AOHell
AOHell is an early AOL-focused phishing tool associated with the origins of automated phishing in the mid-1990s. According to the source material, Koceilah Rekouche created AOHell, and the term "phishing" was coined in the context of this software. AOHell enabled large-scale phishing campaigns on America Online and provided an automated mechanism for stealing AOL user passwords and credit card information; the phishing functionality was in operation from January 1995. The sources describe it as the first publicly available automated phishing tool for password and information theft and note that it was widely adopted by amateurs, leading to countless phishing attacks. Attackers reportedly used it to impersonate AOL staff in order to harvest credentials. The sources further state that AOHell influenced many later automated phishing systems and that phishing activity subsequently expanded beyond AOL to other networks, eventually becoming a major threat affecting individuals, corporations, and governments. The sources provide no specific technical indicators of compromise.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
AOHell, an outlaw program designed to exploit bugs in the online service, making it easy to ... create pirate accounts.
"The history of phishing traces back in important ways to the mid-1990s when hacking software facilitated the mass targeting of people in password stealing scams on America Online (AOL)... The software provided an automated password and credit card-stealing mechanism starting in January 1995."
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
Command and Control
1 technique
Impact
1 technique
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An early phishing tool used on AOL to impersonate AOL staff and steal user passwords, associated with some of the first large-scale phishing campaigns.
An early publicly available automated phishing tool for AOL that enabled mass targeting of users to steal passwords and credit card information; it influenced later automated phishing systems.
An early publicly available automated phishing tool for AOL that enabled mass targeting of users to steal passwords and credit card information.
A named offensive tool referenced as having become widely adopted after media publicity; no further technical detail is provided in the content.