First time I indirectly encountered a phishing attempt was almost twenty years ago. Back then, I had a night-job and slept for several hours in the morning before going to studies after the midday. Nokia 3310 was just released, and I developed a habit of turning it off during my rest hours. Around 11 AM, I heard a strained knock on the door only to find my worried mother outside. The thing that she told me was both hilarious and troublesome.
Apparently, she received a phone call from a “police officer” stating that I got into a car accident. To put it short, she needs to provide a moderate amount of money to bail me out. Naturally, she tried calling me first, and the fact that my phone was off worried her. However, I kept a tight schedule and by 11 AM was usually asleep, so she figured to drop by before making any decisions. We both laughed, but it got me thinking.
First of all, I had a driving license and a car registered under my name, and this information was not hard to come by. Second, they called when my mobile phone was off and knew this would improve the chances of receiving the payment. All this made the call pretty convincing. These scams are called “Vishing” (“voice” + “phishing”) and are, sadly, still alive and well.
Moreover, the rapid development of new technologies and the world wide web opened new ways to improve old tactics. Phishing mostly relies on the human error factor, and cyber security professionals stress out education as the first line of defense against it. So let’s take a closer look at the evolution of Phishing and the current state of affairs.
The definition of Phishing
Phishing is an attempt to deceive the victim to gain access to confidential and private information and/or distribute infected files. Right now the term is almost synonymous to email phishing, but that would be a narrow understanding of the practice. As well as the monetary gain would be a simplification of the possible goals. Later in the article, I will elaborate on recent examples when Phishing was used for political purposes.
The first phishing attack
In 1994–1995 AOL (America Online) were having a good time. They were one of the largest internet access providers and enjoyed a steadily growing user base. However, online security was more of a governmental thing and private businesses seldom invested in cyber security. A mistake that AOL learned the hard way by becoming the first victim of a phishing attack.
Sometime around 1994, a hacker called “Da Chronic” developed a windows application and named it “AOHell.” Among other features, it had the first-ever phishing toolkit “CC/PW Fisher” that exploited AOL’s direct messaging system. Furthermore, it was automated. A hacker was able to obtain personal credentials by sending a direct message to unsuspecting users:
“Hi, this is AOL customer service. We need to verify your account for security. Please, can you provide us with your username and password?”
Unsuspecting victims that had never encountered anything like this before willingly gave out their personal information and became the first to fall to the first phishing attack.
The evolution of phishing attacks
The success of AOHell was a significant moment in the history of Phishing, but it’s safe to assume that it would’ve emerged as a major hacking practice one way or another. Mainly because it doesn’t require in-depth networking knowledge or even basic programming skills. It relies on human error and the lack of online security awareness, manipulating human psychology just as much as technological tools.
For example, Austrian aerospace parts manufacturer FACC suffered more than 40 million euros loss because one unfortunate employee received an email from…his CEO. An email asked to transfer a tremendous amount of money to an unknown bank account what was called as a part of “acquisition project.” At this stage, there was no hacking (in the ordinary sense of the word) involved. Hackers were lucky enough to guess the CEO’s email, then spoofed it, forged a convincing letter and watched the money flow.
Proper education could’ve prevented this from happening. If the employee in question would’ve known what email spoofing is, how to carefully check the email for phishing signs, and went through cyber security training, — there’s a high chance he would’ve reacted differently.
Let’s recall the AOHell case, both of them have one thing in common: a hacker pretends to be someone else to get what he or she wants. This part barely changed in more than two decades. What has evolved is the technology that can be used for successful phishing attacks.
Email spoofing software, proxy servers that enable emailing en masse, and the high content quality of emails that can be generated using simple algorithms, — the technological part evolved. However, proper cyber security training and awareness has not, and already, companies are alarming about a lack of experts in this field.
Another thing that must be addressed is the rise of social networks. To create a convincing email, you must have at least some information that would force the receiver to take action. Before, a usual phishing email started with “Dear customer” and is one of the indicators to distinguish the real email from a fake one. Now, it’s becoming common for phishing emails to include name and surname, home address, even a password that was used for one service or another.
This brings to the last point — data-leaks. Both Facebook and Google experienced data leaks in the span of one year, and these are companies that have the capacity to invest in cyber security. Smaller services like MySpace or ArmorGames have also experienced leaks, and all this information went straight to Dark Web. Right now there’s a large package of 2.2 billion leaked credential for sale, and it’s a safe guess that phishers bought it to improve the quality of their emails.
Clone Phishing and cloned websites
According to APWG (Anti Phishing Working Group) quarterly report of 2019 Q1, there’s an increase of cloned phishing websites. Asking people for personal information via email or chat just doesn’t do anymore as more and more people are becoming aware of such scams. However, directing the victim to a cloned website and asking them to input personal information is a more efficient way to do it.
This was the case with Phish Phry attack. The attackers used a cloned phishing email, covert redirect, and a cloned website. They successfully forged a fake email, which resembled a real email the banks in question used to contact their customers. Then they modified the links inside to redirect victims to a cloned website, which as well resembled an official bank website. From there, any information input in that website went to the wrong hands, and affected accounts were dried out of money.
Furthermore, cloned websites are tough to trace because the average lifetime of such a website barely lasts a day. Once enough information is gathered, these websites are taken down and tracing them to the original creator becomes complicated. One way to spot such sites is to check whether they begin with HTTP or HTTPS, the second being an indicator of legitimacy. Sadly, due to weak regulations, even fake and cloned websites can receive an SSL (Secure Sockets Layer) certificate and pose as a secure domain.
Phishing for political goals
During the 2016 US presidential campaign John Podesta, a politician that supported Hillary Clinton, was targeted by Spear Phishing. Spear Phishing means that hackers are targeting specific individuals, instead of a vast population of netizens. He received a spoofed email that resembled Google security alert and had shortened links forged using popular Bitly services. Then he was taken to a cloned website and input personal Gmail credentials, resulting in a leak of confidential emails.
In 2015 in Ukraine, hackers were able to compromise information systems of three energy distribution companies and temporarily disrupt electricity supply to their consumers. Once again, Spear Phishing was deployed to target specific employees hoping they will open an attachment that contained BlackEnergy malware. Unlike other phishing attacks, the end-game was not to gain confidential information, but to infect the devices with a malware that later caused tremendous damage.
The fact that Phishing can be deployed to steal private credentials or to spread a virus is worrying and points to a lack of proper security practices. Cyber security companies are continuously adding cloned websites to their blacklists, and third parties are informing their customer if a data-leak has occurred. But as long as netizens of the world wide web keep clicking carelessly on shortened links and opening attachments, the hackers will find a way to exploit that.
It’s important to remember that every phishing attempt expects a fast reaction, so when you are tempted online into doing something without hesitation, do the exact opposite: calmly double check the information in front of you, consult an expert when in doubt, and from time to time read what dangers lie online. Understanding contemporary phishing techniques will help you distinguish real email from a fake one, a legit hyperlink from a covert redirect, and a cloned website from the official one.