Phishing scam that hooked Clinton’s campaign chief a cautionary tale for businesses

Frequently overlooked in the ongoing hullabaloo over Hillary Clinton campaign chair John Podesta’s leaked emails and whether they will have an impact on the U.S. first lady-turned-senator-turned-secretary-of-state-turned-presidential candidate’s chances of being elected is the question of how hackers got their hands on Podesta’s inbox in the first place.

Over at Internet security firm Bitdefender’s news site, Hot for Security, contributor Graham Cluley did some digging and came up with the very first email that compromised Podesta’s account, illustrating a valuable lesson for businesses – and their IT departments – everywhere.

[Image: podesta-phish-1]

“At first glance the email, sent on March 19, 2016, looks like a legitimate communication from Google warning that hackers have used Podesta’s password to log into his Gmail account from Ukraine,” Cluley wrote in the Oct. 31 blog entry.

“Sounds urgent, right? And, sensibly, Podesta forwarded the warning to the Clinton campaign’s IT team asking what action he should take.”

Astonishingly, however, Clinton’s IT team concluded the e-mail was legitimate and urged Podesta to immediately change his password and turn on two-factor authentication.

[Image: podesta-phish-2]

As Cluley notes, Clinton’s IT team did send Podesta the correct link to review his Google security settings, but it’s likely Podesta instead clicked the link in the original message. The attackers had shortened that link with bit.ly, which hid its real destination, and it led to a fake but likely convincing Google sign-in page.

(In case you’re wondering, the link is broken as of this writing.)

[Image: podesta-phish-3]

Once Podesta typed his user name and password into the fake page, the hackers had his credentials and were in.

Thus far, whistleblowing non-profit organization Wikileaks has released more than 36,000 of Podesta’s emails, and claims to have at least 14,000 more that will be released by Nov. 8, the date of the U.S. election.

While nobody knows the precise identities of the hackers, or who shared Podesta’s emails with Wikileaks, they “were clearly part of a wave of attacks masterminded by the notorious Fancy Bear hacking group, believed to have close ties to Moscow,” Cluley wrote.

Couched in the Clinton campaign’s embarrassment, however, is an important lesson for companies: if Podesta had already set up two-step verification on his account, learning his password alone wouldn’t have been enough for the hackers to break in. (One caveat a practitioner would add: a one-time code sent by SMS or app can still be captured by a phishing page that relays it to the real login in real time, so a hardware security key is the stronger second factor.)

Had he checked the link’s URL, he might have noticed that it led to “myaccount.google.com-securitysettingpage.tk” rather than “https://myaccount.google.com/security”. The “google.com” in the address is only the front part of the hostname; the domain actually being visited is “com-securitysettingpage.tk”, which has nothing to do with Google.
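A practitioner-level version of that URL check, written here as an added example (it is not code from the article or from Cluley’s post): it parses the hostname out of a link and accepts it only when the host is google.com or a genuine subdomain of it, which rejects the lookalike host from the Podesta email, and it flags link-shortener hosts such as bit.ly because they hide the real destination. The trusted-suffix list, the shortener list and the sample links (including the path on the lookalike host) are constructed for the example.

```python
from urllib.parse import urlparse

# Hosts on which Google's account pages legitimately live. Assumption for
# this example: only google.com and its subdomains count as trusted.
TRUSTED_SUFFIXES = ("google.com",)

# Link shorteners hide the destination until the link is followed; the
# Podesta email used bit.ly. List constructed for the example.
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}


def hostname_of(url):
    """Return the lowercase hostname of url (no port, no trailing dot), or None."""
    if "://" not in url:
        url = "http://" + url  # urlparse only sees a netloc when a scheme is present
    host = urlparse(url).hostname
    return host.rstrip(".") if host else None


def naive_check(host):
    """The mistake a human eye makes: 'it says google.com, so it must be Google'.
    This accepts the lookalike host because google.com is merely a substring."""
    return "google.com" in host


def is_trusted_google_host(host):
    """True only for google.com itself or a real subdomain of it.
    The suffix match is anchored on a dot, so 'google.com-x.tk' fails."""
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_link(url):
    """Label a link as trusted, shortener, lookalike, untrusted or invalid."""
    host = hostname_of(url)
    if not host:
        return "invalid"
    if host in SHORTENERS:
        return "shortener"      # expand it before deciding anything
    if is_trusted_google_host(host):
        return "trusted"
    if "google" in host:
        return "lookalike"      # Google's name used on someone else's domain
    return "untrusted"


# Constructed sample links: the real security page, the lookalike host quoted
# in the article (path constructed here), and a bit.ly link.
SAMPLES = [
    "https://myaccount.google.com/security",
    "http://myaccount.google.com-securitysettingpage.tk/security",
    "https://bit.ly/example",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10s} {link}")
```

The point of `naive_check` beside `is_trusted_google_host` is the difference between “contains google.com” and “ends with .google.com”: only the second matches how DNS actually assigns ownership. In a mail gateway, a “shortener” result should trigger expanding the link (for example with a HEAD request that follows redirects) and classifying the final destination, since the shortened form says nothing about where the user will land.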

And if he hadn’t been using the same passwords elsewhere, others wouldn’t have been able to hack into his Twitter and iCloud accounts using information gleaned from the emails.

“The truth is that the breach of the Clinton campaign chief’s email did not require sophisticated hacking skills,” Cluley wrote. “It just depended on the right combination of human error and carelessness.”


Eric Emin Wood
Former editor of ITBusiness.ca turned consultant with public relations firm Porter Novelli. When not writing for the tech industry enjoys photography, movies, travelling, the Oxford comma, and will talk your ear off about animation if you give him an opening.
