Phishing: Past - Present - Future

As you all know by now, when I talk about phishing, I’m not referring to sitting by the lakeside, enjoying the sun with your favorite pole in hand.  However, your attackers could be fishing while they’re phishing you, laughing at the irony of it.  The truth is that phishing is not difficult and yet remains extremely effective.  The financial industry still bears the majority of phishing attacks in the United States, accounting for 59% of phishing attempts according to the 2018 NTT Security Global Threat Intelligence Report.  That number remains so high because phishing is just as effective today as it was at its inception in the early 1990s.  The type of phishing, how bad actors target their victims, and who is targeted have changed over the years, but the basic concepts and methods are still in use.  Today, I want to walk through the evolution of phishing and where I think it is heading.

In the beginning, phishing primarily targeted individuals and took advantage of the market share leaders.  In the late 90s, a large number of the earliest recorded phishing attacks were directed at America Online (AOL), then the primary provider of internet access, with millions of people logging into the service each day.  These attacks sent an AOL instant message or email posing as an AOL employee who needed to verify billing information, or else the user’s account would be terminated.  As most people had never heard of fraud of this nature, the vast majority handed over their information.

Moving into the early 2000s, phishing started to target online payment services.  In late 2003, dozens of domains were registered to look like legitimate payment sites such as eBay and PayPal.  Through this era, the primary target still appeared to be individuals.  It was a sheer numbers game: send out enough phishing emails and some eventually paid off.  With the emergence of the dark web, reachable through open-source tools such as Tor from 2004, the market for individuals’ information was wide open.  This led to a shift in targets.  Why go after one individual’s information when I can get hundreds of records by targeting a company that stores them?  That trend runs all the way through some of the most publicized breaches, including Target in 2013.

The trend of spear phishing specific businesses continued, with high effectiveness, into the rise of ransomware.  According to Gartner analysts, there were between two and three million successful ransomware attacks in 2016, with some estimating attacker revenue at over one billion dollars.  I do not see ransomware going anywhere in the near future, but I do believe that business account credential phishing will dominate attacks in the next two years.

In 2017 there appeared to be a shift in credential phishing, with business-related platforms becoming the main focus.  This is because business accounts provide the most actionable goods.  With a compromised account an attacker can conduct internal BEC (Business Email Compromise) attacks, man-in-the-middle attacks, data theft or ransom, espionage, or password reuse attacks, or simply use your account as a trusted sender for further phishing, since mail sent from a real colleague’s mailbox passes the sender authentication and reputation checks that stop outside senders.  These phishing emails appear to target businesses through popular cloud storage and commonly used products such as Adobe and Office 365.  They tend to follow the same predictable pretenses, such as shared documents, account suspension, account verification, and suspicious activity, and yet are still very successful.
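The lookalike domains behind these lures, from the registered eBay and PayPal copies of 2003 to today’s fake Office 365 and Adobe sign-in pages, are the same trick, and the check for them is mechanical.  The following is an added example, not code from the original post: a small Python classifier that folds a hostname to a “skeleton” (punycode decoded, confusable characters such as 1/l and Cyrillic а/a replaced), then compares its registrable domain against an allow-list of brands.  The brand list, the confusable table, and the sample hostnames are all constructed for illustration, and the registrable-domain helper is a deliberate simplification noted in the code.

```python
"""Lookalike-domain classifier for sender and link hostnames.

Added example, not code from the original post. KNOWN_BRANDS,
CONFUSABLES and the sample hostnames are constructed for illustration.
"""
from __future__ import annotations

import unicodedata

# Brands this (hypothetical) institution actually receives mail and links from.
# Every real domain a brand sends from must be listed, or it will be flagged.
KNOWN_BRANDS = {
    "paypal.com", "ebay.com", "adobe.com",
    "microsoft.com", "microsoftonline.com", "office.com",
}

# Constructed table of visually confusable substitutions. Multi-character
# entries are applied first (see skeleton()).
CONFUSABLES = {
    "rn": "m", "vv": "w", "cl": "d",
    "0": "o", "1": "l", "|": "l", "3": "e", "5": "s", "$": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs are visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode


def skeleton(label: str) -> str:
    """Fold a label to a comparable skeleton: NFKC, lowercase, confusables replaced."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(src, CONFUSABLES[src])
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; labels are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Registrable domain taken as the last two labels. Simplification for the
    example: wrong for multi-part suffixes such as co.uk, so use a public
    suffix list library in real code."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, brands: set[str] = KNOWN_BRANDS) -> tuple[str, str | None]:
    """Return (verdict, matched_brand) where verdict is one of:
      legit          registrable domain is a known brand (any subdomain)
      lookalike      second-level label matches or nearly matches a brand
                     after homoglyph folding (paypa1.com, paypal.co, xn--...)
      brand-in-host  a brand name embedded in an unrelated domain
                     (paypal.com.verify-account.example)
      unknown        no relation to the brand list
    """
    host = decode_idna(host.lower().rstrip("."))
    reg = registrable(host)
    if reg in brands:
        return "legit", reg

    sld = skeleton(reg.split(".")[0])
    for brand in sorted(brands):
        brand_sld = brand.split(".")[0]
        # Short brand names get a tighter threshold to limit false positives.
        max_dist = 1 if len(brand_sld) < 6 else 2
        if sld == brand_sld or levenshtein(sld, brand_sld) <= max_dist:
            return "lookalike", brand

    folded_host = skeleton(host)
    for brand in sorted(brands):
        if brand.split(".")[0] in folded_host:
            return "brand-in-host", brand
    return "unknown", None


if __name__ == "__main__":
    samples = [  # constructed hostnames
        "www.paypal.com",
        "paypa1.com",
        "paypal.co",
        "\u0440aypal.com".encode("idna").decode("ascii"),  # punycode of Cyrillic-p "aypal"
        "paypal.com.verify-account.example",
        "login.microsoftonline.com",
    ]
    for h in samples:
        print(f"{h:40} {classify(h)}")
```

Run it against the From: domain and every link host in a message before the user sees it.  The legit verdict depends entirely on the allow-list: a real brand login domain that is missing from it (login.microsoftonline.com, for example) would be reported as brand-in-host, which is the safer failure mode for a mail gateway but a source of noise you have to tune out.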

As our technology and training have improved, so have phishing techniques.  An emerging trend in credential phishing is DocuPhishing.  Because users have been warned time after time about links, the email carries no link at all; instead, the phishing link or credential prompt is moved inside an attachment, typically a PDF or Office document.  The attachment itself is seemingly harmless: it contains no malware, so it can be scanned without triggering AV, and a URL filter that only inspects the message body sees nothing to block.  Where attachments are allowed through, the technique is largely successful.  DocuPhishing is just one new example of the ever-changing but still effective world of phishing. 
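To see what a filter has to do to catch this pattern, here is an added example in Python (not code from the original post).  It constructs a sample .eml whose body contains no link and whose only attachment is a one-page PDF carrying a clickable link annotation, then scans the message: links in the text parts, links inside each attachment (including PDF /URI actions), and a flag when the attachments carry URLs that the body does not.  The message, the PDF, and the URL are all constructed for illustration; the PDF handling is the minimum needed to show the idea and would not cope with compressed object streams or Office formats.

```python
"""Find phishing links that were moved from the email body into an attachment.

Added example, not code from the original post. The sample message, the
PDF inside it and the URLs are constructed for illustration.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(rb"https?://[^\s<>()\"']+", re.IGNORECASE)
# Link annotations in an uncompressed PDF carry their target as /URI (...).
PDF_URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def build_sample_pdf(url: str) -> bytes:
    """One-page PDF whose only content is a clickable link annotation.
    Constructed for the example: it holds no script or macro, which is why
    such a file scans clean with AV while still sending the victim to the
    credential page."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>",
        b"<< /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
        b"/A << /S /URI /URI (" + url.encode() + b") >> >>",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def build_sample_message(body: str, pdf: bytes | None = None) -> bytes:
    """Constructed 'shared document' lure; sender and recipient are made up."""
    msg = EmailMessage()
    msg["From"] = "Secure Document Share <share@docs-portal.example>"
    msg["To"] = "payments@bank.example"
    msg["Subject"] = "Wire instructions have been shared with you"
    msg.set_content(body)
    if pdf is not None:
        msg.add_attachment(pdf, maintype="application", subtype="pdf",
                           filename="Shared_Document.pdf")
    return msg.as_bytes()


def urls_in_attachment(part) -> list[str]:
    """URLs embedded in one attachment: generic http(s) strings plus PDF /URI targets."""
    payload = part.get_payload(decode=True) or b""
    found = {m.group(0) for m in URL_RE.finditer(payload)}
    if part.get_content_type() == "application/pdf":
        found.update(m.group(1) for m in PDF_URI_RE.finditer(payload))
    return sorted(u.decode("latin-1") for u in found)


def scan_message(raw: bytes) -> dict:
    """Return body links, per-attachment links and a DocuPhishing suspicion flag."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_urls: set[bytes] = set()
    attachment_urls: dict[str, list[str]] = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            urls = urls_in_attachment(part)
            if urls:
                attachment_urls[part.get_filename() or "<unnamed>"] = urls
        elif part.get_content_type() in ("text/plain", "text/html"):
            body_urls.update(URL_RE.findall(part.get_payload(decode=True) or b""))
    return {
        "body_urls": sorted(u.decode("latin-1") for u in body_urls),
        "attachment_urls": attachment_urls,
        # The pattern described in the text: nothing clickable in the body,
        # but the attachment carries the link.
        "docuphish_suspect": not body_urls and bool(attachment_urls),
    }


if __name__ == "__main__":
    lure = "A document has been shared with you.\nOpen the attached PDF to review and sign."
    pdf = build_sample_pdf("https://paypa1.com/secure/login")  # constructed lookalike URL
    print(scan_message(build_sample_message(lure, pdf)))
    # A conventional link-in-body phish, for comparison.
    print(scan_message(build_sample_message("Review here: https://paypa1.com/secure/login")))
```

The flag alone is not a verdict; the point is to feed the attachment URLs into the same reputation and lookalike checks the gateway already applies to body links, so that moving the link into a document buys the attacker nothing.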

It is also important to note that many spear phishing attacks are very realistic and target a specific company.  Gone are the days of poor English and blanket phishing attacks.  In some instances, attackers use legitimate commercial services such as LeadIQ and Joe’s Data to collect targeting data, and may already know your major vendors and products before crafting their targeted email.  With this evolving landscape, you must stay diligent in your training efforts and continue to give employees new scenarios and targeted internal phishing emails, so that frontline employees can help protect your financial institution.