Overview

Phishing is a cybercrime in which targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.

Brief History

The term “phishing” might seem relatively new to many, but its roots trace back several decades. The evolution of phishing mirrors the broader history of the internet and cybercrime, reflecting the constant cat-and-mouse game between cybercriminals and those looking to stop them.

The 1980s: The Precursors

Before the term “phishing” was coined, there were already scams that bore a resemblance to modern phishing. In the 1980s, hackers would exploit the phone system in a practice known as “phreaking.” They would trick individuals into revealing personal information or codes that could be used to gain free long-distance calls.

The 1990s: Birth of the Term

The 1990s saw the rise of the internet and, with it, new opportunities for cybercrime. The term “phishing” is believed to have originated from the word “fishing,” as in “fishing for information.” The “ph” was likely influenced by “phreaking,” linking the two eras of cyber scams. The first recorded instance of phishing was associated with the hacking tool “AOHell” in 1994. This tool was designed to exploit AOL users by stealing their passwords. As AOL grew in popularity, so did these attacks, with hackers “fishing” for passwords and account details.

The 2000s: Rise in Sophistication

As the internet became more commercialized, the potential financial gains from phishing increased. Cybercriminals began targeting not just individuals but also banks, e-commerce sites, and other businesses. The techniques also evolved. Instead of just sending out mass emails, attackers began using more sophisticated methods, like website cloning, where they’d replicate a legitimate website to trick users into entering their credentials.

In 2003, a wave of phishing attacks targeted customers of banks like Wells Fargo, eBay, and PayPal. These attacks were notable for their increased sophistication, using tactics like URL obfuscation to hide their malicious intent.

The 2010s: Spear Phishing and Beyond

The 2010s saw the rise of targeted phishing attacks, known as spear phishing. Instead of sending out mass emails, cybercriminals would gather detailed information about their targets and craft personalized messages, often impersonating colleagues, friends, or trusted institutions. These attacks were harder to detect and had a higher success rate.

High-profile breaches, like those at Sony Pictures and the Democratic National Committee, were the result of spear-phishing campaigns. These incidents highlighted the potential consequences of phishing, not just in financial terms but also in terms of reputation and national security.

Types of Phishing

Email Phishing:

• • Description: This is the most widespread form of phishing. Attackers send fraudulent emails to a vast number of potential victims, hoping that even a small percentage will fall for the scam. These emails often appear to come from reputable sources, such as banks or popular online services.
  • Example: An email claiming to be from a bank, warning the recipient of suspicious activity on their account and urging them to click on a link to verify their details.

Spear Phishing:

• • Description: Unlike generic email phishing, spear phishing is highly targeted. Attackers gather detailed information about their victim to craft a personalized message, increasing the likelihood of the scam’s success.
  • Example: An email seemingly from a colleague, referencing a recent work event and attaching a “document” that, when opened, deploys malware.

Whaling:

• • Description: A subset of spear phishing, whaling specifically targets high-profile individuals within an organization, such as CEOs, CFOs, or other executives. The goal is often to deceive these individuals into authorizing high-value transfers of money.
  • Example: An email that appears to be from a company executive, directing the finance department to wire funds to a specified account.

Vishing (Voice Phishing):

• • Description: Instead of using email, vishing attacks are conducted over the phone. Attackers might pose as bank officials, tech support agents, or other authorities to extract sensitive information from the victim.
  • Example: A call from someone claiming to be from the IRS, stating that the victim owes back taxes and threatening legal action unless payment is made immediately.

Smishing (SMS Phishing):

1. • Description: Similar to vishing but conducted via SMS. These messages will often contain a sense of urgency to prompt immediate action.
   • Example: A text message alerting the recipient to a “problem” with their bank account, with a link to a fake banking site where they’re prompted to enter their login details.

Pharming:

1. • Description: Pharming redirects users from legitimate websites to fraudulent ones without their knowledge. This can be achieved by exploiting vulnerabilities in the DNS server or by infecting a user’s computer with malware.
   • Example: A user types in the web address for their bank, but due to DNS poisoning, they’re redirected to a fake version of the site where their credentials are stolen.

