Are you my secret admirer? That was the question millions of people were asking 20 years ago when the Love Bug virus took the world by storm. Alternatively known as the “ILOVEYOU virus” or “Love Letter for you,” this social engineering attack infected approximately 50 million computers across the globe within ten days and cost billions to clean up.
When the Love Bug hit, Windows users received an email with the subject line "ILOVEYOU" and an attachment named LOVE-LETTER-FOR-YOU.TXT.vbs that posed as a love letter. Because Windows hid the final .vbs extension by default, the file looked like a harmless text file; opening it ran a Visual Basic script that used Outlook to mail a copy of itself to every address in the victim's address book. The message body read, "kindly check the attached LOVELETTER coming from me."
In a heartbreaking turn of events, victims soon discovered the email's true purpose, and it wasn't true love. The worm also overwrote image and script files on the infected machine with copies of itself, and the total cost of recovery, including removing the infection and restoring the files it had overwritten, was estimated at $10 billion.
The scam proved so serious that even the Pentagon and CIA shut down their email systems for a brief period of time. With reports of the attack emblazoned on the front page of most major news outlets on May 5, 2000, the Love Bug virus put email security threats on the map in a way they had never been before, exposing companies and individuals to the harsh realities of cyber threats.
When you break it down, Love Bug was effective on two fronts. As a computer worm, it replicated itself to spread quickly. But it also did something that made it far more successful: it preyed on people's emotions, luring those in search of love to open the malicious attachment.
Love Bug is one of the earliest large-scale examples of a social engineering threat, preceded by the Melissa virus in 1999, which likewise mailed itself to victims' contacts. (Conficker, which followed in 2008, spread mainly by exploiting a Windows vulnerability rather than by tricking users.) Unfortunately, we are still dealing with these types of attacks 20 years later! Social engineering remains a staple of cyber criminals and has morphed into sophisticated malware, phishing scams, ransomware, and more. This Valentine's Day, let's dive into the evolution of phishing attacks, some of the major trends over the past two decades, and how users can avoid taking the bait.
Phish #1: Criminal Deception
The first record of the term “phishing” was in 1996 in a Usenet newsgroup. While many did not know what it meant at first, it set the foundation for what was to come. Phishing attacks soon began on AOL, targeting users by sending messages impersonating AOL employees in an effort to steal their credentials. This technique became increasingly sophisticated as phishers started to craft more believable subject lines and pose as loved ones. Later, it evolved into conversation hijacking to trick users into thinking they were communicating with a person they trust. The most common form of criminal deception today is a spear phishing attack, in which a hacker does their research and pretends to know the individual they are targeting.
Phish #2: Business Email Compromise (BEC)
A more specific form of criminal deception, BEC relies heavily on social engineering and creates a sense of urgency to act rather than to click: often there is no link or attachment at all. Also known as a "man-in-the-email" attack, this type of phishing scam takes on the persona of a company executive to pressure an employee or unlucky recipient into wiring money, redirecting a payment, or replying with sensitive information. Because the message carries no malware, it slips past filters that look only for malicious links or attachments. These attacks happen so often, in fact, that the FBI put BEC losses (actual and attempted) at more than $26 billion between June 2016 and July 2019.
Phish #3: Ransomware
Ransomware is still a hot topic to this day, though it really gained ground in the phishing realm in September 2013 with the birth of CryptoLocker. Delivered largely through email attachments, the malware infected more than 250,000 computers, encrypting their files and demanding a ransom payment in exchange for the decryption key. Email was the original delivery method for ransomware, and the saying "everything old is new again" applies here: after a period in which attackers favored other entry points, malicious email attachments are making a comeback as hackers return to older, basic tactics.
Phish #4: Phishing as a Service (PHaaS)
As if there weren’t enough “phish” in the sea, over the past two years, a newer phishing tactic has come to light in the darkest parts of the web. In 2018, researchers discovered that hackers were heading to the Dark Web to sell actual phishing templates to make it easier for less advanced counterparts to deploy these attacks. Not only are these templates designed to look and feel authentic to the brand they aim to imitate, but the marketing tactics used to sell the products themselves are sophisticated, some even offering coupon codes for a better deal on the purchase.
Phish #5: Themed Attacks
While Valentine's Day-themed phishing attacks are bound to pop into unsuspecting inboxes over the next few weeks, the most prominent recent example of themed phishing is the wave of COVID-19-centric emails promising updates on the pandemic and information on vaccine distribution. Whether they are fabricated notices from a major health organization or claim to come from an employer with updated procedures, there is no end to the fear, uncertainty, and doubt (FUD) these lures stir up.
These phishing techniques are just the tip of the iceberg: attacks grow more sophisticated as technology evolves, but the techniques above continue to serve as the basis for what comes next. To defend against sophisticated phishing scams, here are five tips for companies to follow:
- Invest in security awareness training to learn how to detect a phishing email.
- Ensure all systems are equipped with the latest security patches.
- Hover over links before clicking to reveal the real destination; if it does not match the link text or the domain you expect, don't click.
- Install an antivirus solution and/or anti-phishing toolbar and monitor regularly.
- Never provide personal information on the internet unless absolutely necessary.
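The double-extension attachment trick described for Love Bug above, the executive impersonation behind BEC, and the "hover over the link" tip all reduce to signals that can be checked automatically before a person ever sees the message. The following Python script is added here as an example and is not code from the original post or from any product it promotes. It runs three such checks over a constructed sample message: the sender, domains, link, and the message itself are made up for the illustration, and the extension lists are an assumed starting point rather than a complete list.

```python
"""Three email triage checks, run over a constructed sample message."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Extensions Windows executes or interprets on double-click (assumed, not exhaustive).
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".exe",
               ".scr", ".bat", ".cmd", ".ps1", ".lnk"}
# Harmless-looking document extensions used as the decoy in front of the real one.
DECOY_EXTS = {".txt", ".pdf", ".doc", ".docx", ".jpg", ".png"}

ANCHOR_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")

# Constructed sample: the sender, domains, link and attachment are made up.
SAMPLE_EML = """\
From: "Pat Example" <ceo@example-corp.co>
Reply-To: pat.ceo@mail.example.net
To: staff@example-corp.com
Subject: ILOVEYOU
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>kindly check the attached LOVELETTER coming from me.</p>
<p><a href="http://login.example-corp.co/reset">https://login.example-corp.com/reset</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Disposition: attachment; filename="LOVE-LETTER-FOR-YOU.TXT.vbs"
Content-Transfer-Encoding: base64

Tm90IGEgcmVhbCBwYXlsb2Fk
--b1--
"""


def suspicious_attachments(msg):
    """(filename, reason) for attachments whose real extension is a script or
    executable, noting when a decoy document extension sits in front of it."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
        if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
            continue
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            hits.append((name, f"script {suffixes[-1]} disguised as {suffixes[-2]}"))
        else:
            hits.append((name, f"script attachment {suffixes[-1]}"))
    return hits


def bec_indicators(msg, internal_domain, executives):
    """Flag a known executive's name on an address outside the company domain,
    and a Reply-To that steers replies to a different domain than From."""
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = addr.rpartition("@")[2].lower()
    if any(e.lower() in name.lower() for e in executives) and from_domain != internal_domain.lower():
        flags.append(f"executive name '{name}' sent from external domain '{from_domain}'")
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        flags.append(f"Reply-To '{reply_addr}' diverts replies away from '{from_domain}'")
    return flags


def mismatched_links(html):
    """(visible_text, real_href) for anchors whose visible text is itself a URL
    but whose host differs from the href host: exactly what hovering reveals."""
    out = []
    for href, inner in ANCHOR_RE.findall(html):
        text = TAG_RE.sub("", inner).strip()
        if not text.lower().startswith(("http://", "https://")):
            continue
        if urlparse(text).hostname != urlparse(href).hostname:
            out.append((text, href))
    return out


def triage(raw_eml, internal_domain, executives):
    """Parse a raw RFC 5322 message and run all three checks."""
    msg = message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    return {
        "attachments": suspicious_attachments(msg),
        "bec": bec_indicators(msg, internal_domain, executives),
        "links": mismatched_links(html),
    }


if __name__ == "__main__":
    for category, items in triage(SAMPLE_EML, "example-corp.com", ["Pat Example"]).items():
        for item in items:
            print(f"[{category}] {item}")
```

Run as-is, the script reports the disguised .vbs attachment, the executive name on a lookalike domain plus the diverted Reply-To, and the link whose visible text differs from its real host. None of these checks proves an email is malicious on its own; they are the signals a mail gateway or an analyst scores together, and the mismatch check in particular only covers the case where the link text is itself a URL.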
To learn more about phishing trends over the past year, download our Phishers’ Favorites 2020 Year in Review report.