Last year (2016) turned out to be a banner year for phishing. According to APWG (the Anti-Phishing Working Group), the total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 2015. In the fourth quarter of 2016, APWG saw an average of 92,564 phishing attacks per month, an increase of 5,753% over 12 years. If that doesn't make your eyes pop out of your skull, then there's probably little that shocks you. Losses from phishing were estimated to be as high as $5 billion in a report released in early 2014 by Microsoft. In light of such jaw-dropping data it's worth taking a look at phishing: its origins, its various forms, and why it remains such an effective strategy for the bad guys.

Phishing celebrated its 20th birthday last year. The practice got its start on AOL when a group of hackers and other ne'er-do-wells banded together to create a tool for randomly generating credit card numbers, which they in turn used to create phony AOL accounts. They would then spam other AOL members with phishing attempts in order to trick users into revealing passwords and PII such as birth dates, credit card numbers, and Social Security numbers. The end goal was to steal more AOL accounts, from which they could send spam or launch further phishing attacks.
Just a guppy
These early hackers and pirates were part of a warez community that relished stealing software, games, and whatever else wasn't nailed down. AOL thwarted the group's credit card generators in 1995, but, as with most things to do with hacking, it proved to be only a minor setback. They quickly moved on to what has become the hallmark of phishing: impersonating trusted organizations in order to con PII from unsuspecting victims. The word "phishing" had its genesis in a Usenet group for AOL and has been credited to the well-known spammer and hacker Khan C. Smith. Imagine putting those credentials and accomplishments on a LinkedIn profile. The first recorded mention of the term was in the AOHell hacking tool, which included a function for stealing the passwords and financial info of AOL users.

AOL attempted to shut down the nascent phishing movement by detecting words in its chat rooms that discussed the practice and suspending the accounts of those using the trigger words. Undeterred, the phishers simply substituted the character string '<><' for any word referring to stolen credit cards, accounts, or other illegal activity. Angle brackets appear in every HTML page, so the string didn't raise any flags with AOL's filter. It also looked a lot like a fish.

The unusual spelling came from the association with "phreaking," the older practice of manipulating the phone network, which the Yippie movement popularized in the late 1960s and early 1970s. Prior to the advent of personal computers and long before the internet, phone phreaks labored long and hard to scam Ma Bell for free phone calls. The late Yippie leader Abbie Hoffman described the practice in his book, amusingly titled "Steal This Book." The notion that everything should be free also predates the founding of the Internet and AOL.
Going off to spawn
Innovation in phishing hardly stopped with scamming AOL users, as easy and lucrative as that remains even today. Sights were set on higher-value targets, which took the form of going after financial info such as bank account numbers and SSNs. Victims received emails warning them that they urgently needed to update their billing information in order to keep their accounts active. Hackers quickly realized that they had struck gold with this tactic. Not only could they steal a victim's password, but they could also abscond with credit card numbers, bank account info, and even the Holy Grail: an SSN. It was almost too easy!

The core approach to phishing is remarkably simple and consistent across all its forms: gain a target's trust (con them) by posing as genuine communication from a trusted source in order to extract PII, online credentials, and financial info. The most common tactic is to send emails with convincing verbiage stating that the target must click on a link to take some form of urgent action. The link either leads to a phony website where the victim is relieved of their PII, or to a "man in the middle" setup where the attacker's site proxies the victim's session through to the legitimate website and captures credentials (and even one-time codes) as they pass through. The victim is none the wiser until the eventual fallout of a drained bank account or account lockout. The purloined info is either used directly by the thieves for their own financial gain or sold off on the Dark Web. Citibank customers were famously victims of such a MITM attack in 2006.
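The lure just described leaves fingerprints that a mail filter (or a suspicious reader) can check for: urgency language, a link whose visible text shows one domain while its href points somewhere else, plain-http links, and punycode hostnames that can hide look-alike characters. The script below is an added example, not code from the original post or from any product; it runs those checks over a constructed sample message embedded in the script. The sender, the target, every domain and the keyword list are invented for illustration, and the registrable-domain helper is deliberately crude (a real filter would consult the Public Suffix List).

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not a real capture). The sender, the recipient
# and every domain are invented for this example; "xn--bnk-qla" is punycode
# for a look-alike of "bank".
SAMPLE_EML = """\
From: "Bank Security" <alerts@secure-bank-login.example>
To: victim@example.org
Subject: URGENT: your account will be suspended
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected unusual activity. You must verify your billing information
within 24 hours or your account will be locked.</p>
<p><a href="http://bank.example.verify-now.example/login">https://www.bank.example/</a></p>
<p><a href="https://www.xn--bnk-qla.example/reset">Reset password</a></p>
<p><a href="https://www.bank.example/help">Help center</a></p>
</body></html>
"""

# Assumed keyword list; a production filter would use a larger, tuned set.
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "locked", "verify")

# Visible anchor text that looks like a URL or a bare hostname.
URLISH = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation; real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def hostname_of(text):
    """Hostname of a URL or bare domain string, or None if the text is not URL-like."""
    if not URLISH.fullmatch(text):
        return None
    return urlparse(text if "://" in text else "//" + text).hostname


def analyze(raw_message):
    """Return a list of (indicator, detail) pairs found in an RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    subject = str(msg["Subject"] or "")
    findings = []

    # 1. Urgency / threat language in subject or body.
    text = (subject + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append(("urgency", ", ".join(hits)))

    # 2-4. Per-link checks: unencrypted scheme, punycode host, text/href mismatch.
    parser = LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        target = urlparse(href)
        host = (target.hostname or "").lower()
        if not host:
            continue
        if target.scheme == "http":
            findings.append(("plain-http-link", href))
        if any(label.startswith("xn--") for label in host.split(".")):
            findings.append(("punycode-host", host))
        shown = hostname_of(visible)
        if shown and registrable_domain(shown) != registrable_domain(host):
            findings.append(("link-text-mismatch", f"shows {shown} but goes to {host}"))
    return findings


if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EML):
        print(f"{indicator:20} {detail}")
```

Against the sample, the script flags the urgency wording, the plain-http "login" link whose visible text claims to be the bank's site, and the punycode "reset" host, while the genuine help-center link passes. The mismatch check is the one worth copying: attackers count on readers trusting the blue text rather than the destination.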
A Phish by any other name still stinks
In some cases, adding insult and further injury to the initial injury, malware is installed on the victim's computer to keep the good times rolling right along. The malware then either spams the contacts in the victim's address book with more phishing messages or turns the computer into a zombie to be rented out as part of a botnet. Other variations of phishing are "spear phishing" and "whaling." The former targets specific individuals with social engineering attacks that use personal details to make the scam all the more convincing. Whaling moves spear phishing up the food chain, using the same tactics against higher-value targets such as CEOs and executives in return for higher-value rewards.

Vishing and smishing simply move the tactic to voice and SMS channels respectively. In-person exploits exist for the more brazen attacker, who disguises themselves as a repairman or someone else with a legitimate reason to be on premises and asks probing questions. Dean Pompilio discusses this tactic in his excellent "Cyber Threat Intelligence" course right here on Cybrary.it.
Multiplying the loaves and phishes
Phishing has become a highly organized and even commoditized industry. Phishing kits containing everything an enterprising hacker could possibly need to get up and running are available for purchase online. The creativity and technical expertise required of phishing pioneers during the 1990s is no longer a barrier to entry. In fact, the entire operation can now be outsourced. The kits even ship with features for evading the spam and anti-phishing filters put in place to detect and thwart them. A cat and mouse game if there ever was one!

But things don't stop there. The infrastructure for hosting phishing attacks can all be rented, from the web servers that host the phony websites that steal PII to the servers that send the phishing emails. Need a list of email addresses to spam? Check, we've got that. How about a way to turn those stolen credit card numbers, bank account details, and other financial info into cash? No problem, let us worry about that for you.

It should come as little surprise that phishing is still big business in the cybercriminal community. It just works, and keeps on working. Humans are and will always be the weakest link in any cybersecurity environment. The best defense begins in your own house. Spam and anti-phishing filters, as unreliable as they may be, are your first line of defense. From there, it's a matter of common sense coupled with a heaping helping of suspicion. Treat all forms of contact with suspicion, whether it's clicking on a link in an email or being asked for personal information over the phone, via text message, or in person. That goes double if it's the first date.