Clone Phishing:

1. • Description: In this method, attackers replicate a legitimate email that the victim has previously received, but modify it to include a malicious link or attachment.
   • Example: A user receives an email that appears to be a follow-up to a previous legitimate message, but this new email contains a malicious attachment.

Watering Hole Phishing:

1. • Description: Attackers identify websites frequently visited by their intended targets, then attempt to infect those sites with malware. The goal is to compromise the target’s computer when they visit the infected site.
   • Example: A cybercriminal targets employees of a specific company and infects a trade publication website known to be frequented by those employees.

 

Techniques Used in Phishing

Link Manipulation:

• • Description: This is one of the most common phishing techniques. Attackers design emails with deceptive links that appear legitimate but redirect users to malicious websites.
  • Example: An email contains a link that visually appears to be “www.bankofamerica.com“, but the actual hyperlink redirects to “www.bankofamerlca.com” (notice the ‘l’ instead of an ‘i’).

Website Forgery:

• • Description: Once a user clicks on a deceptive link, they might be taken to a website that looks identical to a legitimate one. These websites are designed to capture the user’s credentials or other sensitive information.
  • Example: A user lands on a page that looks exactly like their online banking portal but is actually a replica created by attackers.

Infected Attachments:

1. • Description: Emails or messages with malicious attachments that, when opened, can install malware on the user’s device.
   • Example: An email claiming to have an invoice attached, but when opened, it installs ransomware on the user’s computer.

Pop-Up Forms:

1. • Description: When visiting a website, a user might encounter a pop-up that prompts them to enter personal information. While many pop-ups are legitimate, phishers use fake ones to steal information.
   • Example: A user visits a news website and immediately receives a pop-up asking them to sign in with their email and password to continue reading.

IDN Homograph Attacks:

1. • Description: Attackers exploit the fact that many different characters look alike (homographs) to create deceptive URLs using characters from different scripts.
   • Example: Using the Cyrillic ‘а’ instead of the ASCII ‘a’ in a domain name, making it look legitimate at first glance.

Content Injection:

• • Description: Attackers insert malicious content into legitimate websites, changing the content to deceive users into thinking they’re interacting with the site’s genuine features.
  • Example: On a forum website, an attacker might change a download link to point to a malicious file instead of the intended one.

Hidden Text and Zero Font Attacks:

• • Description: Attackers hide text within an email, making it invisible to the recipient but visible to email filters. This can help malicious emails bypass security systems.
  • Example: An email contains white text on a white background, listing various banking terms, making it seem to filters like a legitimate banking email.

Social Engineering:

1. • Description: Beyond technical methods, phishers often rely on manipulating human psychology. By creating a sense of urgency, fear, or appealing to the user’s curiosity or greed, attackers can persuade users to take actions they normally wouldn’t.
   • Example: An email claiming the user has won a large sum of money and needs to click on a link to claim it.

Search Engine Phishing:

1. • Description: Attackers set up malicious websites that offer too-good-to-be-true deals or services, then pay for ads or optimize SEO to appear at the top of search results.
   • Example: A user searches for “cheap designer shoes” and clicks on a top result, which takes them to a fake e-commerce site.

