Why phishing is not sophisticated and certainly not new
TLDR; The phishing-led attacks that we see today were first discovered on the AOL network in 1996. That was 25 years ago. To put that into perspective, Google wasn’t founded until 1998, and most of the Chrome engineers who represent Google across standards bodies today, didn’t graduate from college until the 2000s.
1996 — when the first phish was born
Welcome to 1996
Rather than face life without an Internet connection after the AOL trial period expired, some found a way to change their screen names to make it appear as if they were an AOL administrator like me. They used instant messaging, chat rooms, and email to trick members into handing over their passwords so they could hijack their accounts.
🎓 Phishing inside messaging services has been around since 1996 — we didn’t call it by that name. This fact alone should be enough to prove phishing is anything but new or sophisticated.
After impersonating me or one of my colleagues at AOL, “hackers” would pretend to be an employee and “phish” AOL members for login credentials to continue accessing the Internet for free.
The Internet has evolved so much it’s barely recognizable. The web is now interactive, making it super easy for anyone to create, upload, or share content. To combat phishing-led attacks on members, we investigated and blocked new dangerous URLs while banning their fake AOL accounts that impersonated employees. Like today, some of the process was automated.
Let’s jump 20 years to see how anti-phishing security has evolved with the internet. The year is 2016 — anti-phishing protection involves blocking new dangerous URLs, and accounts that impersonate people or entities on the internet. So, while the internet evolved into something new and wonderful by 2016, the approach to Internet Security remained the same.
🎓 Internet security continues to rely on blocking known danger.
Let’s take a phishing trip and see where we end up…
- “The Anti-Phishing Working Group (APWG) observed that 2016 ended as the worst year for phishing in history.”
- 1000% increase in phishing attacks from 2016 to 2017.
- “Phishing attempts in 2018 more than DOUBLED.”
- “Phishing attack volume grew 40.9% from 2018. This is the worst period for phishing that the APWG has seen in three years, since the fourth quarter of 2016”
- “The worst on record for victims of internet crime in the US.”
- “The most common internet crime was phishing.”
- “2020 is the worst year on record for phishing.”
- “The first half of 2021 shows a 22% increase in the volume of phishing attacks over the same time period in 2020.”
- The second half of the year is typically worse for phishing than the first half — see 2020, point 4 for evidence.
- Data paints a bleak picture — 2022 will be the worst year in history for phishing.
💡 The cybersecurity industry hasn’t created anything new or different for anti-phishing protection this year, so there’s no reason to believe organizations will be better protected with more of the same tech. As we’ve seen, the cybersecurity industry hasn’t made any progress on combating phishing-led attacks since 1996 — in fact, it’s getting worse EVERY year with no data to suggest this trend will change in the next few years. Some might look at the data and conclude that industry should try a completely different approach to see if we can achieve a different outcome.
I’m hoping that by now, you no longer think phishing is new or sophisticated. It has been around since 1996, involving a deceptive URL that takes you to a counterfeit webpage, download, or service. Nothing has changed.
Back to 2021…
Every time there’s a phishing-led attack, the security industry, and every media outlet claims it’s “new and sophisticated”.
Microsoft is one of the biggest email service providers in the world. It’s also one of the biggest security vendors in the world, so they should know everything there is to know about phishing and how to stop it…
“Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds…”
On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate email service, Constant Contact to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.
Proofpoint is one of the world leaders in anti-phishing security (acquired in 2021 for $12.3bn). Let’s see what they think about phishing in 2021…
“Trust every URL on the Internet.”
The approach to anti-phishing in 2021 is the same approach that we took at AOL in 1996 — “block known danger” or “assume every URL on the internet is safe until they’re discovered, and classified as “dangerous”.
Something different — Zero Trust
What if we took the opposite approach to anti-phishing security — “never trust a URL, always verify”? I call this “Zero Trust URL & Web Access Authentication.”
I’ve taken the following two paragraphs straight from Palo Alto Networks to best describe the concept of Zero Trust:
“Zero Trust is a strategic initiative that helps prevent successful data breaches by eliminating the concept of trust from an organization’s network architecture. Rooted in the principle of “never trust, always verify,” Zero Trust is designed to protect modern digital environments by leveraging network segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying granular user-access control.”
“Zero Trust was created by John Kindervag, during his tenure as a vice president and principal analyst for Forrester Research, based on the realization that traditional security models operate on the outdated assumption that everything inside an organization’s network should be trusted. Under this broken trust model, it is assumed that a user’s identity is not compromised and that all users act responsibly and can be trusted. The Zero Trust model recognizes that trust is a vulnerability. Once on the network, users — including threat actors and malicious insiders — are free to move laterally and access or exfiltrate whatever data they are not limited to. Remember, the point of infiltration of an attack is often not the target location.”
⛔️ The last time I checked, Palo Alto Networks didn’t offer a Zero Trust strategy for URL & Web Access Authentication. When it comes to their security offerings, anything related to anti-phishing (URLs) goes through a “filter” — i.e. the legacy approached described above.
Unless a security system never trusts a URL unless verified, it can’t enable a Zero Trust strategy. Zero Trust = 0 Trust. It’s binary, in the same way that cars powered by any kind of fossil fuel cannot be called an “electric car” (hybrid is a different classification).
Zero Trust URL & Web Access Authentication
If “Zero Trust” is rooted in the principle of “never trust, always verify”, a Zero Trust strategy for URL & Web Access would automatically block every URL on the Internet that fails to authenticate. To do this, a massive data set of verified URLs is required.
Using AI/ML/Regex or anything else to make a determination while a URL is in transit, is the opposite to Zero Trust — that’s traditional security as described above. Applying new shiny things to an old methodology doesn’t change the methodology.
If you’d like to go really deep on this, I wrote an article at the request of the PKI Consortium formally known as the CA Security Council — the security vendors that sell SSL certificates and EV for website identity. Everything I wrote back then, applies today. And this article will likely stand the test of time in 20 years from now, unless industry tries a different approach.
👉 To find out what a Zero Trust strategy looks like for SMS, go here.
👉 To find out what a Zero Trust strategy looks like for desktop computers, go here. (Technically, business customers must block access to unverified URLs, rather than relying on a grey shield, to enable a Zero Trust strategy.)
If you find another product or service that enables a Zero Trust strategy for anti-phishing protection, please let me know and I’ll update this article, or explain why it doesn’t really do what it claims on the tin.
If you enjoyed my article on Zero Trust SMS, you might enjoy this one — where I describe the differences between email and SMS in the context of phishing attacks.