AOHell, or How Phishing Got Its Start

In a paper [PDF link] penned last year, Koceilah Rekouche recounts the earliest days of phishing. Surprise, surprise: it happened on America Online (AOL). Here’s how the process worked:

1. Obtain an anonymous AOL account by creating one using a fake bank account number or credit card, or use an account that was stolen in a previous attack.

2. Create a screen name on the account that appears official (e.g. BillingDept).

3. Write the “bait” message which will explain to users the need for us to “verify” their passwords or billing information. For example: “Hi, this is AOL customer service. Due to a problem with our records, we need you to reply to this message with your current password in order to avoid being disconnected.”

4. Locate a New Member Lounge chat room and open its occupant list.

5. Send a private message containing the bait to each person in the room.

The paper is quite revealing, and having read the whole thing, it’s obvious that the people behind the phishing attempts wanted to create a community of hackers. Rekouche discusses how AOHell, an early piece of software created for stealing passwords and credit cards, proliferated:

A major goal in writing AOHell was to gain a user base not just within AOL’s hacking community but, more importantly, to get users from outside this community and thus increase its size by recruiting and educating new people. This was extremely successful as the popularity of AOHell and similar programs were largely responsible for growing the warez, hacking, and programming communities to a point where they reached thousands of participants. For each new release, and periodically in between releases, I would spam a copy of the program, along with a layman’s description of the things that it could do, to every person in the Teen Chat rooms. This was a very effective way of getting new people to use the program as email spamming had not yet come about. Phishing was one component of the software, but most AOL teenagers were drawn by the other advertised functions such as the ability to “punt” their friends offline or the ability to scroll ASCII art in the chat rooms.

It’s a fascinating paper. For the pointer, I thank this Wall Street Journal post, where you can contribute your own story of how you’ve been hacked, if ever.
