intent of capturing credit card numbers and other critical financial data.

Often these spoofs are naively implemented and can be identified as bogus simply by looking at the return address on the e-mail. The bogus Microsoft Security Updates come from such addresses as ehihhgvtohwwo-zcwtw@support.com, rmmpabftycxyvc@bulletin.net, or zjbmbkjbrssbm-umgilvie@newsletters.ms.com, not from Microsoft, although another bogus e-mail, received at the very moment I am writing this paragraph, purports to be from technet.com. Valid Security Bulletins from Microsoft have long machine-generated usernames and come from Newsletters.Microsoft.com. A recent example from a legitimate Microsoft Security Bulletin: 0_46013_95FA31E1-9135-974F-8ACC-6D0625156317_US@Newsletters.Microsoft.com. Keep in mind, though, that the From: address is supplied by whoever sends the message and is no harder to forge than the rest of it: a wrong address proves the mail is bogus, but a right-looking one proves nothing.

Bogus service messages from credit card companies and banks can usually be spotted in the same way -- a recent scam using Citibank stationery did not have a Citibank return address.

The bogus Security Bulletins carry worm-bearing attachments that are launched by clicking an “Install patch” button in the body of the e-mail. The worm is reported to be Swen, also known as W32/Swen@MM, Gibe, and W32/Gibe-F, which attempts to steal account information, usernames, and passwords. On Windows PCs whose owners have not kept up with system patches, the worm can execute without the user clicking anything at all (more about patches in the second column of this series on spoofing).

The FBI issued a press release in July of this year saying that these types of spoofs are on the increase, and that they pose a major threat. Jana Monroe, Assistant Director of the FBI's Cyber Division, is quoted as saying, "Bogus e-mails that try to trick customers into giving out personal information are the hottest, and most troubling, new scam on the Internet." My own experience confirms this alarm, as I have received countless numbers of such e-mails over the last two months.

The types of bogus messages I have described above are usually easy to spot, if the user is alert, by simply recognizing that the return address is not legitimate. But if the user gets lured into clicking a link in one of the service-type messages, they will almost certainly end up on a “spoofed” website where, if they enter the information requested, they may become victims of credit card fraud, identity theft, and/or infection with a virus through their web browser. Now things get complicated, and how spoofed websites are created will be the subject of my next column, along with some alarms about supposedly “secure” websites.

The only defense

Perhaps someone is writing a spam filter, as we speak, that scans messages carrying the letterheads of legitimate businesses and then traces them to determine whether they really come from the companies they claim to. But as of now, spam filters are far too primitive to identify such scams. Even if you have topnotch, up-to-date virus protection software, and even if you have all the latest patches for Microsoft products, you are still not protected.

Here's why: We have laws that provide for the arrest and punishment of scam artists. But such laws don't prevent a gullible 'mark' from handing over their life savings to a charming, well-dressed, articulate person claiming to be a stock market insider with inside information that will allow the mark to make a killing in the stock market. That is, the laws are not preventive; they apply only after the fact. Most of us would agree that it's up to individuals to preemptively protect themselves by checking out the credentials of any person who has offered them something or asked for highly sensitive private information.

Visitors to iAppliance Web are likely to be sophisticated computer users who are not very gullible. But you may have family members, especially children, teens, aging parents, or others who are inexperienced computer users and relatively naïve about computer crime. Even people on your staff at work may be gullible. You need to educate such people that identity theft and credit card fraud are big business involving organized crime, which employs hackers whose job it is to stay a jump or two ahead of whatever protection schemes security companies come up with.

Unsophisticated computer users need to be alerted that any e-mail asking them to update financial information should be viewed with suspicion. The first thing to look at is the return address, usually a dead giveaway. But even if the return address appears legitimate, the company should be contacted directly by telephone, using a number from a statement or the back of the card rather than one printed in the e-mail, to confirm that the communication is genuine. Security updates and patches from Microsoft come from the Microsoft website: even if the e-mail looks legitimate, type the address yourself and check Microsoft's site first (http://www.microsoft.com/technet/) rather than following a link in the message.
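The tells described in this column (a return address that does not belong to the company the mail claims to be from, a Reply-To steering answers elsewhere, a link whose visible text names one site while its target is another, and an executable “patch” attached to the message) can be checked mechanically. The Python below is an added example written for this column, not code from the article or from any product it mentions. The two sample messages are constructed here, the .example domains in them are placeholders, the CLAIMED_BRANDS table and the registrable_domain helper are simplifying assumptions, and the list of executable extensions is illustrative.

```python
# Added example: heuristic checks for the spoofed "service" e-mails described above.
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of file types a bank or Microsoft would never mail as a "patch".
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

# Assumed table: the brand word a mail drops, and the registrable domain that brand
# legitimately mails from (the column names Newsletters.Microsoft.com).
CLAIMED_BRANDS = {"microsoft": "microsoft.com"}


def registrable_domain(host):
    """Simplifying assumption: the registrable domain is the last two labels."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_message(raw, claimed_brands=CLAIMED_BRANDS):
    """Return the reasons a raw RFC 822 message looks spoofed (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registrable_domain(addr.split("@")[-1]) if "@" in addr else ""
    # 1. Display name or subject invokes a brand, but the sender domain is not the brand's.
    claims = (name + " " + str(msg.get("Subject", ""))).lower()
    for brand, dom in claimed_brands.items():
        if brand in claims and from_dom != dom:
            findings.append(f"claims {brand} but From domain is {from_dom or 'missing'}")
    # 2. Replies are steered to a different domain than the one the mail claims.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if "@" in reply and registrable_domain(reply.split("@")[-1]) != from_dom:
        findings.append(f"Reply-To domain {registrable_domain(reply.split('@')[-1])} differs from From")
    # 3. A link whose visible text names one site while its href points at another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        collector = LinkCollector()
        collector.feed(body.get_content())
        for href, text in collector.links:
            if not href or "." not in text or " " in text:
                continue  # only compare when the visible text itself looks like a host or URL
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            target = urlparse(href).hostname or ""
            if shown and registrable_domain(shown) != registrable_domain(target):
                findings.append(f"link shows {text!r} but points at host {target}")
    # 4. An executable attached to the mail, the way the bogus bulletins deliver their worm.
    for part in msg.iter_attachments():
        filename = part.get_filename() or ""
        if filename.lower().endswith(EXECUTABLE_EXTS):
            findings.append(f"executable attachment {filename}")
    return findings


def build_bogus_sample():
    """Constructed bogus 'Security Update' exhibiting every tell above (placeholder domains)."""
    m = EmailMessage()
    m["From"] = '"Microsoft Security Bulletin" <bulletin@newsletters.example>'
    m["Reply-To"] = "updates@mail.example"
    m["To"] = "user@example.com"
    m["Subject"] = "Current Microsoft Security Update"
    m.set_content("A critical patch is available. Click Install patch.")
    m.add_alternative('<html><body><p>Install the patch: <a href="http://203.0.113.5/update">'
                      'www.microsoft.com/technet</a></p></body></html>', subtype="html")
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Install_patch.exe")
    return m.as_string()


def build_legitimate_sample():
    """Constructed bulletin whose sender and link agree with what it claims (placeholder user)."""
    m = EmailMessage()
    m["From"] = '"Microsoft Security Bulletin" <bulletin@newsletters.microsoft.com>'
    m["To"] = "user@example.com"
    m["Subject"] = "Microsoft Security Bulletin Summary"
    m.set_content('<html><body><a href="http://www.microsoft.com/technet/">'
                  'www.microsoft.com/technet</a></body></html>', subtype="html")
    return m.as_string()


if __name__ == "__main__":
    for reason in check_message(build_bogus_sample()):
        print("bogus:", reason)
    print("legitimate:", check_message(build_legitimate_sample()))
```

The checks are deliberately conservative in one direction only: a sender domain that matches the brand silences check 1, exactly as the column warns, so a clean result means “no obvious tell,” not “genuine.” The link check compares registrable domains so that www.microsoft.com and newsletters.microsoft.com are treated as the same owner while a bare IP address or a look-alike domain is not.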

Next column: How hackers steal encrypted web server keys, spoof websites, and more.

In addition to being a contributing editor for iAppliance Web, Toni McConnel is a freelance writer specializing in ghosting contributed articles for high-tech magazines. You can contact her at Toni@NetcentricCommunity.net. Comments on this column are welcome.

Copyright © 2004 Appliance-Lab