Spoofing: funny name, not so funny consequences

  • Published
  • By Tech. Sgt. Stacy Fowler
  • 1st Special Operations Wing Public Affairs
You're cruising Destin, Fla., looking for a place to eat, and get a text from your mom/girlfriend/husband asking you to check out this "awesome" link. So you click it, and there's nothing...which is a little odd.

What do you do? Most would ignore it or shrug it off as a "glitch." Some would try again and a few would text the person back about it - just to find out that the person you thought was texting wasn't the person who sent the text.

Congratulations, you've just been "spoofed!"

If you're just a little unlucky, it was downloading a virus. If you're even less lucky, you now have one of a hundred different types of malware that is siphoning information off your phone. That picture of you that you thought was just between you and your significant other, or the contact list of friends and family is now in someone else's hands.

Spoofing occurs when a person uses a web program or service to send another person an e-mail, text or call with the "from" line or caller ID saying the message is from a trusted friend or phone number. Many times it is for malicious purposes, and can lead to even bigger problems.

Think it can't happen? Think again, said Master Sgt. Andrew Maresh, 1st Special Operations Wing Information Operations Operations Security program manager. It's happening all the time and most people don't even know it's happened until it's too late.

"There is a growing problem about people being exploited by the 'spoofing' of e-mails, text messages, and phone calls," Maresh said. "This is a very simple thing to do and takes only seconds to accomplish."

Think it's illegal? In less than five minutes, Maresh visited two websites that flaunt their abilities to "spoof" numbers and websites, and/or install "tracking" software.

"Legal or illegal, these programs and companies are out there selling this stuff and nobody is shutting them down," Maresh said. "And it's not just your personal phones or computers at risk - government systems and sites get spoofed all the time."

This modern "battlefield," according to a notice sent to Airmen at Hurlburt Field, Fla., includes both geographic locations as well as the computers at home.  Spoofing has hit the Air Force Portal, myPay and countless corporate websites, not to mention those "official use" smartphones, blackberries and cell phones that many military members carry. And many times it's a two-pronged attack: they steal personal information or Common Access Card credentials, and install malware into a government system.

"If I were to go to one of these spoofed sites and use my CAC, that site can then use my information to gain access to any NIPR system," Maresh said. "All it takes is just one person to have their CAC credentials stolen, and the door is wide open."

It also opens the door for other things like identity theft, or "Facebook stalking," which can turn dangerous, Maresh said.

"If you get an email or text from your spouse, parent or best buddy asking you to meet them somewhere, and you have no clue why but go anyway - the person who meets you might not be the person you thought it was going to be," he said.

So how can you fight spoofing? One of the first options is to trust, but verify. Have safe words or phrases for texts, or send a quick text back if you get something on your phone that seems off. For websites, especially military websites like Air Force Portal or myPay, ensure there aren't any extra words or misspellings in the site name. And secure and protect recall rosters and phone listings.

"The only way to defend against this is to educate our fellow Airmen and family members," Maresh said. "Please don't post your personal information, such as your phone number or e-mail address, on the web. Please remember awareness is our best defense against this threat."

For more information on spoofing and its dangers, contact the 1st SOW Information Operations office at 884-5829.