Phishing – A Brief History
Phishing is one of the most common attack vectors used by hackers and social engineers to steal from victims, usually for financial gain, but in today's world it is also used to steal identities. In my previous article, Phishing and Identity Theft, I compared phishing to the actual art of fishing. In my other article, Phishing Versus Spoofing, I gave short examples of phishing and spoofing attacks. However, I've never explained the origins of phishing and how it evolved into what it is now.
Phishing has been around since the early days of the internet, from the late 1990s, when America Online began its boom. The idea has not changed much since its inception: send out bait to fool victims into giving away their credentials. With the internet being new, many users were naive, and a well-worded fake e-mail was enough to have a user give away their password. It wasn't long before the news media caught on and warned users not to give away their credentials, no matter how official the e-mail looked. To return to my fishing analogy, it was time for the fishermen to throw away their sticks with ropes and upgrade to fishing rods with spinning reels.
Attack Methods – Websites
The brief e-mails addressed to the masses were no longer the most effective way to trick a victim into giving up their credentials. It was time for the hackers and social engineers to evolve their attack methods. To this day, these same attacks are still being used for phishing.
Fake Website
A domain name similar to a legitimate site is bought, and the site is molded to look exactly like the real thing. The phisher then sends out messages, by e-mail, instant messaging, Facebook messages, text messages, and so forth, to fool a victim into clicking a link to the fake site. The unsuspecting victim logs in and their credentials are logged.
Fake Pop-up
When people became more aware of fake website attempts, the 'Fake Website' attack evolved. A link was still sent; however, instead of linking to a fake website, it linked to the actual website. When the real website loaded, a pop-up appeared asking for the user's credentials. The victim, seeing the legitimate site in the background, would think the pop-up came from a legitimate source and enter their information. In reality, the pop-up was the hacker's tool to phish credentials.
Fake Website with Validation
Another evolution of the 'Fake Website' attack was to have the fake website verify the victim's credentials with the real site. A victim would enter their credentials, and the fake website would send them to the real website and automatically check whether the username and password were correct, saving the hacker's time through this automatic validation.
Attack Methods – Social Networks
Social networks have expanded the attack vectors for hackers and social engineers. Going back to the fisherman analogy, the fishermen have gone from fishing in lakes and ponds to oceans and rivers.
Facebook
Facebook is one of the most popular social networking sites to arise, and it has expanded what users can do on the site. Allowing applications, along with a new internal messaging system, has opened up the floodgates. A victim could be surfing on Facebook when they receive a message from someone linking to a site, usually shortened down to something simple such as 'Vote for me!' The victim clicks the link and lands on a login page that looks exactly like Facebook's login page. The victim, thinking that this is a Facebook application for voting, enters their credentials and gives away their username and password.
The Friend Search
Facebook and many other social networks offer a 'Search for your friend' option. The idea behind the system is for the social network to search your messaging contacts and check whether their e-mails are in the system. A hacker could use the 'Fake Pop-up' method and show a 'Find your friend on Facebook!' pop-up when a victim clicks a link to Facebook. The pop-up asks for the victim's primary e-mail address and password, and when the victim fills in the form, they've given away their e-mail account.
Twitter
Twitter is a recent addition to the internet world. Recently, hackers used Twitter to tweet links to a fake version of the Twitter site. They used methods to shorten the real URL. In their tweets, they would put a shortened link with a comment to get curious victims to click it. When the victim clicked the link, a fake Twitter site loaded. The victim entered their credentials and gave away their password.
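As an added, defender-side example (not code from the original post): a small Python checker that flags links in a message whose host is a lookalike of a legitimate domain, in the two shapes described above, a brand name used as a subdomain of an unrelated site and a typo-squatted registered domain. The allowlist, the confusable-character table and the sample message are constructed assumptions, and the 'last two labels' domain rule is a deliberate simplification.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of the legitimate domains a mail filter would protect (an assumption).
LEGIT_DOMAINS = {"facebook.com", "twitter.com", "aol.com"}

# Digit-for-letter substitutions often seen in typo-squatted names (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample message in the style of the 'Vote for me!' lure described above.
SAMPLE_MESSAGE = ("Vote for me! http://facebook.com.vote-for-me.example/app "
                  "(the real site is https://www.facebook.com/)")

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registered_domain(host: str) -> str:
    """Crude approximation of the registrable domain: the last two labels."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def classify_url(url: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for the host in a URL."""
    host = (urlparse(url).hostname or "").lower()
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return "legit"
    labels = re.split(r"[.-]", host)
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        # Brand name used as a subdomain or hyphenated label of an unrelated registered domain
        if brand in labels:
            return "lookalike"
        # Typo-squat: registered domain within two edits of the brand after undoing digit swaps
        if levenshtein(reg.translate(CONFUSABLES), legit) <= 2:
            return "lookalike"
    return "unrelated"

def flag_links(message: str) -> list:
    """Extract http(s) links from a message and classify each one."""
    urls = re.findall(r"https?://[^\s<>\"')]+", message)
    return [(u, classify_url(u)) for u in urls]
```

Shortened links like the Twitter lures above must be expanded to their final URL before this check says anything useful about them.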
Phishing Attack Results
Most people assume that the most damaging attacks are the ones where a victim gives away their bank account or credit card information. By all means, if a phishing attack manages to capture bank account and credit card information, it's definitely a success, but to a phisher, even small victories count.
Trusteer, a security firm, found that 73% of users on the web use their bank password for everything. The chance that a social network site's password and the victim's bank account password are the same is tremendous. Bank accounts, credit accounts, social network accounts, insurance accounts, and whatever else a phisher can access can also lead to them gathering enough information to steal a victim's identity!
Phishing attacks are constantly evolving, but the core method is still the same. I'll return to my fisherman analogy. Fishermen can use the most high-tech equipment, such as spinning reels, laser sights, motion detectors and sonar, or they can use the simplest technologies, such as rods with string, but the end goal is the same: send out bait and earn back a catch. Phishing is the exact same idea: phishers can use the most advanced attacks, such as fake websites and fake pop-ups, or the simplest method, such as e-mails, but the end goal is to send out bait and hook victims. The big difference is the catch.
To a fisher, the big catch is the fish.
To a phisher, the big catch is you.
This post is part of the series: Social Engineering Tactics
- How Hackers Use Social Engineering to Steal Your Information
- Social Engineering: Pretexting
- Phishing Attacks and Phishing Techniques