Phishing Definition and History
Phishing Definition and History
Related articles in this section:
[clist id="1470243405619" post="35256"]
If you’re new to the concept of phishing, it’s a good idea to simply start at the beginning. Let’s take a look at its history, how it works, and some examples of common and phishing attacks, shall we?
See Infosec IQ in action
What is Phishing?
First of all, a definition: The word “phishing” (a play on the word “fishing”) is an attempt, originally via a message or email, to lure computer users to reveal sensitive personal information such as passwords, birthdates, credit cards, and social security numbers. To perpetrate this type of con, the communication pretends to be from an official representative of a website or another institution a person has likely done business with (e.g., PayPal, Amazon, UPS, Bank of America, etc.).
The communication may have an “iPad giveaway,” “fraud alert”, or other type of intriguing subject line. The email itself may contain the company’s logo and phone number, and otherwise look completely legitimate; another common tactic is to make it look like a personal email from a friend or relative who wants to share something with you.
However, once victims click on the provided link, instead of being directed to the real website, they are routed to a fake, where they unwittingly enter all their information as prompted. This information is captured by the thieves and used immediately, sold on the black market for nefarious purposes, or both. Many times the user’s computer is also infected, sending out phishing emails from their address books and continuing the rampage. (The malicious code can also take control of the infected computer’s web browser, a tactic known as pharming.)
As in traditional fishing, these scammers send out millions of “hooks” and only require a relative few to take the “bait” and click the link. According to the Government of Canada, 156 million phishing emails are sent worldwide, ultimately resulting in 80,000 clicks -- PER DAY. The resulting damage can be quite costly – the Ponemon Institute estimated the typical 10,000-employee company spends $3.7 million annually on the phishing problem, which shows no sign of slowing and, in fact, may be getting worse.
History of Phishing
The term and the concept of phishing can be traced back to the early 1990s via America Online, or AOL. A group of hackers and pirates that banded together and called themselves the warez community are considered the first “phishers.” In an early scam, they created an algorithm that allowed them to generate random credit card numbers, which they would then attempt to use to make phony AOL accounts. When they hit a match to a real card, they were able to create an account and spam others in AOL’s community, only needing a few to take the bait.
By 1995, AOL was able to stop the random credit card generators, but the warez group moved on to other methods, specifically pretending to be AOL employees and messaging people via AOL Messenger for their information. This quickly became such a problem that on January 2, 1996, the word “phishing” was first posted in a Usenet group dedicated to American Online. (AOL eventually included warnings on all its email and messaging software to alert users of potential phishing abuse.)
A Switch to Email
As people became more savvy about messenger scams, phishers switched to email communications, which were easy to create, cheap to send out, and made it nearly impossible for them to get caught.
And while most of these phishing messages were poorly constructed and full of grammatical errors at first, they quickly began to get more sophisticated. In September 2003, phishers began registering domains that were similar to popular companies, such as yahoo-billing.com and ebay-fulfillment.com. Then they launched an assault with new, more legitimate-looking emails, directing recipients to websites using these types of addresses to fool people into thinking they were real.
In October 2003, Paypal users were hit by the Mimail virus; when they clicked on a link contained in a phishing email, a popup window purporting to be from Paypal opened and instructed them to enter their user/password, which was immediately sent to the hackers.
In 2004, potential voters for presidential candidate John Kerry received an official-looking email, encouraging them to donate via an included link; it turned out to be a scam operating in both India and Texas that had no connection to the Kerry campaign.
Today, methods of phishing are as varied as, well, fish in the sea; fraudsters continue to come up with new ways to gain trust, avoid detection, and wreak havoc. One of many disturbing trends is the use of information gleaned through social media to make the communications as personal as possible, sometimes referred to as “spear-phishing” or “social engineering fraud.”
These types of ploys sometimes involve the long, slow, con, perhaps drawing someone in with conversation on Facebook, eventually asking for money or passwords. Or, they can use the information they learn publicly about the victim in order to be more convincing with their scam.
