In 2022, according to the analysis firms Radicati and Statista, no fewer than 3.4 billion phishing emails are sent every day. This dizzying figure prompts a number of questions. How does a phenomenon that has been so well known for decades manage to slip through protection mechanisms year after year? And what are its most recent developments? We examine a phenomenon that continues to claim victims.
But what is phishing? It is a malicious technique intended to trick a third party into performing a harmful action in order to steal personal information such as passwords, dates of birth, credit card numbers or copies of identity documents. To do this, it relies on various spoofing methods (website spoofing, domain name spoofing, identity spoofing, etc.) and various channels (email, SMS, etc.). The MITRE ATT&CK definition broadens this description to include emails containing malicious attachments or links. Today, 91% of cyberattacks still use email as the primary vector of compromise. This situation has led to awareness-raising campaigns on a national scale, such as the “Think Before You Click” campaign by Belgium’s Centre for Cybersecurity. In the face of such activity, it is worth asking where this type of attack comes from, and how it came into widespread use among cybercriminals.
The small-scale beginnings and early developments of phishing
The word “phishing” was coined in 1996 on a Usenet newsgroup called AOHell. To emphasise that this attack was based on spoofing, the author deliberately changed the spelling from “fishing” to “phishing”. The spoofing of user access to AOL accounts paved the way for what would later become a basic trend among cybercriminals: targeting the customers of a large company on a massive scale. “When phishing emerged, its primary targets were individuals, via consumer brands,” explains Adrien Gendre, Chief Tech & Product Officer at Vade. “The AOHell episode is a perfect example, as America Online was a strong brand and a major player in the ISP market at that time. This enabled millions of users to be targeted from the same scenario.”
On this basis, the “Spray and Pray” concept was born in the 2000s. It describes a phishing campaign that impersonates a world-famous brand and indiscriminately targets email addresses on a massive scale. Lottery winnings, charity campaigns, the closure of your bank account... any subject can be used to swindle victims. The first phishing campaigns were easily recognisable: they contained numerous spelling mistakes, typos and poor-quality images, and, in the absence of online translators, the meaning of the message was often mangled. At the same time, the concept of clone phishing also emerged. Its aim was simple: to usurp the identity of well-known brands used in everyday life, both personally and professionally. According to Adrien, this was a paradigm shift: “A whole economy has sprung up behind phishing. In the past, individual actors had been generating illicit income from a handful of victims. Now, what we are seeing is structured cyber-criminal organisations, using phishing for revenue generation, industrial espionage or economic warfare. This has led us to the emergence of phishing activity impersonating B2B brands.” Adopting these new practices, cybercriminals now target email, storage spaces and even shared documents on Microsoft 365 and Google Workspace. In February 2022 alone, nearly 23 million phishing emails impersonating the Microsoft brand were detected by the vendor Vade.
Cybersecurity vendors are responding to this threat with anti-phishing filters (based on the email’s envelope, subject line, content or sender IP address) and with two-factor authentication technologies. In an attempt to fly under the radar, cyber-criminals are starting to steal individuals’ identities. The purpose of this technique is to compromise an employee’s email account (BEC, or “business email compromise”) and then use that identity against employees, customers and partners, as in CEO fraud attacks. “CEO fraud is used for financial extortion,” says Adrien. “And it’s frequently conducted during holiday periods, when the manager is away. This is a highly effective fraud, because it enables extremely large amounts of money to be stolen from a company with a simple email.” This is precisely what happened to a property developer who was the victim of a record 33 million-euro CEO fraud in France in January 2022. Although the exact date remains unclear, these first targeted attacks are believed to have emerged between 2014 and 2015 in the US, and they now coexist with “simple” phishing techniques.
This type of phishing scheme was also to be emulated in the 2000s. Indeed, a mechanism similar to phishing was observed on MSN, Hotmail and ICQ online messaging systems, and later on Facebook. Known as romance scams, these spoofs are most often the work of cybercriminals working in organised teams. These cybercriminals – also known as dating scammers – charm women, usually widows, in order to extort large amounts of money. And men are not immune, either: they can be victims of sextortion and webcam attacks. This technique is heavily inspired by phishing, and plays on the Internet user’s credulity.
The increasing complexity of phishing campaigns
In response to the countermeasures deployed by cybersecurity software vendors, and to a certain maturity of the public towards the threat, phishing campaigns have become more sophisticated and now include a stronger psychological dimension. A phishing campaign is always about getting the victim to do something; a simple email is not enough. The message must be crafted to drive the victim to click, through a sense of urgency, fear, stress or even greed. “Cybercriminals will use their victims’ primary emotions to ensure maximum click-through, most often fear,” says Sébastien Viou, Director of Cybersecurity Products and Cyber Evangelist Consultant at Stormshield. “Fear of losing money, fear of having their subscriptions cancelled, fear of being made redundant; these fears are often uncontrollable, and provoke an instinctive, rapid reaction. That’s why this type of attack is so successful...”
Using phishing campaign automation tools such as Gophish or Sniperphish, cybercriminals now employ ready-to-use capture page templates and email templates. And to deceive their victims, these cybercriminals are adapting to new social trends and practices. After years of focusing on global banking services, social networks have become the lure of choice. Over the 2019-2021 period, Facebook, LinkedIn and WhatsApp became the most commonly spoofed brands in this type of campaign, alongside brands like Google and Apple. Following successive waves of Covid-19, delivery brands were targeted in turn in 2021: DHL, FedEx, Amazon and AliExpress were among the top 10 most spoofed brands.
In response to increasing vigilance from detection systems and users, cybercriminals are implementing new tactics. Typosquatting (buying a domain with a similar name) is one of the most commonly used mechanisms, as it is one of the cheapest. By hosting a phishing page on a domain that is very close to the original, the attacker ensures that victims do not realise they are visiting a phishing page. In most cases, the domain differs from the original by a single letter (for example, mcrosoft.com instead of microsoft.com). As of July 2022, more than 1,000 neighbouring domains for .fr addresses had been registered.
Displaying a false validation of the received email is another technique used to catch the victim off guard. It involves a fake banner in the email, in the form of an image stating that the sender and the attachment are legitimate and have been validated by the filtering mechanism. The bigger the banner, the better. The phishing link itself has also changed: it is now embedded in a chain of redirects, so that anti-phishing filters are unable to reach the final URL. The body of the email has likewise been redesigned and embedded in an image, to defeat text detection. Recently, a new obfuscation technique has emerged, as reported by Adrien Gendre: “In order to bypass logo spoofing detection filters, cybercriminals are now displaying logos not as a single image, but as a table consisting of a set of cells one pixel wide. The logo thus remains identical to the naked eye, but the table makes it more difficult to identify through an anti-phishing filter. This spoofing is nevertheless detectable with a visual analysis using a ‘computer vision’ algorithm.”
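As an added example (not code from the article, from Vade or from Stormshield), here is a small Python filter stub that applies two of the checks described above from the defender's side: it flags link domains within one edit of a protected brand (the mcrosoft.com case) and counts table cells declared one pixel wide to spot a sliced logo. The brand list, the threshold of 16 cells and the sample email are constructed assumptions; a real filter would use a public-suffix list and render the HTML for a visual check.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand list (assumption): registrable domains the filter protects.
PROTECTED = ["microsoft.com", "google.com", "apple.com", "linkedin.com"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with a rolling DP row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(urls, protected=PROTECTED, max_dist=1):
    """(host, brand) pairs whose registrable domain is within max_dist edits of a brand."""
    hits = []
    for u in urls:
        host = (urlparse(u).hostname or "").lower()
        dom = ".".join(host.split(".")[-2:])  # simplification: last two labels, no public-suffix list
        for brand in protected:
            if dom != brand and edit_distance(dom, brand) <= max_dist:
                hits.append((host, brand))
    return hits

class _Scanner(HTMLParser):
    """Collects link targets and counts table cells declared one pixel wide."""
    def __init__(self):
        super().__init__()
        self.urls, self.thin = [], 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.urls.append(a["href"])
        elif tag == "td" and (a.get("width") or "").strip().rstrip("px") == "1":
            self.thin += 1

def scan_email_html(html: str, thin_threshold: int = 16) -> dict:
    """Flag lookalike link domains and a logo sliced into 1px-wide cells."""
    p = _Scanner()
    p.feed(html)
    return {"lookalikes": lookalikes(p.urls), "thin_cells": p.thin,
            "sliced_logo": p.thin >= thin_threshold}

# Constructed sample: a lookalike sign-in link plus a 20-column 1px-cell "logo" table.
SAMPLE = ('<a href="https://login.mcrosoft.com/verify">Sign in</a><table><tr>'
          + "".join('<td width="1"><img src="c%d.png"></td>' % i for i in range(20)) + "</tr></table>")
```

Calling scan_email_html(SAMPLE) reports the mcrosoft.com lookalike and 20 one-pixel cells, so both heuristics fire on the constructed message.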
At the same time, database leaks containing email addresses or phone numbers (of which there are many) are a real goldmine for cybercriminals. The list of record data leaks includes Yahoo in 2013, with 3 billion pieces of customer data; Facebook in 2019, with 540 million pieces of data; and Instagram in 2020, with 200 million pieces of data. Over the period from 2004 to 2022, 353 exfiltrations and publications of databases with more than 30,000 records were recorded. Unfortunately for the victims, analysis of this wealth of data reveals reuse of the same password, usually a weak one, across social network and email accounts. Such poor digital practices facilitate account compromise and, in turn, the sharp increase in the number of phishing victims. This knowledge of the victims has led to the development of phishing campaigns that exploit the leaked data.
Phishing is being exported to new media
After decades of flooding email inboxes, phishing is now being exported to new media.
The use of “smishing” (phishing by SMS) seems to have accelerated during the lockdown period, as Adrien Gendre reports. “Due to a sharp increase in the demand for home delivery over lockdown, the number of SMS phishing attacks increased significantly.” The theme of home delivery is now the most often-observed smishing scenario.
SMS is not the only medium for these campaigns, as phishing campaigns are now being carried out on WhatsApp. They are also distributed on internal company messaging systems, such as Microsoft Teams and Slack. A variant using a robotic voice, called “vishing” (for “voice phishing”), has also emerged, but does not seem to have caught on. Sitting somewhere between scams and phishing, the proliferation of fake social network accounts and job advertisements is providing cybercriminals with a means of duping victims. The mechanism is simple: downloading a job offer containing spyware caused an employee of the Sky Mavis company to have his blockchain access stolen in July 2022, resulting in the theft of 560 million euros.
The latest innovation is the so-called “Browser-in-the-browser” phishing attack, a strategy that displays a fake browser window. Victims who click on a login button believe they are loading a new authentication window, which turns out to be an illusion. The user has not changed windows, and the cyber-criminal displays a legitimate URL to throw the victim off their guard. The victim then unwittingly enters his or her credentials on the criminals’ site. Although very complex to detect, this last innovation has limitations on mobile phones.
In response to the question, “What is the future of phishing?”, Adrien says he can discern a trend towards automation: “Phishing will be highly automated in the near future. With text augmentation technology, it is now possible to generate hundreds of emails that have a common meaning, but use completely different texts. Phishing is therefore likely to move from a mass of blanket attacks to a mass of surgical campaigns in the coming years.” This automation technique seems to be inspired by the field of... SEO, and the GPT-3 algorithm. Faced with the use of such open-source technologies, cybersecurity vendors will be forced to innovate further to meet these new challenges.