A Brief History of Phishing: Part I

SECURITY TOPICS

A Brief History of Phishing

Phishing is a threat whereby attackers use social engineering mechanisms, in a fairly automated way, to trick victims into divulging sensitive data that can later be used to assume a victim’s identity on an online site or in a financial transaction.

Phishing: A Look Back

In 2007, Symantec celebrated its 25-year anniversary as a global leader in protecting and securing its customers from the ever-evolving threats that continue today. As a matter of fact, many of the threats Symantec routinely address today were practically unheard of in the early days.

While much of the activity back then was centered around viruses and other forms of malicious code designed to wreak havoc on customers' personal computers, today’s landscape now includes new threats that can wreak havoc on customers’ personal lives, stealing their money and also their identity. One of these threats is phishing.

While the use of social engineering has long been a component of an attacker’s arsenal, the first instances of phishing attacks as we know them today occurred in the mid 1990’s and targeted America Online (AOL). The attackers typically used either instant messages or email to trick users into divulging their AOL passwords. Victims would provide the attackers with this information, which the attackers would, in-turn, and leverage to assume ownership of the victim’s AOL account. The account could then, for example, be used to send spam and the like.

Phishing Schemes Expand

Phishing Goes Financial

AOL took the phishing problem seriously and to their credit implemented numerous effective measures. While there are still phishing attacks on AOL, the numbers are relatively small. At the same time, as attackers realized their methods had potential, they began to extend them to other organizations.

This next wave of phishing brought the problem to the mainstream. Fortunately, phishers were still amateurish. The abundance of grammatical errors in their emails and Web sites were a dead giveaway that you were not dealing with a legitimate entity, and that you should be careful.

Unfortunately, many victims still failed to see the warning signs and continued to give away passwords, credit card numbers and the like. The prevalence of poorly designed phishing emails and Web sites was common enough that users were conditioned into looking for typos and other grammatical errors as a way to tell phishing sites apart from legitimate sites. However, in retrospect, this may have given many people a false sense of security.

Phishers Go Professional

While the presence of typos and the like are a telltale sign that you are dealing with a phisher, users started being conditioned into erroneously thinking that any site with impeccable grammar and spelling must be legitimate. Nothing could be further from the truth.

Many phishing campaigns today are professionally organized. Phishers usually work from ready-made kits that include sample Web pages, email, and most of the tools you need to mount a phishing attack.

The Web pages are often pretty much exact replicas of pages on the sites that are being spoofed. As well, the corresponding phishing emails are not only well articulated, but also include a plethora of mechanisms designed to evade spam filters.

One thing that has become clear to us is that the profile of a typical phisher has changed. While the stereotypical phisher in the early days might have been the proverbial teenager in his mother’s basement perpetrating mischief at two o’clock in the morning, today’s phishers comprise fairly well organized business-oriented groups that are financially motivated.

Who Are They?

Like traditional corporations, they are actively looking for ways to maximize their profitability. Also, like traditional workers, today’s phishers seem to be active primarily on weekdays. (Symantec has observed over a 20 percent drop in the number of unique phishing messages sent out on weekends.) Phishing no longer requires any technical expertise to carry out. Indeed, most parts of a phishing operation can be outsourced.

Through the underground markets, a phisher can also “rent” a compromised Web server on which to host his phishing pages. He can further outsource the process by renting another compromised machine from which phishing email can be sent out. The machine rentals will typically cost a few dollars, and if the phisher needs a list of email addresses of potential victims, those too can be purchased. Five dollars can typically buy you about thirty thousand such email addresses.

How They Do It

Once a phisher obtains credit card numbers and other credentials from his victims, he need not worry about knowing how to monetize or cash them out appropriately. That information can be sold in the underground markets as well.

These underground markets have clearly been around for some time, as evidenced by the evolution of specific terminology used in conversations that take place among criminals trying to transact. There are even well defined conventions and protocols by which the transactions take place. Some parties in these underground channels have developed sterling reputations and you can be assured that you will be treated fairly when dealing with them – quite ironic since these are all criminals transacting with each other.