The New Face of Phishing

Dave Piscitello, VP Security, ICANN and APWG Board of Directors

Phishing has long been associated with cybercrimes that use deception – particularly, social engineering – to dupe victims into disclosing personal or financial account data. Once disclosed, these data are then used to perpetrate (financial) fraud. In the past, the deception part of a phishing attack has commonly been delivered via unsolicited email, spam. Attackers first sent spam to thousands and later millions of recipients with confidence that some recipients would fall victim to the deception, click on a URL embedded in the email, visit an impersonation web site, and unwittingly disclose credit, personal or sensitive data (e.g., usernames and passwords). This traditional face of phishing is still present but no longer the prevalent or only form in the current threat landscape.

The Modern Faces of Phishing

The complexion and complexity of phishing can be illustrated through the ways in which phishing attacks have evolved:

Delivery and distribution.

Phishing attacks are now perpetrated through social media. Attackers lure victims to impersonation web sites by incorporating phishing URLs into posts or comments. Attackers target Facebook, LinkedIn, Twitter, Tumblr, Snapchat, Google+, Instagram and other social media users with thousands of phishing or otherwise malicious URLs {daily/monthly?}. Attackers also distribute phishing lures in text, SMS, Skype, Messenger, or other messaging services. These new attack vectors demonstrate that phishers have adapted to society’s increased mobility and today’s diversity of messaging platforms.

Target acquisition.

Attackers now seek larger financial rewards than they can expect from widely distributed spam. In particular, they investigate wealthy individuals or individuals with access to corporate or government financial accounts or sensitive data. Such individuals are considered big catches or whales. Attackers use web sites, blogs, and social media to identify these high-value targets. They use information they gather to personalize targeted or spear phishing attacks against these individuals. Other forms of targeted phishing have evolved from spear phishing attacks: CEO Fraud phishing attacks impersonate correspondence from executives to dupe employees who are responsible for finances to make wire transfer payments for fake invoices, and similar forms of this Business Email Compromise combines email account spoofing to acquire sensitive business data.


Attackers still seek direct financial rewards through coercion but they are now motivated to acquire sensitive data on behalf of state actors or to sell on deep websites. To this end, attackers use social engineering to convince email recipients to install malware that is attached to email messages. One form of malware in such attacks is a root kit, which installs on the victim’s computer and provides attackers with remote administrator privileges and thus the means to access sensitive data or run surveillance or data exfiltration software on the infected computer. Banking Trojans are a second kind of malware that is delivered in phishing email: one form of banking malware uses keylogging to capture account credentials when the victim visits his financial institution online.

Today, ransomware dominates the phishing attack surface; here, attackers embed hyperlinks that lead the victim to a malware download web sites. Once installed, ransomware either locks the user out of his computer, or encrypts files entire hard drives on the computer, and then posts a demand to the user that demands a payment or ransom in return for the means to unlock or decrypt his data. Ransomware attackers are often quite elaborate in their planning: they provide FAQs about ransomware that include instructions that victims must follow to pay ransoms using cryptocurrencies such as BitCoin.

Phishing has evolved… and so has the AntiPhishing Working Group

Phishing affects everyone, from consumers and enterprises to governments and regulated financial services. The threat has never been greater and is worsened by the increased selective targeting of victims or organizations that have large sums of money or high-value intellectual property.

To contend with this new threat landscape, APWG members need more and better intelligence. APWG toolkits have evolved to meet this need. The APWG eCrime eXchange (eCX) now supports on-demand phishing data insertion and retrieval: this significantly improves an e-crime investigator’s access to fresh data. Additionally, the APWG now collects and shares more than just standard phishing indicators; specifically, APWG now provides data associated with cryptocurrency identifiers and malicious IP Addresses. As phishing continues its evolution the APWG will continue to expand the kinds of data collected by the APWG and its members.

APWG members also need reliable situational intelligence and security awareness. Through the eCrime conference, the APWG continues to raise awareness to the issues that arise with evolutions to phishing and their targets. The academic and industry research tracks of the conference give the opportunity for security researchers and practitioners to share new techniques to address challenges related to phishing as well as provide insights into real world case studies. The conference program exposes attendees to unique case studies, data or trend analyses, and most importantly, opportunities to network with some of the operational security community’s finest practitioners.

APWG members must also keep pace with global policies and regulations that affect cyber investigations. Crimes involving social engineering or phishing attacks necessarily oblige investigators to sift through large amounts of data. Increasingly, some of this data may be deemed personal or sensitive in one or more international jurisdictions. The APWG membership provides subject matter expertise and consultation to legislators who are responsible for defining privacy or data protection laws or regulations: this knowledge-sharing is necessary to ensure that the regulators make informed policy or regulatory decisions. APWG will continue to work with members and international governance bodies to define appropriate safeguards for collecting and sharing e-crime indicators among its members and other e-crime fighters. Most recently, the APWG has worked to make our data collection and sharing activities consistent with EU 2016/679 (GDPR), EU 2016/680, the APEC Privacy Framework, and requisite national regulations so e-crime fighters get access to the best data as soon as possible.

Closing remarks

As phishing - and e-crime in general -has evolved the crime fighters need to evolve, too. The APWG consults regularly with its members, other organizations, and international authorities and bodies to ensure that as phishing evolves e-crime fighters are prepared, too.