A large and lucrative exploit area involves pretending to be someone else. For example, if a hacker can break into one’s email account, they can pose as the account holder. The attacker can then contact everyone in the owner’s contact list, or anyone identified in previous emails, and try to gain information or trust to cause trouble.
Websites are sometimes spoofed as an aid to gaining trust, information and/or money from victims. It is easy to copy any website on the Internet, and if the copy is put on the Web with a similar, legitimate-sounding address (the Uniform Resource Locator, or URL), it can convince a potential victim that the hacker is actually the original owner. The original website owner may be completely unaware of this, and frankly there is little they can do to prevent it.
There are countless other ways of pretending to be somebody else on the Internet, owing to its inherently anonymous nature. There are, after all, few visible or auditory clues of authenticity, and because we are so used to doing ordinary tasks on the Internet, we are not always alert to the fact that we might be dealing with an imposter.
One of the features of this kind of attack is that the person being spoofed may have no idea it has happened and bears no fault whatsoever. For instance, if an email account is hacked, the criminal might impersonate people in the victim’s address book, just because they are known and will be recognized as trustworthy. An obvious spam message that arrives from Sheila Morgan does not mean Sheila’s computer or accounts have been compromised. Sheila might just be an innocent person in someone else’s hacked phone book.
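The Sheila Morgan case above can be checked mechanically: a message that carries a trusted contact's name but comes from an address that contact has never used is a sign the name was borrowed. The following is an added example, not part of the original module; the address book, the addresses and the function name `classify_sender` are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book: display name -> addresses known to belong to that contact.
ADDRESS_BOOK = {
    "Sheila Morgan": {"sheila.morgan@example.org"},
    "Raj Patel": {"raj@example.net", "rpatel@example.com"},
}

def _norm_name(name):
    """Lowercase, collapse spaces, and turn 'Morgan, Sheila' into 'sheila morgan'."""
    name = name.strip().strip("\"'")
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.lower().split())

_KNOWN = {_norm_name(n): {a.lower() for a in addrs}
          for n, addrs in ADDRESS_BOOK.items()}
_ALL_ADDRS = set().union(*_KNOWN.values())

def classify_sender(from_header):
    """Classify a From header value as 'known', 'name_mismatch' or 'unknown'.

    'name_mismatch' means the display name belongs to a contact but the
    address does not: the contact's name is being used by someone else.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    name = _norm_name(display)
    if name in _KNOWN:
        return "known" if addr in _KNOWN[name] else "name_mismatch"
    if addr in _ALL_ADDRS:
        # No recognised display name, but the address itself is a contact's.
        return "known"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample headers.
    for header in (
        "Sheila Morgan <sheila.morgan@example.org>",
        "Sheila Morgan <promo@mailer.invalid>",
        '"MORGAN, Sheila" <x9@bulk.invalid>',
        "Newsletter <news@shop.invalid>",
    ):
        print(f"{classify_sender(header):14} {header}")
```

A `known` result only means the name and address agree with the address book; it does not show that the contact's account is still under their control.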
For more information on Spoofing, see Spoofing Sites or Contacts later in this module.