
What is Phishing and What can I do about it?

Phishing dates back to the mid-1990s, coinciding with the rapid growth of the internet. Some of the earliest known phishing attacks targeted users of America Online (AOL). Attackers sent instant messages and emails impersonating AOL staff, asking users to verify their accounts or confirm billing information. Dressed in AOL’s branding, these messages duped users into handing over sensitive data.

This early method of mass phishing involved sending malicious messages to a wide audience in the hope that some percentage would take the bait. The stolen information was then used for various fraudulent activities, forcing AOL to update its security policies and raise user awareness about phishing.

As technology evolved in the early 2000s, so did phishing techniques, adapting to the rise of e-commerce and online transactions. Attackers started creating fake websites resembling popular businesses such as eBay and PayPal to deceive users. This era also saw the emergence of mass phishing campaigns that impersonated banking and e-commerce sites to harvest credentials and distribute malware.

Types of Phishing

  1. Email Phishing: The most common type, where attackers send emails pretending to be from trusted sources.
  2. Smishing: Utilizes SMS or other text messaging services to trick recipients.
  3. Vishing: Involves voice calls, where attackers impersonate legitimate entities to extract personal information.
  4. Spear Phishing: Targets specific individuals or groups, such as a company’s accounting team, using details gathered about them to make the message convincing.
  5. Whaling: A form of spear phishing aimed at high-ranking executives.
  6. Angler Phishing: A newer tactic where attackers impersonate customer service on social media to exploit public complaints against businesses.

How Cybercriminals Execute Phishing Attacks

Research: Gathering Information about the Target

  1. Identifying the Target: Cybercriminals begin by choosing their targets based on their value, such as individuals with access to financial data or systems.
  2. Collecting Data: They use various methods to gather information about the target. This might include:
    • Social Media Scanning: Looking at profiles on LinkedIn, Facebook, or Twitter to understand the target’s interests, job role, and personal connections.
    • Website Analysis: Studying the company’s website for employee names, roles, email formats, and company activities.
    • Public Record Search: Accessing publicly available records or databases to find additional personal information.
  3. Creating a Profile: From this collected data, attackers build a detailed profile of the target, including their communication style, interests, and daily routines.

Crafting the Message: Designing the Phishing Communication

  1. Selecting a Pretext: Based on the research, attackers choose an appropriate pretext or story for the phishing attempt. This could involve posing as a colleague, a bank, a well-known company, or a tech support entity.
  2. Designing the Message: They create an email, text message, or social media message that closely mimics the style and branding of a legitimate source. This includes:
    • Using Authentic Logos and Branding: Matching the visual style of the legitimate entity.
    • Crafting Convincing Content: Writing content that matches the tone and language of the impersonated party and includes a compelling call to action.
    • Embedding Links or Attachments: Including malicious links or attachments that seem relevant to the pretext.

Delivery: Sending the Message

  1. Choosing the Medium: Depending on the target’s preferences and habits, the phishing attempt could be delivered via email (email phishing), text message (smishing), social media platforms, or even voice calls (vishing).
  2. Timing the Delivery: The message is sent at a time when the target is most likely to read and act on it, such as during business hours for a work-related pretext.

Exploitation: Manipulating the Recipient

  1. Awaiting Action: Once the message is delivered, the attacker waits for the target to take the bait.
  2. Interaction: If the target engages, the attacker might need to interact further, reinforcing the pretext and guiding the target’s actions.
  3. Gaining Access or Information: The exploitation phase is successful if the target:
    • Clicks on a Malicious Link: Leading to a fake login page where credentials are entered and captured.
    • Opens an Attachment: Which could install malware on their device.
    • Provides Sensitive Information: Such as passwords, financial details, or other confidential data.
  4. Data Extraction: The attacker uses the obtained information to access systems, steal data, or commit financial fraud.

Summary of Phishing Execution

In summary, the execution of a phishing attack is a meticulous process that involves in-depth research, careful crafting of deceptive messages, strategic delivery, and exploitation of the recipient’s trust. Each step is designed to build upon the other, creating a convincing and effective trap for the target. Understanding this process in detail is key to developing robust defenses against phishing attacks.

Scenario: Phishing Attack on a Financial Manager

Target: Emily, a financial manager at a medium-sized corporation.

Research: Gathering Information

  1. Identifying the Target: The attacker chooses Emily due to her access to the company’s financial systems and accounts.
  2. Collecting Data:
    • Social Media Scanning: They examine Emily’s LinkedIn and Facebook profiles, learning about her job role, professional connections, and personal interests, like her involvement in local charities.
    • Website Analysis: The attacker studies the corporation’s website to understand its business model, financial dealings, and employee email format.
    • Public Record Search: Additional information such as Emily’s address and previous employment history is gathered.
  3. Creating a Profile: A comprehensive profile of Emily is created, including her work habits, communication style, and potential vulnerabilities.

Crafting the Message

  1. Selecting a Pretext: The attacker decides to pose as a well-known financial software provider used by Emily’s corporation.
  2. Designing the Message:
    • Authentic Logos and Branding: The email crafted includes the software provider’s logo and mimics its official email template.
    • Content: The email states that there’s an urgent need to update the financial software due to a security patch, with a link to initiate the update.

Delivery: Sending the Phishing Email

  1. Choosing the Medium: Email is chosen as it is a standard communication method in Emily’s work.
  2. Timing: The email is sent during business hours to increase the likelihood of a prompt response.

Exploitation: Gaining Access

  1. Awaiting Action: The attacker waits for Emily to engage with the email.
  2. Interaction: Emily, believing the email to be legitimate, clicks on the link.
  3. Gaining Access:
    • Malicious Link: The link directs Emily to a counterfeit webpage mimicking the software provider’s login page.
    • Data Capture: Emily enters her login credentials, which are immediately captured by the attacker.
  4. Data Extraction: With Emily’s credentials, the attacker gains unauthorised access to the financial software, potentially leading to data theft or financial fraud.

Conclusion

In this example, the attacker successfully executes a phishing attack by methodically researching the target, crafting a convincing message, strategically delivering it, and exploiting the target’s trust and response. The attack’s success hinges on the attacker’s ability to create a believable pretext and to exploit Emily’s sense of urgency and responsibility towards maintaining software security. This scenario underscores the importance of vigilance and awareness in recognising and preventing phishing attempts.

Protecting Against Phishing

  • Awareness Training: Regularly educating staff and stakeholders about phishing and its various forms.
  • Verification Processes: Encouraging double-checking of unusual requests through an independent channel, such as calling the sender on a number already on file rather than one given in the message.
  • Technological Measures: Implementing email filtering and sender authentication (SPF, DKIM and DMARC), anti-malware, and multi-factor authentication, and keeping systems patched against known threats. Prefer phishing-resistant MFA such as FIDO2 security keys where possible: a counterfeit login page can relay a one-time code just as easily as a password.
  • Incident Response: Having a plan in place for responding to suspected phishing attempts.
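Several of the signals from the scenario above (vendor branding on an untrusted sender, a lookalike domain, a link whose visible text hides its real target) can be checked mechanically at the mail gateway or by an analyst triaging a reported message. The script below is an added example written for this page, not code from the article or from any vendor; the two messages, the vendor name "FinSoft", every domain and the Authentication-Results values are constructed for illustration.

```python
# Added example (not from the original article): triage a suspected phishing
# email by its headers and links. All names and domains below are constructed.
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed allowlist: the organisation's own domain and its genuine software vendor.
TRUSTED_DOMAINS = {"corp.example", "finsoft.example"}

# Constructed phishing sample: brand in the display name, lookalike sender domain,
# different Reply-To, failed authentication, link text that hides the real target.
PHISH_EMAIL = """\
From: "FinSoft Support" <support@finsoft-update.example>
Reply-To: billing@mail-finsoft.example
To: emily@corp.example
Subject: URGENT: security patch required for FinSoft
Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=finsoft-update.example; dkim=none; dmarc=fail header.from=finsoft-update.example
Content-Type: text/html; charset="utf-8"

<p>Your FinSoft installation needs an urgent security patch.</p>
<p><a href="http://finsoft.example.login-portal.example/update">https://finsoft.example/update</a></p>
"""

# Constructed legitimate sample from the real vendor domain, for comparison.
LEGIT_EMAIL = """\
From: "FinSoft Support" <support@finsoft.example>
To: emily@corp.example
Subject: FinSoft 4.2 release notes
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=finsoft.example; dkim=pass header.d=finsoft.example; dmarc=pass header.from=finsoft.example
Content-Type: text/html; charset="utf-8"

<p>Release notes: <a href="https://finsoft.example/releases/4.2">https://finsoft.example/releases/4.2</a></p>
"""

def registered_domain(host):
    """Last two labels of a hostname. Naive: ignores public suffixes such as co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def base_label(domain):
    return registered_domain(domain).split(".")[0]

def edit_distance(a, b):
    """Levenshtein distance, to catch typo-squats such as finsof7."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, trusted):
    """Trusted domain that `domain` imitates, or None: its base label contains a
    trusted label (finsoft-update) or is within two edits of it (finsof7).
    Very short trusted labels make the containment rule noisy; tune for real use."""
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if base_label(t) in base_label(domain) or edit_distance(base_label(domain), base_label(t)) <= 2:
            return t
    return None

def body_text(msg):
    """Concatenated text/plain and text/html parts, whether or not the message is multipart."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts if p.get_content_type() in ("text/plain", "text/html"))

def triage(raw_message, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings; an empty list means no check fired."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in trusted:
        if any(base_label(t) in display_name.lower() for t in trusted):
            findings.append(f"display name '{display_name}' uses a trusted brand; sender is {from_domain}")
        hit = lookalike(from_domain, trusted)
        if hit:
            findings.append(f"sender domain {from_domain} looks like {hit}")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Only trust this header when your own gateway stamped it; a sender can forge one upstream.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1).lower() != "pass":
            findings.append(f"{mech}={m.group(1).lower() if m else 'missing'}")
    # A regex is enough for the tidy sample; use an HTML parser on real mail.
    for href, text in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body_text(msg), re.I | re.S):
        href_host = (urlparse(href).hostname or "").lower()
        text_host = (urlparse(text.strip()).hostname or "").lower()
        if text_host and registered_domain(text_host) != registered_domain(href_host):
            findings.append(f"link shows {text_host} but goes to {href_host}")
        if registered_domain(href_host) not in trusted:
            for t in trusted:  # trusted name buried as a subdomain of an untrusted host
                if ("." + t + ".") in ("." + href_host):
                    findings.append(f"{t} appears as a subdomain of untrusted host {href_host}")
    return findings

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, triage(sample))
```

Against the constructed phishing message `triage` returns eight findings (brand in display name, lookalike sender, Reply-To mismatch, spf/dkim/dmarc not passing, link text and target disagreeing, and the vendor's name buried as a subdomain of an unrelated host) and none for the legitimate one. The registered-domain logic deliberately stops at two labels, so a production version should use a public-suffix list, and the Authentication-Results check is only meaningful for the header your own gateway wrote.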

Staying Informed

  • Google’s Phishing Quiz: An interactive tool to test your ability to identify phishing attempts.
  • Phishing.org: Provides updates on the latest phishing trends and resources.
  • Anti-Phishing Working Group (APWG): Offers detailed reports on phishing activities and trends.

Phishing tactics have grown increasingly sophisticated, and while no perfect solution exists to prevent all attacks, awareness, education, and the right technological tools can significantly reduce their success rate. As a cybersecurity professional, sharing knowledge and fostering a culture of vigilance is a key responsibility in the fight against these evolving threats.