1. Educate Your Customers:
   • Awareness Campaigns: Regularly inform customers about the dangers of phishing through emails, newsletters, or website banners.
   • Provide Examples: Share samples of phishing emails or messages that look similar to your official communications.
   • Online Resources: Create a dedicated section on your website with information about phishing, including how to recognize and report it.
2. Use Secure Communication:
   • SSL Certificates: Ensure your website uses SSL (Secure Socket Layer) encryption. This can be identified by “https://” in the URL.
   • Avoid Requesting Sensitive Information: Never ask customers to provide personal or financial information through email or SMS.
3. Implement Advanced Email Security:
   • SPF, DKIM, and DMARC: Use these protocols to validate and authenticate emails, making it harder for phishers to spoof your domain.
   • Email Filtering: Use advanced email filtering solutions to detect and block phishing emails.
4. Regularly Update and Patch Systems:
   • Stay Updated: Ensure all systems, software, and plugins are regularly updated to fix vulnerabilities that phishers might exploit.
   • Use Firewalls: Implement firewalls to block malicious traffic.
5. Multi-Factor Authentication (MFA):
   • Encourage or mandate the use of MFA for customer accounts. Even if phishers obtain login credentials, MFA can prevent unauthorized access.
6. Monitor Brand Impersonation:
   • Domain Monitoring: Use services that alert you if domains similar to yours are registered.
   • Report Fake Profiles: Monitor social media for fake profiles impersonating your brand and report them.
7. Provide a Reporting Mechanism:
   • Dedicated Channel: Offer an easy way for customers to report suspicious emails or messages they receive.
   • Quick Response: Have a team in place to quickly address reported phishing attempts and take necessary actions.
8. Regular Backups:
   • Encourage customers to regularly back up their data. If they fall victim to ransomware through phishing, they can restore their data without paying a ransom.
9. Use Anti-Phishing Tools:
   • Implement anti-phishing toolbars or browser extensions that can detect and block phishing websites.
10. Regularly Test and Train Employees:
    • Simulated Phishing Attacks: Periodically test your employees with fake phishing emails to ensure they can recognize and handle them appropriately.
    • Training: Offer regular training sessions to keep employees updated on the latest phishing tactics.
11. Clear Communication Channels:
    • Ensure customers know the official channels through which you’ll communicate with them. For instance, if you never contact customers via SMS, make sure they’re aware of this.
12. Stay Informed:
    • Stay updated on the latest phishing techniques and trends. Join cybersecurity forums, subscribe to threat intelligence feeds, and collaborate with industry peers.

Real Case Studies

Target (2013):

1. • Overview: One of the most significant data breaches in history, the Target attack compromised the credit and debit card information of 40 million customers and the personal details of an additional 70 million.
   • How it Happened: The initial point of entry was a phishing email sent to an HVAC company that did business with Target. Once the attackers gained access to the HVAC company’s credentials, they exploited weaknesses in Target’s network, eventually accessing the point-of-sale systems.
   • Aftermath: The breach cost Target over $200 million in settlements and related expenses. The company’s CIO and CEO both resigned in the wake of the incident.

Sony Pictures (2014):

1. • Overview: A massive breach at Sony Pictures Entertainment led to the theft and subsequent leak of vast amounts of data, including unreleased films, scripts, and sensitive internal emails.
   • How it Happened: The attackers used spear-phishing emails to gain initial access to Sony’s network. These emails appeared to come from trusted sources and contained malicious links or attachments.
   • Aftermath: The breach had significant financial and reputational consequences for Sony. It also sparked political tensions, as the U.S. government attributed the attack to North Korea.

Hillary Clinton’s Campaign (2016):

1. • Overview: A spear-phishing email sent to John Podesta, Hillary Clinton’s campaign chairman, led to the release of thousands of emails, creating a significant disruption during the 2016 U.S. presidential election.
   • How it Happened: Podesta received an email, seemingly from Google, claiming that someone had his password and urging him to change it immediately. The link in the email led to a fake login page where Podesta’s credentials were captured.
   • Aftermath: The leaked emails were widely publicized, leading to intense scrutiny and criticism of the Clinton campaign. The incident also heightened concerns about election security and foreign interference.

Ubiquiti Networks (2015):

1. • Overview: Ubiquiti Networks, a tech company, lost $46.7 million due to a combination of phishing and social engineering.
   • How it Happened: Attackers used spear-phishing emails to target the finance department, impersonating senior executives and requesting large wire transfers.
   • Aftermath: While Ubiquiti managed to recover some of the funds, they still faced a significant financial loss. The incident highlighted the dangers of BEC (Business Email Compromise) scams.

Google and Facebook (2013-2015):

1. • Overview: Over a period of two years, a Lithuanian man scammed two of the biggest tech companies, Google and Facebook, out of over $100 million combined.
   • How it Happened: The attacker posed as a Taiwanese hardware vendor (which both companies did business with) and sent phishing emails with fake invoices. Both companies paid these invoices before realizing the deception.
   • Aftermath: The scammer was eventually caught and extradited to the U.S., where he faced multiple charges. The incident showcased that even tech giants are not immune to sophisticated phishing schemes.