Democratic presidential nominee Hillary Clinton has a hacking problem.
More specifically, her campaign’s chairman John Podesta had his personal Gmail account compromised earlier this year. The hack was allegedly perpetrated by the Russian government, and loosed over 50,000 emails; Wikileaks has since published thousands of those emails.
Some of those emails have led to discomfort in the Democratic Party in the final month leading up to Election Day on November 8. More often, the emails reveal the inner workings of Clinton’s presidential campaign across the past year, insecurities and all.
How is it that a man such as Podesta, in such a position of importance, had his email compromised? Turns out he’s just as susceptible to social engineering hacks as your Uncle Morty.
Podesta’s email was apparently accessed by a simple social engineering tactic, called “phishing”:
- Hackers emailed him posing as Google’s Gmail account services department.
- They then told him his password was compromised, and provided a false link to a place to change his password (this appears to be where Podesta went wrong, eventually clicking this link and entering his information).
- Before doing anything else, Podesta’s chief of staff forwarded that email to the Clinton campaign’s internal computer security department.
- A Clinton campaign help desk staffer, seemingly fooled by the ruse himself, called the email “legitimate.”
- He then asked Podesta’s chief of staff to ensure that Podesta had two-factor authentication turned on (which adds extra security to his account), and to change his password.
Despite the campaign staffers sending Podesta the correct email link from Google to reset his password, Podesta seemingly clicked the original link.
Simply put: Rather than clicking a legitimate Google account link, he apparently clicked through to a fake website run by hackers. When he entered his account information, he handed over the keys to his Gmail willingly.
Phishing is a hacking tactic that’s actually older than computer-based hacking, and involves simple social engineering.
Rather than trying to find holes in Podesta’s personal internet security (using programs that guess password strings, for instance), hackers simply put on a disguise and tried tricking him directly. This is often done by either posing as a figure of authority or as an expert; in this case, the hackers posed as Gmail security (an expert) and had their disguise backed up by Clinton’s help desk staffer.
Even worse for Podesta, the human safeguards around him — his chief of staff, Sara Latham, and help desk staffer Charles Delavan — reconfirmed the disguise as “legitimate.” If this is indeed how it all went down, Delavan made a huge mistake.
There are two obvious red flags in the initial “phishing” email sent to Podesta:
First and foremost, you’re never going to get an email from Google with “googlemail” as part of the URL.
It seems legit, because if you go to www.GoogleMail.com, it redirects to Gmail. But Google doesn’t call it “Gmail” for nothing. A quick search of your own Gmail account for the string “googlemail” likely won’t turn up any legitimate results from Google. That’s because it’s a fake address that’s close enough to be believable.
But that alone isn’t enough to deem this fake.
The big giveaway here is the password change URL: a Bitly link. Google is never going to send you a Bitly link as an official link.
Bitly links are simplified versions of other links, like so:
- Here’s a Bitly link to my favourite RoboCop GIF: http://bit.ly/2f0JHCC.
- The full URL for that incredible GIF is: http://giphy.com/gifs/thank-you-robocop-for-your-cooperation-U8bDgsXcnIEFy
Get it? That means the Bitly link in the initial email sent to Podesta was actually hiding a URL — a fake site meant to look like Gmail account retrieval that actually served as a front for the hackers. Podesta enters his login and password, then he puts in a new one. Voila: The hackers now have both his old and new password, as entered by John Podesta.
(We obscured the Bitly link above in the email intentionally as it still leads to a potentially malicious website.)
But, to be clear, clicking through that Bitly link should have been another huge red flag for Podesta; the URL shows up with a “.tk” ending, the top-level domain name for Tokelau (a territory of New Zealand). And wouldn’t you know it, Google — being one of the biggest internet companies in the world — has no problem locking down .com URLs.