The history (and future risks) of phishing attacks

The history (and future perils) of phishing

Cyberattacks are on the rise, and healthcare organizations continue to face constant attacks. Today, 92 percent of all malware is delivered via email, and spam represents half of all email, according to Avanan, an email security vendor. Malicious phishing attacks have increased 250 percent this year. These email-based attacks are getting more sophisticated and pervasive, leading to a rising focus on training and preventive measures. Creating an effective defense requires understanding how phishing has evolved over time and how hackers are crafting the attacks of the future.

Avanan's information on phishing can be found here.

Email’s beginnings

Message exchange via computer had its start in 1065, when MIT’s Compatible Time-Sharing System stored shared files and messages on a central disk, and users were able to log in from remote terminals to access them. In 1971, ARPANET enabled users to send messages between different computers. A computer scientist, Ray Tomlinson, is credited with introducing the “@” symbol as a way to target messages to specific recipients. And in 1977, DARPA finalized the first email standard with ARPANET, including fields for “To” and “From” and the ability to forward messages.

Spam—too much of a good thing

It wasn’t long after that—1978, in fact—that the first mass emailing occurred. An email was sent to 397 ARPANET users. This was so unpopular that no one attempted to send a mass email message for another decade. Those were the good old days…

Email became recognized as a security threat in 1988, when “spamming” was a prank started of multi-user dungeon games. Players would flood their rivals’ accounts with junk email, crashing their systems and preventing them from playing. Thank goodness we have more powerful computers now that can handle vast quantities of email.

It gets a name

In 1993, junk email was first referred to as spam, gaining the moniker from a skit of the same name by Monty Python, a British comedy group. To celebrate, two immigration lawyers sent a mass message advertising their services in 1994, acknowledged as the second such attempt at mass marketing spam.

From annoyance to a big headache

In the 1990s, spam began to loom as a security threat, in part because email was never designed to be secure. In the 1990s, for example, random credit card generators began to emerge, used to generate credit card numbers to open accounts with America Online. In addition, individual accounts were hacked to send even more phishing messages to a victim’s contacts.

In fact, the term “phishing” first emerged in January 1996 on an AOL message board.

No one loved this virus

In 2000, The ILOVEYOU Virus was distributed, eventually infecting 45 million Windows-based PCs. Unsuspecting recipients opened an attachment to an email, unleashing a worm that overwrote image files and sent itself to all of a victim’s Outlook contacts.

The next year, the Sircam virus did significant damage to victims’ PCs. It had the ability to change email subjects and file names, making it harder to stop. The virus copied itself into an existing file on the user’s computer and sent itself to the victim’s email contacts, while a second file in the PC’s recycling bin would write text until the hard drive was filled.

Efforts emerge to blunt the attacks

In 2002, the European Union and the U.S. passed laws banning direct marketing emails without the prior consent of recipients. These have been largely ineffective. In addition, anti-spam security technology solutions were introduced in 2002. Even so, the number of spam emails exceeded legitimate email for the first time in 2003.

Domain spoofing gets fancy

In 2003, as exemplified by the MiMail Computer Worm, hackers began to use domain spoofing to make it look like an email was coming from a trusted company or business partner. Clicking a link in an email triggered a popup window, and when recipients attempted to log in, their user name and password were sent to the hackers. In 2004, deceptive fund-raising emails were sent to supporters of John Kerry; their donations went instead to scammers who didn’t have any connection to the campaign. By 2005, anti-spam programs started verifying senders to prevent domain spoofing.

Cloud impacts interactions with email

Since 2006, technology has changed how we interact with email—in addition to hosting email services, the cloud offers the ability to introduce security to that cloud.

However, the risk of phishing attacks still looms large. For example, in 2009, attackers mount Operation Phish Phry to steal $1.5 million using phished log-in credentials and account details. The attack targeted thousands of account holders of banks in the U.S.

Big-time results from phishing

The effects of phishing gained national prominence beginning in 2013. That’s when hackers gained access to the payment data of 110 million shoppers of Target. The hackers aimed their attack at employees of Target’s HVAC vendor. That gambit allowed entry into Target’s information systems.

Even more famously, Russian hackers sent phishing emails to the staff of the Clinton campaign over two weeks. A single employee was fooled into giving login credentials, which enabled them to eventually access the entire network of the DNC, steal crucial emails that were later leaked, and probably influenced the outcome of the 2016 election.

Rising risks for business operations

As the Internet becomes pervasive in enabling organizations to function better, phishing risks are rising. “Information technology and business are becoming inextricably interwoven,” notes Bill gates. “I don’t think anybody can talk meaningfully about one without talking about the other.”

The use of the cloud poses significant risks. For example, Office365 had nearly 150 million users in 2018, while Google and its G-suite boasts of more than 1.5 billion users. Not surprisingly, threats to cloud security in Office365 has increased 63 percent from 2017.

Massive security risks

This year, nearly 4.7 billion phishing emails are sent every day, Avanan’s report says. In 2018 the FBI received nearly 50,000 reports of phishing and compromised email, costing a total of $1.8 billion.