The New Faces of Phishing (Part I)

Phishing has long been associated with cybercrimes that use deception – particularly, social engineering – to dupe victims into disclosing personal or financial account data. Once disclosed, these data are then used to perpetrate (financial) fraud. In the past, the deception part of a phishing attack has commonly been delivered via unsolicited email, spam. Attackers first sent spam to thousands and later millions of recipients with confidence that some recipients would fall victim to the deception, click on a URL embedded in the email, visit an impersonation web site, and unwittingly disclose credit, personal or sensitive data (e.g., usernames and passwords). This traditional face of phishing is still present but no longer the prevalent or only form in the current threat landscape.

The Modern Faces of Phishing

The complexion and complexity of phishing can be illustrated through the ways in which phishing attacks have evolved:

Delivery and distribution.

Phishing attacks are now perpetrated through social media. Attackers lure victims to impersonation web sites by incorporating phishing URLs into posts or comments. Attackers target Facebook, LinkedIn, Twitter, Tumblr, Snapchat, Google+, Instagram and other social media users with thousands of phishing or otherwise malicious URLs. Attackers also distribute phishing lures in text, SMS, Skype, Messenger, or other messaging services. These new attack vectors demonstrate that phishers have adapted to society’s increased mobility and today’s diversity of messaging platforms.

Target acquisition.

Attackers now seek larger financial rewards than they can expect from widely distributed spam. In particular, they investigate wealthy individuals or individuals with access to corporate or government financial accounts or sensitive data. Such individuals are considered big catches or whales. Attackers use web sites, blogs, and social media to identify these high-value targets. They use the information they gather to personalize targeted, or spear phishing, attacks against these individuals. Other forms of targeted phishing have evolved from spear phishing attacks. CEO Fraud phishing attacks impersonate correspondence from executives to dupe employees who are responsible for finances into making wire transfer payments for fake invoices. Similar forms of this Business Email Compromise use email account spoofing to acquire sensitive business data.


Attackers still seek direct financial rewards through coercion, but they are now motivated to acquire sensitive data on behalf of state actors or to sell on deep web sites. To this end, attackers use social engineering to convince email recipients to install malware that is attached to email messages. One form of malware in such attacks is a rootkit, which installs on the victim’s computer and provides attackers with remote administrator privileges and thus the means to access sensitive data or run surveillance or data exfiltration software on the infected computer. Banking Trojans are a second kind of malware that is delivered in phishing email: one form of banking malware uses keylogging to capture account credentials when the victim visits his financial institution online.

Today, ransomware dominates the phishing attack surface; here, attackers embed hyperlinks that lead the victim to malware download web sites. Once installed, ransomware either locks the user out of his computer, or encrypts files or entire hard drives on the computer, and then presents the user with a demand for a payment, or ransom, in return for the means to unlock or decrypt his data. Ransomware attackers are often quite elaborate in their planning: they provide FAQs about ransomware that include instructions that victims must follow to pay ransoms using cryptocurrencies such as Bitcoin.