“Think about what people express publicly now vs. 15 years ago. It used to be very difficult to find information on people outside of their house,” Peter Cassady of the Anti-Phishing Working Group (APWG) was quoted as saying. “Now, people put so much information online and the bad guys can create semi-custom approaches and create these fantastically precise narratives.”
[cta id="1461775666362" post="35256"]
But another type of spear-phishing is even more sinister: when hackers focus on a particular company within a sector to steal data or compromise systems. Next, they target a handful of individuals within the organization, hoping the more personalized communication will prove successful. The technology company Symantec reports the energy sector is an increasingly popular target. Although a large-scale breach has yet to happen, they warn it is an increasing threat with potentially catastrophic consequences.
Phishing Examples
As we’ve mentioned, there are many different methods and subcategories of phishing, but there is one thing they all have in common: They want to fool you into giving up your personal information.
Of course, one of the main tools of the trade is still good old-fashioned email, often targeting the busy or stressed employees of large companies who may click before thinking. While many of these corporations may have safeguards in place (like malware detectors or spam filters), hackers have found creative ways to break in, in one case through the air conditioning.
Namely, the 2014 breach of the retail giant Target’s network, resulting in 110 million credit cards compromised, which was due to a phishing scam on an air conditioning company that maintained some of the retailer’s Pennsylvania outlets and had access to Target’s vendor database. The employee of Fazio Mechanical clicked on a malicious link and, unbeknownst to him, his computer was hacked, his credentials stolen, and from there they were able to access Target. Four months later, they struck.
And while Target was able to recover from the damage, other victims aren’t so lucky. In 2012, NBC News reported an unidentified British woman received a phishing email thought to be from her bank; she clicked on the link and entered her information as required. Over the next three days, thieves stole $1.6 million, her entire life savings.
Other Types of Phishing Attacks
Another popular method is called search engine phishing, where scammers target certain keywords and create web pages they hope show up in the search results. Visitors clicking on the link from Google may not realize it’s a phishing scam until it’s too late.
PC World cited a search engine phishing attack that targeted keywords related to good credit card rates and high interest bank accounts. Tempted with incredibly good offers, searchers then visited these professional-looking websites and felt confident enough to sign up. In the process, they were asked to link their external bank account, and their money was promptly stolen.
An even more fiendish breach is what is known as the “Man in the Middle” (MITM) attack, where they don’t need a phony website at all. Instead, the link allows the hacker to become a “middleman” between the legit site and the user, secretly siphoning the data as it passes through their proxy. It was first reported by The Washington Post in 2006, when Citibank business customers fell victim to the attack, and continues to be a problem for all types of businesses today because it can be almost invisible.
Vishing and Smishing
Two other important “ishings” we should mention are “vishing” and “smishing.” Vishing is short for voice phishing, which involves thieves actually calling a person on the telephone. Again, because of social media, a lot of information is public, which enables them to have more credibility.
The BBC reported about a vishing attack that duped a woman named Emma Watson into believing the phone call was from her bank. They called her landline number and, using her full name, said they were from the fraud department and they wanted to help her transfer money into a “safer” account.
"They were completely professional... they used all the language,” she told them.
These vishers can also spoof caller IDs and make it look like they are calling from a different number, adding yet another layer to their deception. With continuing advances in AI software that can completely mimic a human caller, the possibilities of future intrigue are certainly chilling.
Finally (at least for this article) there’s smishing or SMS phishing, which is sent as a text message to smart phones. McAfee noted some early attacks were disguised as a confirmation message for a phone service or other item that the user didn’t order, with a link to “cancel” the transaction. By clicking the link, the unsuspecting victim’s smartphone itself then becomes a bot in a larger phishing scam.
See Infosec IQ in action
Phishing, spear-phishing, pharming, vishing, smishing, and social engineering fraud are just a few of the latest tools hackers may use to try to get your information. In order to not fall victim, always think before you click that link.