The Address Resolution Protocol (ARP) is a communications protocol for resolving Internet layer addresses into data link layer addresses. When another host's IP address is known and its MAC address is needed, a broadcast packet is sent out on the local network. This is the case, for example, when both devices, the sender and the receiver, reside in a corporate network where layer 2 switches, rather than layer 3 routers, forward the traffic. This kind of broadcast packet is known as an ARP request, which can be read as the question "who has this <IP-address>?" The host that is using the IP address then responds with an ARP reply, which contains the host's MAC address: "I have that IP. My name is <MAC-address>."
There is no method in the ARP protocol by which a host can authenticate the peer from which the packet originated. Furthermore, hosts will automatically cache any ARP replies they receive, even if they have not requested them. Even ARP entries which have not yet expired will be overwritten when a new ARP reply packet is received. This behavior creates the vulnerability which allows ARP spoofing to occur.
When an attacker performs ARP spoofing, he will usually reply to the ARP requests that are directed to the default gateway. Put simply, he claims that his IP is that of the default gateway and replies with his own MAC address. So in ARP spoofing the MAC address is not actually spoofed: the attacker does not change his MAC address into the default gateway's MAC address. Instead, when a device in the network asks "who has this <default GW's IP-address>?", the attacker responds with his own MAC address. Now the traffic meant for the default gateway will be directed to the attacker. Similarly, the attacker tells the default gateway that he holds the IP of the original sender. He may then choose to inspect the packets and forward the traffic between the original sender and the actual default gateway (Man-In-The-Middle attack). He could also modify the data before forwarding it, or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
This behavior is illustrated in the two pictures below. Because the attacker sends his ARP reply after the default gateway has sent its own, the attacker's information overwrites the entry in the ARP cache and is used for the transmission of the data.
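The overwrite described above is also what a defender can watch for. The following is an added example, not part of the original page: a small monitor that parses raw ARP payloads and flags replies that answer no outstanding request, as well as replies that change an IP-to-MAC binding already seen. The function names, the 192.0.2.x addresses and the MAC addresses are constructed for illustration.

```python
import struct

# ARP payload for Ethernet/IPv4: htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_FMT = "!HHBBH6s4s6s4s"
REQUEST, REPLY = 1, 2

def build_arp(oper, sha, spa, tha, tpa):
    """Pack a 28-byte ARP payload; used here only to construct sample data."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: bytes(int(x) for x in a.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha), ip(spa), mac(tha), ip(tpa))

def parse_arp(payload):
    """Return (oper, sender MAC, sender IP, target IP) from a raw ARP payload."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP payload")
    dotted = lambda b: ".".join(str(x) for x in b)
    return oper, sha.hex(":"), dotted(spa), dotted(tpa)

def detect(packets):
    """Flag replies nobody asked for and replies that overwrite a known IP-to-MAC binding."""
    bindings = {}    # IP -> MAC taken from the most recent reply
    pending = set()  # (requester IP, requested IP) pairs still awaiting an answer
    alerts = []
    for n, raw in enumerate(packets, 1):
        oper, sha, spa, tpa = parse_arp(raw)
        if oper == REQUEST:
            pending.add((spa, tpa))
        elif oper == REPLY:
            if (tpa, spa) not in pending:
                alerts.append((n, "unsolicited-reply", spa, sha))
            pending.discard((tpa, spa))
            known = bindings.get(spa)
            if known is not None and known != sha:
                alerts.append((n, "binding-changed", spa, f"{known} -> {sha}"))
            bindings[spa] = sha
    return alerts

# Constructed sample: a host asks for the gateway, the gateway answers,
# then a second reply claims the gateway's IP with a different MAC.
HOST, GW, OTHER = "02:00:00:00:00:10", "02:00:00:00:00:01", "02:00:00:00:00:66"
SAMPLE = [
    build_arp(REQUEST, HOST, "192.0.2.10", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp(REPLY, GW, "192.0.2.1", HOST, "192.0.2.10"),
    build_arp(REPLY, OTHER, "192.0.2.1", HOST, "192.0.2.10"),
]
```

Legitimate events such as an address being reassigned to a different device also change a binding, so these alerts are a signal to investigate rather than proof of spoofing.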