As widespread and well-known as phishing is now, it hasn’t been around forever. Although the practice originated sometime around the year 1995, these types of scams were not commonly known by everyday people until nearly ten years later.
That doesn’t mean that phishing was not a force to be reckoned with right from the start. In order to avoid falling prey to such scams yourself, it is helpful to have a basic understanding of the history behind them.
Phishing scams use spoofed emails and websites as lures to prompt people to voluntarily hand over sensitive information. Because the victim is baited with a lure, it isn't surprising that the fishing analogy gave these ploys their name. There is also a good reason for the use of "ph" in place of the "f" in the spelling of the term. Some of the earliest hackers were known as phreaks. Phreaking refers to the exploration, experimentation and study of telecommunication systems. Phreaks and hackers have always been closely linked, and the "ph" spelling was used to link phishing scams with these underground communities.
According to Internet records, the first time that the term “phishing” was used and recorded was on January 2, 1996. The mention occurred in a Usenet newsgroup called AOHell. It is fitting that it was made there too; America Online is where the first rumblings of what would become a major criminal issue would take place.
Back when America Online (AOL) was the number-one provider of Internet access, millions of people logged on to the service each day. Its popularity made it a natural choice for those who had less than pure motives. From the beginning, hackers and those who traded pirated software used the service to communicate with one another. This community was referred to as the warez community. It was this community that eventually made the first moves to conduct phishing attacks.
The first way in which phishers conducted attacks was by stealing users' passwords and using algorithms to generate randomized credit card numbers. While lucky hits were few and far between, they struck the jackpot often enough to cause a lot of damage. The random credit card numbers were used to open AOL accounts, and those accounts were then used to spam other users and for a wide range of other abuses. Special programs like AOHell were used to simplify the process. AOL put an end to this practice in 1995, when the company introduced security measures to prevent the successful use of randomly generated credit card numbers.
With their random-credit-card-number racket shut down, phishers created what would become a very common and enduring set of techniques. Through the AOL instant messenger and email systems, they would send messages to users while posing as AOL employees.
Those messages would request users to verify their accounts or to confirm their billing information. More often than not, people fell for the ruse; after all, nothing like it had ever been done before. The problem intensified when phishers set up AIM accounts through the Internet; such accounts could not be “punished” by the AOL TOS department. Eventually, AOL was forced to include warnings on its email and instant messenger clients to keep people from providing sensitive information through such methods.
In many ways, phishing hasn't changed a lot since its AOL heyday. In 2001, however, phishers turned their attention to online payment systems. Although the first attack, which was on E-Gold in June 2001, was not considered to be successful, it planted an important seed. In late 2003, phishers registered dozens of domains that, to anyone not paying close attention, looked like legitimate sites such as eBay and PayPal. They used email worm programs to send out spoofed emails to PayPal customers. Those customers were led to spoofed sites and asked to update their credit card details and other identifying information.
By the beginning of 2004, phishers were riding a huge wave of success that included attacks on banking sites and their customers. Popup windows were used to acquire sensitive information from victims. Between May 2004 and May 2005, about 1.2 million users in the U.S. suffered losses caused by phishing, totaling approximately $929 million. Organizations lose about $2 billion per year to phishing.
Phishing is officially recognized as a fully organized part of the black market. Specialized software that handles phishing payments emerges on a global scale, which in turn outsources a huge share of the risk. Organized crime gangs build this software into their phishing campaigns.
In late 2008, Bitcoin and other cryptocurrencies are launched. This allows transactions using malicious software to be secure and anonymous, changing the game for cybercriminals.
In September of 2013, Cryptolocker ransomware infected 250,000 personal computers, making it the first cryptographic malware spread both by downloads from a compromised website and by two different phishing emails sent to victims. The first email had a Zip archive attachment that claimed to be a customer complaint and targeted businesses; the second had a malicious link with a message regarding a problem clearing a check and targeted the general public. Once the attachment or link was clicked, Cryptolocker scrambled and locked files on the computer and demanded that the owner make a payment in exchange for the key to unlock and decrypt the files.
Starting in 2017, phishers adopt HTTPS on their sites more and more often. When you click on a phishing link, the sites it leads to (which try to trick you into entering credentials, personal information, and so on) implement web encryption at least 24 percent of the time. The green padlock gives consumers a false sense of security. All it really tells us is that traffic between the server and the user's browser is encrypted and protected against interception; it says nothing about who operates that server.
A phishing campaign targeting organizations associated with the 2018 Winter Olympics is the first to use a PowerShell tool called Invoke-PSImage, which allows attackers to hide malicious scripts in the pixels of otherwise benign-looking image files and later execute them directly from memory. Hiding the script inside an image file not only helps it evade detection; executing it directly from memory is also a fileless technique that in most cases won't get picked up by traditional antivirus solutions. This is another troubling example of how attacks are staying under the radar and evolving away from using malicious .exe files.
Conversation hijacking, a style of phishing email in which hackers insert themselves into email conversations between parties known to and trusted by one another, starts being used. Once in, hackers exploit that trust to trick users into launching an executable. Variations of this scheme are very difficult to detect and beat.
In 2018, researchers discover a new generation of phishing kit readily available on the Dark Web to cybercriminals. The kit enables anyone who downloads it to easily craft convincing emails and redirect sites that closely mimic branding elements of well-known firms and launch a phishing campaign that collects the personal and financial information of unsuspecting targets.
Gift card phishing campaigns that started in 2018 continued to evolve in 2019. The bad guys got much better at establishing a credible pretext (i.e. "incentives"), explicitly requested confidentiality, got very greedy (up to $4000 per request in gift cards), and incentivized the entire scheme by offering the recipient a bribe ("take one for yourself"), a ploy which, in a way, seeks to turn the target into a co-conspirator.
A devilishly ingenious vishing scam plays on your users' familiarity with business voicemail, seeking to compromise online credentials without raising concerns. Many organizations have their PBX system integrated with email; miss a call and the recording pops into your Inbox. There is nothing inappropriate about this scenario. But that's exactly what scammers are hoping you'll think when your users receive their email pretending to be an internal voicemail notification. Using subjects such as Voice:Message, Voice Delivery Report, or PBX Message, these emails contain another email as the attachment (to avoid detection by email scanning security solutions), and that inner email carries the actual phish.
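The two traits the text describes, a voicemail-style subject and an email nested inside the email, are each harmless on their own but together form the lure pattern. The following added example (not code from the original article) builds a constructed sample in that shape with Python's standard email library and shows a gateway-side check that flags the combination; the addresses and subject lines of the sample are invented.

```python
import email
from email import policy
from email.message import EmailMessage

# Lure subjects named in the text, compared case-insensitively against the outer message.
VOICEMAIL_SUBJECTS = ("voice:message", "voice delivery report", "pbx message")


def build_sample() -> bytes:
    """Constructed sample: a fake voicemail notice whose attachment is itself an email."""
    inner = EmailMessage()  # the actual phish, hidden one layer down
    inner["From"] = "PBX <pbx@example.invalid>"
    inner["To"] = "user@example.invalid"
    inner["Subject"] = "New voicemail - listen now"
    inner.set_content("Sign in to listen: http://portal.example.invalid/login")

    outer = EmailMessage()  # what the mail gateway and the user see first
    outer["From"] = "PBX <pbx@example.invalid>"
    outer["To"] = "user@example.invalid"
    outer["Subject"] = "Voice:Message"
    outer.set_content("You have a new voice message. See attached.")
    outer.add_attachment(inner)  # attaching a message object yields a message/rfc822 part
    return bytes(outer)


def nested_messages(msg):
    """Return every message/rfc822 part, i.e. every email carried inside this email."""
    return [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]


def flag_voicemail_lure(raw: bytes) -> dict:
    """Flag a message that pairs a voicemail-style subject with a nested email attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "")
    subject_hit = subject.strip().lower().startswith(VOICEMAIL_SUBJECTS)
    nested = nested_messages(msg)
    inner_subjects = [str(p.get_payload(0)["Subject"] or "") for p in nested]
    return {
        "subject": subject,
        "subject_matches_lure": subject_hit,
        "nested_email_count": len(nested),
        "nested_subjects": inner_subjects,
        # Either signal alone is common in legitimate mail; the combination is the lure pattern.
        "suspicious": subject_hit and bool(nested),
    }


if __name__ == "__main__":
    print(flag_voicemail_lure(build_sample()))
```

A real gateway rule would go on to scan the nested message's links and attachments with the same scrutiny as the outer one, which is exactly what the nesting is meant to avoid.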
Vendor email compromise, a variety of business email compromise (BEC) attack (or CEO Fraud), emerged as a new type of attack in 2019. Cybercriminals gain access to email accounts at a company in their supply chain, then use the accounts to target that company's customers. The attacks focus on organizations with global supply chains and attempt to trick a supplier's customers into paying fake invoices. Vendor email compromise impacted at least 500 organizations globally in 2019.
According to Microsoft, some of the innovative ways they've seen phishing attacks evolve so far in 2020 include: pointing email links to fake Google search results that lead to attacker-controlled, malware-laden websites; pointing email links to non-existent pages on an attacker-controlled website so that a custom 404 page is presented, which can be made to mimic the logon pages of legitimate sites; and spoofing company-specific Office 365 sign-in pages so realistically that users would think they were the real thing.
In early 2020, phishing emails related to the COVID-19 pandemic start running rampant. Popular themes include stimulus checks, fake CDC warnings, working from home, Netflix scams, fines for coming out of quarantine and many more. Every country in the world has been affected by these types of attacks.
These advancements in the way attackers are thinking about phishing to facilitate endpoint infection or credential theft make it absolutely necessary for organizations to no longer consider their security solutions as their only line of defense. Users must become the last line of defense, playing a role in organizational security.