Wikipedia will tell you that phishing is an "attempt to acquire sensitive information... often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.” This is wrong in one regard: phishing is not often, but always, malicious. Indeed, it has become the primary vector for malware attacks with the payload delivered either as an attachment to the email itself or via a link embedded within it.
But where did it all start?
Phishing has become so commonplace that the term itself is now understood by pretty much everyone – not just IT security nerds. That wasn't always the case, and you have to look back 20 years to a posting on the old alt.online-service.america-online Usenet newsgroup to find the first recorded usage I am aware of. It dealt with a scam whereby hackers using America Online (AOL) would leverage AOL instant messenger (AIM), and email services to pose as AOL staff.
The so-called staff members would fish for account credentials by asking for billing information verification on some pretence of security checking or other. Plenty of people fell for it, and why wouldn't they? This kind of spoofing wasn't yet commonplace. AOL responded by using their Terms of Service agreements to close down the accounts of abusers; who, in turn, quickly took to the wider Internet to set up AIM accounts that couldn't be so easily switched off.
Phishing was born, and AOL started issuing warnings against revealing sensitive information via AIM or email communications – the 'ph' being was used in homage to the 'phone phreakers' who had achieved cult status amongst hackers of old. While such straightforward scams continued, and continue to this day, phishing as a threat genre didn't take long to evolve.
By 2004 the more serious phishers had started to give up on simply scamming information through the email conversation itself, and instead had turned to using email just to introduce the scam. By registering domains that were close enough to well known sites – such as eBay or PayPal – so as to hint at legitimacy at first glance, they could use a well-crafted email to point potential victims in the direction of spoofed sites.
The trick was so successful that misspelled and obfuscated URLs, along with cleverly constructed subdomains, remain in widespread use to this day. The target sites were often carbon copies of the real thing – literally a cut and paste of the relevant code – but designed purely for credential capture as the user tried and failed to login and update their credit card details as requested. Some estimates suggest nearly a billion US dollars were stolen between 2004 and 2005 in this way.
And that success has continued. According to the latest Verizon Data Breach research, 30% of phishing emails were opened in 2015, that's up from 23% in 2014. The number of people activating the payload through link clicking or attachment opening was also up from 11% to 13%. Given that phishing adopts a scattergun approach to threat distribution, this should be of considerable concern in terms of actual numbers reached.
Phishing continues to be an important attack vector for the bad guys, which is why it keeps developing – the recent arrival on the scene of whale phishing being a case in point. Luckily, MSPs can help mitigate the phishing threat to their customers by following some pretty straightforward tips.
|Five top tips on defending against phishing attacks|
Find out more about how to defend against this type of attack and what tools you need to protect your networks by downloading our free Cyber Threat Guide. http://pages.logicnow.com/Cyber-Threat-Guide_Gen-LP.html