Happy Birthday Phishing!
The first recorded use of the term Phishing is from a message board called AOHell in 1996. These were the early days of the commercial internet, the days of Netscape Navigator, Mosaic and 28.8kbps modems with their connecting ‘screech’, instantly recognisable to anyone born in before the early 1990s. (The eye watering speeds of the 56k modem would not be seen until late 1996.) Windows 95 was the cutting edge of consumer technology and Google was still another few years away. This was uncharted territory, a new frontier, and privacy and security simply did not concern most users.
The term ‘Phishing’ stems from the fact that the ‘<><’ prefix is common in html code and therefore could not be detected by early anti-counterfeiting technology. It also happens to look a little bit like a fish so the name stuck as a catch all for early illegal activity. The earliest online hackers were known as ‘Phreaks’ or ‘Phreakers’ so the ‘ph’ was adopted and the term ‘Phishing’ was born. These people were perfectly positioned to take advantage of unsuspecting users by stealing their login details and using them, alongside AI generated credit card numbers, to create new accounts.
After AOL patched its security measures, this practice almost stopped overnight and the methods moved to impersonation emails, where a user would receive an official looking email asking users to verify their user credentials, such as date of birth and password. The reason that you might recognise this approach is because such methods are still being used today. This is simply down to the fact that they still work, even after 25 years have passed. Intelligent people are still falling for the same tricks.
The positive here is that awareness and network defences have also improved during that time. However, the general consensus still considers the best protection to be training employees in how to recognise the signs and tactics of a phishing attack. To build what we call ‘A Human Firewall’. The methods have moved from classroom training to e-module training or workshops but Zacco’s online learning and one to one preparation continue to challenge our client’s perceptions, often demonstrating to employees just how easy it is to fall for such tactics. Even for those who might consider themselves IT ‘savvy’. Similarly, our new eSecure Learning tool offers extensive training on the most common threats to information security in step by step guides, easy to follow films and follow up questions allowing employees to understand and current risks at their own pace.
Now, to 20th birthdays. As Phishing techniques evolved, so too did the targets. The early eCommerce platforms were finding their way in the mid to late 90s and online payment systems were slowly becoming a potentially very profitable target. The first recorded commercial Phishing attack was on a website called e-gold in June of 2001, although it should be noted that this attack is widely considered to have failed. The platform e-gold was one of the early industry leaders in payment systems, allowing user to purchase gold and other precious metals and then transfer their ‘value’ to other e-gold accounts. The attack targeted e-gold members through its mailing list with requests for credentials and other information and, although most members did not fall for the fraud, it created the blueprint for future targeted attacks. By 2003, hackers were registering new domains that resembled legitimate sites, changing the letter ‘o’ to the numerical ‘0’ for example, and attempting to redirect users to enter their details in fake sites, hoping that they would not notice such subtle changes.
So commercial phishing turns 20 this month and it is still considered one of the most prominent forms of cyber attack, which demonstrates just how profitable it continues to be. While the techniques may have expanded and evolved over time, the basic premise and blueprints remain the same. Tricking unsuspecting users into believing that they are sharing their information with a genuine source. This reinforces the importance of employee training and awareness campaigns as the single most effective means of preventing such attacks. The simple fact is your employees are still one of your strongest lines of defence, the ‘Human Firewall’ we mentioned previously.
Generic mass produced ‘spoof emails remain the most common tactic (Just have a quick look in your spam folder if you have any doubt) but the new forms of phishing are quickly establishing themselves as successful. Fake emails often contains links to legitimate looking sites such as your office VPN, Applications Suite and even manipulated search results that direct users to infected pages. Vendor email compromise has also emerged in recent years where the infected system of an organisation is used to target that organisation’s customers, either to request fake payments or user credentials, or in some cases to further spread an infection to their customer base.
Emails can sometimes contain malware, ransomware and other executable files that look harmless but once activated can wreak havoc on a company’s network infrastructure. Similarly, malicious script can be hidden inside other code, such as inside an image file, which can be activated later, reducing the chance that it is detected by traditional antivirus solutions. A recent evolution of this is with business voicemail messages, where a missed call function often sends a recording of a voice message to the user’s email address. Attackers create a spoof voice message that looks identical to one that would normally be received and users click on the file believing it to be a voice message. In some cases, they even hear the message while malware secretly activates in the background, making it unlikely that the victim will even notice something has happened.
While some attacks take a scattered approach, others are becoming far more sophisticated and involve meticulous planning. These are continuously evaluated and refined at each stage of the attack and are often only identified once the damage has already been done. Some spoof communications are even moving offline to include phone calls (known as ‘Vishing’ for Voice Phishing) where an attacker will follow up their email with a phone call, often using an urgent and disorienting approach, to extract information or attempt to convince you further. ‘Smishing’ is also on the rise where victims receive a text message contain malicious links to websites containing malware. Others you might recognise include ‘Whale’ Phishing, where senior employees are targeted in an attempt to gain larger sums and ‘Spear’ Phishing where a user’s behaviour is observed and studied, sometimes for months, before the attacker reaches out with a personalised and highly targeted attack. Such attacks often involve ongoing communication, building trust and building rapport before eventually moving on to a request for information or a transfer of funds.
So as you can see, the damage associated with phishing continues to represent a considerable risk to both companies and individuals. Whether it is intercepting or redirecting monetary requests or staling data and auctioning it off to the highest bidder, Phishing is still incredibly profitable. Many attackers now run their organisations in the same way you might see a normal business being run with early payment incentive schemes and KPIs or bonuses for their ‘employees’. There have even been recorded cases of published Corporate Social Responsibility policies, with some attackers claiming they donate part of their profits to charity or promising not to target healthcare institutions during the Pandemic. The tactics and methods are continuously evolving and the attacks are getting smarter so, in short, the threat that Phishing represents is unlikely to disappear soon.
Your employees and colleagues continue to be one of your strongest lines of defence, give them the tools they need to defend your interests effectively.
Repeated exposure to phishing attempts will give your employees the training and confidence they need to identify real attacks. The tool has been developed using real world scenarios and has been designed to be as realistic as possible in demonstrating the tactics currently in use by attackers worldwide. Each simulated campaign gathers extensive insight into which type of attack has been more effective as well as offering insight into what risks are associated with each approach.
If you have any questions about any of the topics within this article, or if you would be interested in finding out more about how our eSecure Learning or VPhish Pro tools can help your organisation to stay one step ahead, then please reach out to Zacco Digital Trust. We would welcome the opportunity to talk through your needs and identify the best way to protect, secure and defend your private data.
Patrick Thorén
Director Digital Trust, Director Marketing and CommunicationCopenhagen
In Zacco since 2016