By Maya Kushner, Esq. and Marc Emden, Esq.
The idea of concealing your identity to defraud someone else has existed for centuries. But while most of us know better than to answer an email from a “Nigerian prince,” what about that one suspicious email from you co-worker? While misrepresenting your physical identity may require you to possess abilities like Mystique from X-Men, misrepresenting your identity online is so easy — anyone with an internet connection can do it.
Online “spoofing” is an act of masquerading as someone else in order to trick, alarm, or annoy another; to do so is often a crime. Cybercriminals can spoof many aspects of our electronic communications, and arguably the easiest one to spoof is an email address. Surprisingly, there are several websites that exit for this sole purpose. These websites eliminate the need for technological know-how; the criminal needs only to fill in the appropriate fields with the recipient’s email address, the email address the message will appear to be from, and the message itself.
Emdenlaw has handled a number of cyber crime cases, including email spoofing. In one case, Perpetrator “P” attempted to get out Client “C” in trouble for harassment at work. To accomplish this, P used a spoofing website to send a number of harassing emails to himself and made it appear as though they came from C, then complained to management. C became the focus of an internal investigation and relied upon Emdenlaw to exonerate him.
Spoofing an IP address is a more tech-savvy way of making an email look like it came from someone else. IP spoofing is used by criminals to facilitate man-in-the-middle attacks to intercept and even alter legitimate communications between unsuspecting parties. IP spoofing is also used in denial-of-service attacks — where criminals take down a website by flooding it with access requests.
Caller IDs can also be spoofed. In a recent phone scam in Portland, OR, for example, criminals made calls that appeared to come from 911. When the unsuspecting party answered the phone, the scammers would advise that there was a warrant out for the person answering the phone. In order to avoid arrest, scammers advised wiring money at a number they provided. The scam was fairly sophisticated — if the recipient of the call hung up and then pressed redial, the call-back number went to a real 911 operator.
A newer target of spoofing is GPS signals. In a GPS spoofing attack, the criminal broadcasts counterfeit GPS signals to make the receiver estimate its position to be somewhere other than where it actually is. It is hypothesized that Iran’s capture of the U.S. spy drone in 2011 was effected through GPS spoofing. But while neither this nor any other malicious attack has been officially confirmed, we know that GPS spoofing is possible. In 2013, a group of University of Texas students conducted a “proof of concept” attack; the students were invited aboard a private yacht sailing from Monaco to the island of Rhodes to test their GPS spoofing device — they were successful in making the yacht veer off its intended course without alerting any navigation alarms.
Spoofing presents unique challenges in the legal field. First, technology usually evolves much faster than the law. For example, while Maryland already criminalized many types of spoofing, such as email spoofing and IP spoofing, the legislature has not yet considered GPS spoofing at all. Second, perpetrators are difficult to identify — as the main purpose of a spoofing attack is to hide the identity of the criminal. Also, many times the technological tools used to carry out the attack are located outside of the U.S. For example, in an email spoofing attack, police can conduct a forensic analysis of the perpetrator’s laptop to prove that it was used in the attack. However, police will not be able to go directly after and shut down the website that was used to facilitate that attack if it is hosted, say, in Europe.
Ultimately, as spoofing becomes more prevalent, more and more cases will require expert testimony. As we discussed in our article on the use of social media communications as evidence, courts are wrestling with reliable ways to authenticate a Tweet or a Facebook message before allowing the message to be used as evidence. In some cases courts have found it sufficient that the Tweet came from the name or Twitter handle used by the defendant. However, with just how easy it is to spoof sender information, this authentication standard will likely change in future cases.