All the phacts about phishing

Davey Winder

Wikipedia will tell you that phishing is an "attempt to acquire sensitive information... often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication." This is wrong in one regard: phishing is not often, but always, malicious. Indeed, it has become the primary vector for malware attacks, with the payload delivered either as an attachment to the email itself or via a link embedded within it.

But where did it all start?

Phishing has become so commonplace that the term itself is now understood by pretty much everyone – not just IT security nerds. That wasn't always the case, and you have to look back 20 years to a posting on an old Usenet newsgroup to find the first recorded usage I am aware of. It dealt with a scam whereby hackers using America Online (AOL) would leverage AOL Instant Messenger (AIM) and email services to pose as AOL staff.

Confidence trick

The so-called staff members would fish for account credentials by asking for billing information verification on some pretence of security checking or other. Plenty of people fell for it, and why wouldn't they? This kind of spoofing wasn't yet commonplace. AOL responded by using its Terms of Service agreements to close down the accounts of abusers, who in turn quickly took to the wider Internet to set up AIM accounts that couldn't be so easily switched off.

Phishing was born, and AOL started issuing warnings against revealing sensitive information via AIM or email communications – the 'ph' was used in homage to the 'phone phreakers' who had achieved cult status amongst hackers of old. While such straightforward scams continued, and continue to this day, phishing as a threat genre didn't take long to evolve.

By 2004 the more serious phishers had started to give up on simply scamming information through the email conversation itself, and instead had turned to using email just to introduce the scam. By registering domains that were close enough to well-known sites – such as eBay or PayPal – to hint at legitimacy at first glance, they could use a well-crafted email to point potential victims in the direction of spoofed sites.

Raging success

The trick was so successful that misspelled and obfuscated URLs, along with cleverly constructed subdomains, remain in widespread use to this day. The target sites were often carbon copies of the real thing – literally a cut and paste of the relevant code – but designed purely for credential capture as the user tried and failed to log in and update their credit card details as requested. Some estimates suggest nearly a billion US dollars were stolen between 2004 and 2005 in this way.

And that success has continued. According to the latest Verizon Data Breach research, 30% of phishing emails were opened in 2015, up from 23% in 2014. The number of people activating the payload through link clicking or attachment opening was also up, from 11% to 13%. Given that phishing adopts a scattergun approach to threat distribution, this should be of considerable concern in terms of the actual numbers reached.

Phishing continues to be an important attack vector for the bad guys, which is why it keeps developing – the recent arrival on the scene of whale phishing being a case in point. Luckily, MSPs can help mitigate the phishing threat to their customers by following some pretty straightforward tips.


Five top tips on defending against phishing attacks
  1. Education, education, education
    Although awareness of the phishing threat increases year-on-year, ongoing education of staff is key in mitigating the threat. Simply subscribing to security bulletins and keeping alert to emerging phishing campaigns in the wild can reduce exposure and, in turn, risk. By following this same advice, MSPs themselves can pass the knowledge on to their customers.
  2. Patch, patch, and patch
    Malware payloads posing as email document attachments will exploit commonly known vulnerabilities. Phishing and zero-days are not bedfellows. As an MSP, ensure your customers are up to date with operating system and application security patches to reduce the chance of compromise.
  3. Know your rights
    Equally, many of the phishing payloads require some form of administrative privilege on the target machine or network to work. By removing admin privileges where not absolutely essential to workflow, organisations can prevent the majority of email-based malware threats from executing successfully.
  4. Learn to read URLs properly
    Always pay attention to where a link is actually going, and never trust it to be where you think. That's sound advice at any time, but more so when related to a link that has arrived out of the blue in an unsolicited email. Hovering over links is a simple way to expose the destination, as is always reading them from right to left, since the domain at the end of the host portion, not the familiar name at the start, is the true destination. Finally, employ web filtering to help block known malicious domains.
  5. Leverage the power of layers
    A multi-layered approach to security is the best defence against many threats, including phishing. Combining single sign-on with strong authentication to reduce the need to enter passwords makes it much easier to spot the phishing mails that ask for those login credentials.
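Tip 4's right-to-left reading can be automated for a mail filter or awareness tool. The following is an added example, not code from the original article: it resolves the host a browser would really connect to (ignoring any decoy text before an '@', and any brand name in a subdomain or path), reduces it to the registrable domain, and flags links where a trusted brand name appears anywhere except that domain. The trusted-domain set and all URLs are constructed samples; the two-label domain rule is an assumption that a real deployment would replace with a public-suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: registrable domains our users are expected to log in to.
TRUSTED_DOMAINS = {"paypal.com", "ebay.com"}


def true_host(url: str) -> str:
    """Host a browser would actually connect to. Userinfo before '@',
    the port and the path are discarded, exactly as a browser does."""
    if "://" not in url:
        url = "http://" + url          # bare 'brand.com.evil.example/x' links
    parts = urlsplit(url)
    return (parts.hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    """Read right to left: the last two labels are what the registrant
    controls. Assumption: no public-suffix list, so 'shop.example.co.uk'
    would be reduced wrongly; production code should consult a PSL."""
    try:
        ipaddress.ip_address(host)
        return host                    # raw IP: the whole host is the target
    except ValueError:
        pass
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' if the registrable domain is one we expect, 'lookalike' if a
    trusted brand name appears anywhere else in the link, else 'unknown'."""
    domain = registrable_domain(true_host(url))
    if domain in trusted:
        return "trusted"
    brands = {d.split(".")[0] for d in trusted}   # 'paypal', 'ebay'
    if any(brand in url.lower() for brand in brands):
        return "lookalike"             # brand used as decoy, not as destination
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links illustrating the tricks described in the article.
    for link in ("https://www.paypal.com/signin",
                 "http://www.paypal.com.account-verify.example/login",
                 "https://www.paypal.com@198.51.100.7/",
                 "paypal.com.evil.example/reset",
                 "https://example.org/news"):
        print(f"{classify(link):9} {true_host(link):40} {link}")
```

Note that homoglyph and internationalised domain names are not covered: the host check is purely structural, so pair it with the web filtering the tip recommends.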


Find out more about how to defend against this type of attack and what tools you need to protect your networks by downloading our free Cyber Threat Guide.