A Brief History of Phishing: Part I
Symantec is celebrating its 25-year anniversary and, during the course of the company’s history, we’ve seen the threat landscape evolve continuously. Many of the threats we routinely address today were practically unheard of in the early days. While much of the activity back then was centered around viruses and other forms of malicious code designed to wreak havoc on customers' personal computers, today’s landscape now includes new threats that can wreak havoc on customers’ personal lives, stealing their money and also their identity.
One of these emerging threats is phishing. Phishing is a threat whereby attackers use social engineering mechanisms, in a fairly automated way, to trick victims into divulging sensitive data that can later be used to assume a victim’s identity on an online site or in a financial transaction. Throughout 2006, Symantec observed over 300,000 unique phishing emails and blocked these messages in nearly three billion phishing instances. Phishing constitutes a little less than one percent of spam (and spam itself constitutes over half the email sent today).
The early days
While the use of social engineering has long been a component of an attacker’s arsenal, the first instances of phishing attacks as we know them today occurred in the mid 1990’s and targeted America Online (AOL). The attackers typically used either instant messages or email to trick users into divulging their AOL passwords. Victims would provide the attackers with this information, which the attackers would, in-turn, leverage to assume ownership of the victim’s AOL account. The account could then, for example, be used to send spam and the like.
Armed with these successes, attackers started moving towards higher-valued targets. By telling victims that they absolutely needed to “update their billing information” and to do so quickly to keep their accounts active, they realized that they could not only learn a victim’s password, but also get his or her credit card, bank account, and/or social security number.
Phishing goes financial
AOL took the phishing problem seriously and to their credit implemented numerous effective measures. While there are still phishing attacks on AOL, the numbers are relatively small. At the same time, as attackers realized their methods had potential, they began to extend them to other organizations.
This next wave of phishing brought the problem to the mainstream. Fortunately, phishers were still amateurish. The abundance of grammatical errors in their emails and Web sites were a dead giveaway that you were not dealing with a legitimate entity, and that you should be careful. Unfortunately, many victims still failed to see the warning signs and continued to give away passwords, credit card numbers and the like.
The prevalence of poorly designed phishing emails and Web sites was common enough that users were conditioned into looking for typos and other grammatical errors as a way to tell phishing sites apart from legitimate sites. However, in retrospect, this may have given many people a false sense of security.
Phishers go professional
While the presence of typos and the like are a telltale sign that you are dealing with a phisher, users started being conditioned into erroneously thinking that any site with impeccable grammar and spelling must be legitimate. Nothing could be further from the truth.
Many phishing campaigns today are professionally organized. Phishers usually work from ready-made kits that include sample Web pages, email, and most of the tools you need to mount a phishing attack. The Web pages are often pretty much exact replicas of pages on the sites that are being spoofed. As well, the corresponding phishing emails are not only well articulated, but also include a plethora of mechanisms designed to evade spam filters.
One thing that has become clear to us is that the profile of a typical phisher has changed. While the stereotypical phisher in the early days might have been the proverbial teenager in his mother’s basement perpetrating mischief at two o’clock in the morning, today’s phishers comprise fairly well organized business-oriented groups that are financially motivated. Like traditional corporations, they are actively looking for ways to maximize their profitability. Also, like traditional workers, today’s phishers seem to be active primarily on weekdays. (Symantec has observed over a 20 percent drop in the number of unique phishing messages sent out on weekends.)
Phishing no longer requires any technical expertise to carry out. Indeed, most parts of a phishing operation can be outsourced. As mentioned above, phishing kits are readily available. They can be purchased online and are often easily customizable. Through the underground markets, a phisher can also “rent” a compromised Web server on which to host his phishing pages. He can further outsource the process by renting another compromised machine from which phishing email can be sent out. The machine rentals will typically cost a few dollars, and if the phisher needs a list of email addresses of potential victims, those too can be purchased. Five dollars can typically buy you about thirty thousand such email addresses. Once a phisher obtains credit card numbers and other credentials from his victims, he need not worry about knowing how to monetize or cash them out appropriately. That information can be sold in the underground markets as well.
These underground markets have clearly been around for some time, as evidenced by the evolution of specific terminology used in conversations that take place among criminals trying to transact. There are even well defined conventions and protocols by which the transactions take place. Some parties in these underground channels have developed sterling reputations and you can be assured that you will be treated fairly when dealing with them – quite ironic since these are all criminals transacting with each other.
Check back on Monday for Part II, discussing the evolving threat of phishing and what to look for in the future.