The slow but steady evolution of phishing attacks

Alexandre Esser


From the early days of phishing to the present, almost 30 years have passed, with a constant evolution of the techniques used by cybercriminals.

These fraudsters have been active for much longer than the first phishing emails: from the telegraph in the 19th century, through the telephone and the Minitel, to the Internet today, every new communication medium has in turn been exploited for fraud.

Phishing is primarily an attack vector. Just as an employee deciding to sabotage a system is an internal threat, phishing is an external threat that uses email (or, as we will see, any other messaging channel) as its entry point. A large share of today's cyberattacks (botnets, ransomware, other malware) rely on social engineering and phishing to gain their initial foothold.

The Origins of Phishing

It is common to trace the emergence of phishing back to the 1990s, specifically in 1995, when a 17-year-old developed AOHell, a program that could steal passwords from AOL users.

It was also during this time that the portmanteau "phishing" was born, merging "phreaker" (telephone hacker) with "fishing." In French, this term became "hameçonnage" in 2004, although the Anglicism "phishing" is still widely used today.

AOHell

In 1994, like many others, AOL did not warn its users about the dangers of phishing.

AOHell's attack method was simple and effective:

  1. Obtain an anonymous AOL account by creating it with a fake bank account or use an account stolen in a previous attack.
  2. Create a pseudonym on the new account.
  3. Write the "phish" message explaining to users the need to verify their passwords or billing information. For example: "Hello, I am a chat room moderator. Due to a problem with our records, we need you to respond to this message with your AOL password to avoid being disconnected."
  4. Locate a chat room for new AOL internet users and open the list of participants online.
  5. Send a private message containing the phish to each user.

To understand this, one must consider the context of that time: the AOL application allowed connection to chat rooms, some of which were dedicated to newcomers on AOL.

By newcomers, we mean internet novices. It's highly likely these individuals were experiencing the internet for the first time in their lives. Their lack of experience with the internet's dangers made them very vulnerable targets for attackers.

It wasn't until 1995 that AOL took the necessary measures to protect its users, and 1997 before the first public messages on AOL media were broadcast using the now-familiar term "phishing."

Phishing in the 2000s

Fast forward to the early 2000s, AOL is losing the race, Yahoo and MSN are gaining momentum, and Google is beginning to take market share from Lycos and Altavista. Phishing is now a term known to some regular internet users, while just over 10% of the French population has home internet access.

In these years, phishing was not yet the greatest concern in terms of cyberattacks. People were more afraid of the Y2K bug, the ILOVEYOU virus, or the frequent Denial of Service (DoS) attacks that affected internet giants like Yahoo, CNN, eBay, and Amazon.

Yet the dawn of the new millennium saw the spread of open-source mass-mailing tools, which made it possible to send phishing emails in bulk.

Email quickly became commonplace, rapidly replacing AOL chat rooms and newsgroups; its use grew by about 50% a year between 2000 and 2005. Crucially, the protocol itself offers no sender authentication: the From header can be set to anything, so the recipient has no way of knowing who is really behind a message (SPF, DKIM and DMARC only came later). Email had thus become the perfect medium for mass phishing.

The Case of E-gold

One of the first companies to pay a heavy price for a phishing attack was E-gold. This startup, founded in the dot-com bubble of the 2000s, allowed people to buy a global alternative currency convertible into gold and use this currency on third-party sites.


In 2001, E-gold was handling $2 billion in transactions annually and saw its user base growing rapidly. 📈

The attack targeted E-gold users, and look-alike domains were the new trend. Users were fooled into believing that e-goId.com was the same site as e-gold.com: a capital "I" had replaced the lowercase "l" in "gold". In most sans-serif fonts the two glyphs are practically identical, so this domain, which had nothing to do with the E-gold company, was very hard for a human to tell apart from the real one.

e-gold message

In the same way as for the fake website, the attackers sent emails whose From address was support@e-goId.com, making the attack even more believable.

E-gold lost millions in this debacle and couldn't stem the tide of fake e-gold accounts, allowing hackers to hide their loot in virtual currency. These incidents eventually led to E-gold's downfall a few years later.

The Evolution of Phishing 2003-2010

As internet users became increasingly aware of the dangers associated with phishing and more informed about the signs to watch for to protect themselves, cybercriminals, on the other hand, developed increasingly sophisticated techniques. These techniques notably include URL obfuscation to create emails and websites that appear legitimate and exploiting browser vulnerabilities to allow the downloading and execution of malicious code from a hostile site.

Let's take another leap back to 2003, in the midst of the "browser war," when Google Chrome and Firefox did not yet exist, and Internet Explorer had just stolen almost the entire market share from its competitor, Netscape.

Microsoft's browser was then the worst enemy of web developers but also... of IT security managers who knew full well that this browser was very vulnerable, much to the delight of cybercriminals.

Among the most used techniques of that period, some are still relevant today, although increasingly difficult to implement.

URL Obfuscation

URL obfuscation misleads victims by making them believe that the link or website displayed in their browser is that of a trusted site. Although this attack is simple to implement, it is terribly effective.

The underlying techniques include HTML redirects, images in emails that link somewhere other than where they appear to, URL-encoded or otherwise encoded characters that hide the real host (including the "user@host" trick, where a browser ignores everything before the "@"), and the registration of very similar domain names, as seen above with the e-gold case.
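The checks below, as an added example that is not part of the original article, flag the obfuscation tricks just listed on a single link: encoded characters, the "user@host" trick, numeric hosts, a brand name buried in a subdomain of an unrelated domain, and anchor text that shows one domain while the href goes to another. The TRUSTED set and the sample links are assumptions made for the demonstration.

```python
"""Flag classic URL-obfuscation tricks in a link (added example, not from the original article)."""
import html
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumption: the registrable domains we consider legitimate for the brands used in the examples.
TRUSTED = {"e-gold.com", "paypal.com", "amazon.com"}


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels): enough for .com-style hosts, wrong for co.uk and friends."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse_link(href: str, visible_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    findings = []
    # 1. Undo HTML entities and percent-encoding used to hide the real target from a reader
    raw = unquote(html.unescape(href.strip()))
    if raw != href.strip():
        findings.append("encoded characters hide part of the URL")
    parts = urlsplit(raw)
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    # 2. Userinfo trick: http://www.paypal.com@evil.example/ actually connects to evil.example
    if "@" in parts.netloc:
        findings.append("userinfo before '@' hides the real host")
    host = (parts.hostname or "").lower()
    # 3. Numeric hosts (dotted quad, or a single decimal/hex number) in a "bank" link
    try:
        ipaddress.ip_address(host)
        findings.append("IP address instead of a domain name")
    except ValueError:
        if re.fullmatch(r"0x[0-9a-f]+|\d+", host):
            findings.append("numeric host written in decimal or hex")
    # 4. Brand name present in the host while the registrable domain is not the brand's
    reg = registrable(host)
    if reg not in TRUSTED:
        for brand in sorted(TRUSTED):
            label = brand.split(".")[0]
            if label in host:
                findings.append(f"'{label}' in host but registrable domain is {reg}")
    # 5. Anchor text that looks like a domain/URL but differs from where the href really goes
    m = re.search(r"([a-z0-9-]+(?:\.[a-z0-9-]+)+)", visible_text.strip(), re.I)
    if m and registrable(m.group(1)) != reg:
        findings.append(f"link text shows {m.group(1)} but href goes to {host}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one honest link, then the e-gold style userinfo trick
    print(analyse_link("https://www.amazon.com/orders", "https://www.amazon.com/orders"))
    print(analyse_link("http://www.e-gold.com@e-goId.example/login", "https://www.e-gold.com/login"))
```

The two-label approximation of the registrable domain is the weak point of this kind of check; in production, use the Public Suffix List so that "bank.co.uk" is not treated as a subdomain of "co.uk".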

Internet Explorer Vulnerabilities

Internet Explorer without its security flaws is not Internet Explorer. More than 1000 flaws have been identified over the past 20 years, more than half of which are considered critical.

Figure: number of known vulnerabilities in Internet Explorer from 2004 to 2020

These flaws enabled phishing techniques such as URL obfuscation via pop-up windows (a pop-up positioned over the real address bar so that a fake one is displayed), or the abuse of the DHTMLEdit ActiveX control, loaded from a malicious website, to rewrite the content of another, legitimate browser window with the attacker's content.

Today, this type of attack has become much more difficult, if not impossible, thanks to modern web browsers that are much more secure than before.

Abuse of Internationalized Domain Names

This type of attack, also known as a homograph attack, was in vogue because it was almost undetectable by the victim: it exploits the visual similarity of characters from different scripts (Latin, Cyrillic, Greek, etc.).

This allows for the registration of domain names like "аmazon.com" instead of "amazon.com." The first "а" is actually a Cyrillic "a," the difference being invisible to a human.

ℹ️ Internationalized domain names have been supported since 2003 (IDNA and its "punycode" encoding): any label containing non-ASCII characters is stored in DNS as an ASCII label prefixed with "xn--". Modern browsers display that punycode form rather than the Unicode one whenever a label mixes scripts or otherwise fails their IDN display policy, so the Amazon example above shows up as xn--mazon-3ve.com in the address bar. This makes the homograph identifiable, provided one has the reflex to carefully check the URL the browser displays.

Figure: amazon.com with a Cyrillic "a", as displayed in punycode
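The snippet below, an added example that is not part of the original article, shows what a browser or a mail filter can do with a candidate domain: compute its punycode form, detect labels that mix Unicode scripts, and reduce it to a "skeleton" in which visually confusable characters are folded onto their Latin look-alikes, so that the Cyrillic amazon.com above and the ASCII-only e-goId.com from the E-gold case both collapse onto the brand they imitate. The confusables table is a small hand-picked subset (Unicode's confusables.txt is far larger) and the brand list is an assumption for the demonstration.

```python
"""Detect look-alike domains: IDN homographs and ASCII homoglyphs (added example, not from the article)."""
import unicodedata

# Assumption: a small confusables table (Cyrillic/Greek letters that render like Latin ones).
# Unicode's full confusables.txt is far larger; this subset is enough to demonstrate the idea.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",
}
# ASCII-only tricks, as in e-goId.com: capital I or digit 1 for l, 0 for o, rn for m, vv for w.
ASCII_TRICKS = [("I", "l"), ("1", "l"), ("0", "o"), ("rn", "m"), ("vv", "w")]


def to_punycode(domain: str) -> str:
    """The ASCII form stored in DNS and shown by a cautious browser (xn-- labels)."""
    return domain.encode("idna").decode("ascii")


def scripts(label: str) -> set[str]:
    """Unicode scripts present in a label, taken from the first word of each character's name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Reduce a domain to the Latin string a human perceives, so that look-alikes collide."""
    s = unicodedata.normalize("NFKC", domain)          # fold full-width and compatibility forms
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)   # Cyrillic/Greek -> Latin look-alike
    for trick, letter in ASCII_TRICKS:                 # applied before lowercasing: 'I' -> 'l'
        s = s.replace(trick, letter)
    return s.lower()


def check_domain(domain: str, brands: set[str]) -> dict:
    """Compare a candidate domain with the set of brands it might be impersonating."""
    mixed = [lbl for lbl in domain.split(".") if len(scripts(lbl)) > 1]
    skel = skeleton(domain)
    return {
        "punycode": to_punycode(domain),
        "mixed_script_labels": mixed,
        "skeleton": skel,
        "impersonates": skel in brands and domain.lower() not in brands,
    }


if __name__ == "__main__":
    # Constructed samples: Cyrillic-a amazon, the E-gold look-alike, and the genuine domain
    for d in ("\u0430mazon.com", "e-goId.com", "amazon.com"):
        print(d, check_domain(d, {"amazon.com", "e-gold.com"}))
```

The ASCII substitutions are deliberately aggressive ("modern" becomes "modem", "IBM" becomes "lbm"), so the skeleton match is a signal to combine with others (domain age, whether the brand is the sender's own), not a verdict on its own.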

The Democratization of Phishing Kits

Phishing kits are sets containing all the paraphernalia needed to trap a victim: fake web pages, pretext email templates, payment gateways, etc.

Figure: phishing kit containing a fake registration form for Bank of America

These kits became democratized in the first part of the 2000s as cybercriminal groups organized themselves to become more efficient.

Cybercrime began to bring in big money and was regarded by the FBI in 2004 as a full-fledged branch of organized crime. It was also from this period onwards that the general public discovered the existence of cyber-gangs such as the Russian Business Network (RBN) and, later, Evil Corp or the state-linked Fancy Bear.

The Advent of Social Networks

Finally, the 2000s marked the arrival of major social media players: MySpace, Facebook, YouTube, Twitter, etc.

This revolution in usage gave hackers a significant boost: gathering victims' personal information became a piece of cake, since personal information was now public and accessible to all. Users were barely aware of the danger and did not hesitate to share their vacation photos, reveal who they voted for, their health problems, or even their love troubles.

This information is crucial for cybercriminals who will take advantage of these new online media to improve their attack scenarios and even better manipulate their victims into divulging their confidential data.

On top of specific social network phishing, social networks have also facilitated the development of "spear phishing" attacks. This type of phishing attack is sent to a selected target (an individual or organization) with a highly personalized attack scenario and typically a larger reward.

The Evolution of Phishing from 2011-2020

Mass attacks are becoming increasingly ineffective, giving way to spear phishing attacks, or even "whaling" (whale phishing). As the name suggests, a whaling attack is nothing more or less than a spear phishing attack where the victim is a big fish — meaning a VIP target (executive, decision-maker, etc.). The potential gain in the event of a successful attack becomes very significant.

This type of attack can lead to serious consequences for the victimized companies:

  • Facebook and Google were victims of a whaling attack between 2013 and 2015, with damages estimated at around 100 million dollars. The Lithuanian cybercriminal accomplished this feat by sending each company a series of fake invoices while posing as a major supplier.
  • In 2016, a Snapchat employee disclosed all the company employees' salaries to a cybercriminal. The employee had responded to an email that appeared to come from the CEO and had responded promptly. HR and payroll teams are frequently the target of whaling attacks because they have access to sensitive data.

The Development of Anti-Phishing Solutions

Although some anti-phishing solutions were born in the early 2000s, the majority of solutions developed in the following decade. Extensive research has been conducted in the field of phishing prevention and detection. The solutions range from software detection of phishing attacks to user training, awareness, and internal communication.

Software and hardware solutions have particularly evolved over the past 10 years:

  1. Detection of fake browser extensions
  2. Improved authentication methods thanks to MFA (Multi-Factor Authentication)
  3. Active email filtering by certain providers
  4. Real-time monitoring and detection of hostile websites by some browsers
  5. Blocking of plug-in content such as Java applets and Flash by default
  6. Adoption of new development methods (Privacy/Security by Design)
  7. etc.

Current anti-phishing solutions provide an additional layer of defense against phishing attacks. However, such devices are often expensive and sometimes ineffective depending on the diversity of phishing attacks.

In some respects, the main phishing methods have remained the same. The goal is always the same: to intrude through malware or to access a user's credentials. Even today, this is most often accomplished through corrupted links or malicious attachments.

What has primarily changed is the presentation. While there are still emails with obviously fake email addresses and riddled with spelling mistakes, a significant number of phishing emails have become difficult to spot.

For example, cybercriminals have more recently launched "conversation hijacking" attacks: using a previously compromised mailbox, they reply to an existing discussion thread (sometimes unearthing an old one) with malicious links or attachments. Because the message comes from a genuine account and a genuine thread, the sender address is correct, SPF and DKIM pass, and recipients are easily caught off guard.

Some lead to websites whose login flow is identical to that of the site they imitate, as in our article on bypassing multi-factor authentication: a reverse proxy relays the victim's credentials and one-time code to the real site in real time, so that only phishing-resistant, origin-bound factors (FIDO2/WebAuthn security keys) still hold.

We then understand that even with a keen eye, it is very difficult to spot sophisticated attacks, and real-life training and employee training against phishing become key to detecting the most refined attacks.

Phishing and Smartphones

In the span of a year, mobile phishing has increased by nearly 40%*. According to the same report, this represents a potential exposure of 35 million dollars for a company with 10,000 mobile phones.

Cybercriminals are now using instant messaging applications like WhatsApp, Messenger, Instagram, or even SMS as phishing methods. These attacks are still too often downplayed or overlooked by cybersecurity professionals, yet they can endanger their organizations just as much as email attacks.

Among these attacks, the main risks are related to:

  • Mobile applications: app store review is a limited security control, installation friction is almost non-existent, and many users pay no attention to the permissions they grant these applications.
  • Thefts: unlike computers where security policies require disk encryption or strong authentication, phones are sometimes poorly secured with only the owner's birth date as the unlock code. The data contained in your employees' phones certainly have more value than the phone itself.
  • SMiShing: SMS attacks are becoming increasingly popular because users receive few of them and expect them even less, and because carriers filter them far less than email providers filter email; when well executed, they often have a higher success rate.

This list is not exhaustive but helps to realize the diversity of attack vectors presented by your employees' mobile phones.

Figure: smishing impersonating Revolut, using an uppercase "I" instead of the lowercase "l"

For context, between 2011 and 2014, three Romanian citizens undertook successive smishing and vishing attacks on American citizens. Their total proceeds amounted to 21 million dollars, which is 7 million per year.

The geographical distance from the United States did not protect them, as they were caught by the FBI in 2017, extradited in 2018, and were sentenced to 8 years, 7 years, and 4 years in prison, respectively, after pleading guilty.

Detecting smishing is technically hard. Malicious SMS messages are much harder to detect and block automatically than phishing emails, and companies are often helpless against these attacks. MDM (Mobile Device Management) solutions can bring devices into compliance with the company's security policy, but they do not block or prevent malicious SMS messages and websites.

However, at-risk companies can defend themselves by educating their employees through simulated SMiShing campaign drills. This experience, very close to real-life conditions, allows trapped employees to become aware of the danger and adopt the right reflexes in future simulation campaigns or real attacks.

The Future of Phishing

Predicting the future of phishing is no simple task; if it were, we wouldn't need to dwell on it. Indeed, phishing, like other forms of cybercrime, is a cat-and-mouse game: the one who outsmarts the other's advancements will win.


However, we can make some predictions about the techniques that will develop in the coming years and those that will become increasingly rare. For instance, it's clear that less sophisticated mass attacks will increasingly be filtered before they reach your inbox, as is already the case for many low-technicality attacks.

Conversely, spear-phishing attacks will continue to grow, sometimes requiring significant human and technical skills to execute. Cybercriminal gangs — whether hacktivists, politically motivated, or simply driven by the lure of profit — have these resources. Like Rock Phish, Avalanche, Fancy Bear, or Emotet, they will continue to make headlines in the coming years with ever more staggering amounts of stolen money.

Vishing

"Vishing" is a contraction of voice and phishing, meaning it's phishing through telephone calls.

Similar to email phishing, it involves impersonating an individual or organization to obtain private or financial information for the purpose of defrauding the victim.

This criminal practice of social engineering has existed since the telephone but has become widespread with the advent of VoIP technologies that have automated the calling process and drastically reduced communication costs.

Here are a few classic vishing scenarios targeting both individuals and businesses:

  • Offering an exclusive refund following a double-glazing window purchase, claiming it's a tax credit.
  • Asking for confidential information while impersonating a mobile operator.
  • Acquiring banking information by pretending to be a supplier for whom a payment hasn't gone through correctly.

Unfortunately, no technical control stops a caller from asking an employee to divulge information about your company; the defence is procedural, such as calling back on a known number before disclosing anything. Sometimes the fault lies with company receptionists and secretaries who don't always follow proper identity verification procedures.

Things get complicated when voice cloning is combined with vishing, making it very dangerous for anyone targeted. We believe that this vishing/voice cloning alliance will intensify in the coming years, eventually becoming a traditional phishing method.

Voice Cloning

"Voice cloning" allows, as the name suggests, duplicating an individual's voice from recordings of their real voice, in order to make them say whatever one wishes.

Today, voice cloning is increasingly in demand in the market due to its varied applications: conversational assistants, smart speakers, film dubbing, digital characters, video games, audiobooks, GPS systems, etc.

However, the downside is that, as often with new technologies, voice cloning can be misused.

How would you react if your boss's boss called you to ask for confidential information on a contract you're working on? The only difference from reality is that the person you're talking to isn't your superior but a fraudster in action.

It's these kinds of attacks we must prepare to face in the future. The fight is already underway, as we see new solutions emerging that allow for the detection of voice cloning. But as these technologies evolve and machine learning models get better trained, it will become increasingly difficult to discern truth from falsehood.

Figure: voice cloning market forecast 2019-2026

As of now, voice cloning is not just a concept but a reality in the world of phishing. Large-scale scams have already occurred: in 2019, the CEO of a UK energy firm was tricked into transferring 220,000 euros when "criminals used an AI voice-generating software to impersonate the boss of a German parent company that owns a UK-based energy firm"**.

Raising awareness that this technology exists and how sophisticated it is constitutes the first step in defending against this new threat. While technical solutions will indeed help us defend ourselves, they will not be 100% infallible. Our ability to critically assess a situation and verify the source and truth of information will become increasingly important in the world of tomorrow.

Deepfakes

The term "deepfake" is a portmanteau of "deep learning" and "fake." It refers to audio, image and video synthesis based on deep learning, used among other things to create disinformation and malicious hoaxes.

Deepfake content is produced by training neural networks (typically autoencoders or generative adversarial networks) on large sets of images or recordings of the target, until the model can generate highly realistic forgeries of that person.

Much like voice cloning, deepfakes add a new dimension to deception: the person speaking that you see on your screen isn’t real but a clone.

Deepfakes that have been successfully used in spear-phishing attacks prove that a new concept is emerging.

Nonetheless, deepfakes raise numerous questions. Perhaps this new technique will not work as well as more traditional methods? Maybe deepfakes will be the primary cyber-threat by 2030? Currently, creating deepfakes requires considerable effort, and simpler techniques still work.

However, cyber-criminals have proven that deepfakes can work just as well as traditional methods, so we should expect to see an increasing number of such attacks in the coming years.

Conclusion

All indicators suggest that the threat of phishing as a cybersecurity attack vector is here to stay. Indeed, phishing is rapidly evolving towards higher levels of sophistication by leveraging the powerful capabilities of artificial intelligence.

The panic surrounding COVID-19, the American elections, and other significant events will only exacerbate the threat, providing an ideal environment for insidious phishing campaigns to flourish, targeting both individuals and businesses.

Preparing Well for D-Day

The best defense against phishing remains your intuition, judgment, intelligence, common sense, and caution.

Unfortunately, in a constantly changing world where everyone's attention span is decreasing and, typical of the Millennial generation, there's no longer a willingness to wait for things, it's becoming increasingly difficult to exercise caution before clicking a link.

That's why anti-phishing software is gaining importance, helping us better judge the situations we face. Nonetheless, some common-sense advice can prevent you from becoming the next victim.

Pay attention to the sender of emails you receive: Always read the actual email address of the sender, not just the display name. The devil is in the details: small spelling mistakes, homoglyphs, punctuation, a Reply-To that differs from the From address, etc., are signs that something is amiss.

Be cautious before performing an action that you're asked to do: Phishing emails generally ask you to perform certain malicious actions like clicking on a link or providing confidential information, bank account numbers, etc. These emails should alert you; when in doubt, pick up your phone and ask for confirmation through a means other than email.

Suspicious attachments: Malicious attachments are also a common phishing tactic. If you aren't expecting attachments from someone, it's better to avoid downloading anything and ask for confirmation by phone.
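The three pieces of advice above can partly be automated. The script below, an added example that is not part of the original article, triages a raw email with Python's standard library: it compares the Reply-To domain with the From domain, looks for an address hidden in the display name, reads the receiving server's SPF/DKIM/DMARC verdicts from the Authentication-Results header, and lists links whose registrable domain is not the sender's. The sample message is constructed for the demonstration; the example.com and example domains are placeholders.

```python
"""Triage the headers and links of a suspicious email (added example, not from the article)."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: a "CEO" request to payroll, with tell-tale signs in the headers and body.
SAMPLE = """\
From: "Jean Dupont (CEO)" <jean.dupont@example.com>
Reply-To: jean.dupont@examp1e-mail.com
To: payroll@example.com
Subject: Re: Urgent - salary export
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e-mail.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain

Hi, please upload the salary export here before noon:
https://example.com.secure-hr-portal.example/upload
Thanks, Jean
"""


def domain_of(addr: str) -> str:
    """Domain part of the first address found in a header value."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); fine for the .com-style domains used here."""
    return ".".join(host.lower().split(".")[-2:])


def auth_results(value: str) -> dict:
    """spf/dkim/dmarc verdicts as written by the receiving MTA in Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value or ""))


def triage(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(str(msg["From"]))
    # 1. A Reply-To on another domain silently moves the conversation to the attacker's mailbox
    reply_to = msg["Reply-To"]
    if reply_to and domain_of(str(reply_to)) != from_dom:
        findings.append(f"Reply-To domain {domain_of(str(reply_to))} differs from From domain {from_dom}")
    # 2. A display name that itself contains an address ("boss@corp <x@evil>") is a classic trick
    name, _ = parseaddr(str(msg["From"]))
    if "@" in name:
        findings.append("display name contains an email address")
    # 3. Receiver verdicts: the From domain was not authenticated by SPF/DKIM/DMARC
    verdicts = auth_results(str(msg["Authentication-Results"] or ""))
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) in ("fail", "softfail", "none"):
            findings.append(f"{mech}={verdicts[mech]}")
    # 4. Links whose registrable domain is not the sender's, even if the brand shows up as a subdomain
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = urlsplit(url).hostname or ""
        if registrable(host) != registrable(from_dom):
            findings.append(f"link to {host} is outside sender domain {from_dom}")
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE):
        print("-", line)
```

Note what this does not catch: a conversation-hijacking message sent from a genuinely compromised mailbox passes every header check here, which is why the link and attachment checks, and a phone call to the sender, remain necessary.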

Source: *Lookout 2020 Mobile Phishing Spotlight Report; **The Next Web
