History of Phishing
Written by Carl E. Reid on February 12, 2009
Phishing is an example of the social engineering techniques used to take advantage of human ignorance. It allows unscrupulous people to exploit weaknesses in web security technologies. How did phishing come about?
The word “phishing” originally came from the analogy of early Internet criminals using email lures to “fish” for passwords and financial data from a large sea of unsuspecting Internet users. The reason for the “ph” in this spelling has largely been forgotten over time; it was most likely linked to hacker naming conventions such as “phreaks”.
The spelling can be traced back to early hackers involved in “phreaking”, the hacking of telephone systems. The term was coined during 1996 by hackers who were stealing America Online (AOL) accounts by picking off passwords from AOL users. The first mention of phishing on the Internet was made in the 2600 hacker newsgroup in January 1996; however, the term may have been used even earlier in the popular hacker magazine “2600”.
In the early days of AOL you could create a fake account as long as you had a credit card generator. AOL smartened up to this technique and now uses banks to verify every credit card submitted. By 1996, hacked accounts were called “phish”, and by 1997 phish were actively being traded between hackers as a form of currency. There are instances where phishers would routinely trade 10 working AOL phish for a piece of hacked software. This type of software was referred to as “warez”, meaning stolen copyrighted applications and games.
The earliest media reference to phishing wasn’t made until March 1997. “The scam was called ‘phishing’ — as in fishing for your password, but spelled differently” said Tatiana Gau, vice president of integrity assurance for AOL.
In 1997 Ed Stansel, reporting for the Florida Times-Union, wrote: “Don’t get caught by online ‘phishers’ angling for account information.”
Over time, the definition of what constitutes a phishing attack has blurred and expanded. The term no longer covers only the theft of user account details; phishing now includes stealing all kinds of personal and financial data. In the early days, phishing entailed tricking users into replying to emails with their passwords and credit card details. As we now know, phishing has expanded into fake websites and the installation of Trojan horses such as key loggers and screen capture tools. Then there are the “man in the middle” data proxies, which can be delivered through any electronic communication medium.
The combination of phishers’ high success rate and a weak global economy has resulted in the scams escalating. An offshoot of the classic phishing scam now includes the use of fake job sites or job offers. Applicants are conned with the promise of making a lot of money for very little work: all a person has to do is open a new bank account, take the funds that are transferred into it, minus their personal commission, and send the rest on as an international money order. As experience teaches us, this is a classic money laundering scheme. Hence, phishing’s past keeps coming into the present.