Earlier this year, John Podesta, the campaign chair for Hillary Clinton, the Democratic candidate for President of the United States, had his personal Gmail account compromised. U.S. intelligence has since attributed the hack, which resulted in the leak of 50,000 emails that reveal the internal communications of the Democratic Party and the campaign, to elements of the Russian government. Despite being a state sponsored attack, this hack wasn’t overly sophisticated nor was it the result of some zero-day technique. In fact, according to Business Insider, Podesta fell for the “oldest trick in the book” — a phishing attack.
How Phishing Exposed the Campaign’s Inner Workings
On March 19, 2016, Podesta received an email appearing to be sent from Google, which stated that his password had been compromised. The email included a link to allow Podesta to change his password, which he eventually clicked on. A technique called ‘spoofing,’ hackers send an official looking email from a well-known service provider that instructs the receiver to take steps in order to protect finances or personal information. Before this, however, Podesta’s chief of staff forwarded the email to the campaign’s internal cybersecurity department – who responded proclaiming the email as “legitimate,” although the bit.ly link contained in the email should have certainly raised the IT team’s suspicions. This just goes to show that even trained security professionals find it hard to decide whether an email is authentic or not without going through a deep forensics process, so how can we expect the end user to make this verdict at a glance?
Unfortunately for Podesta, the email was not legitimate, but a targeted phishing attack strategically developed to exploit the campaign’s inner workings. The email was simply a rouse to trick Podesta into clicking a false link, owned by the hackers, and giving them full access to his account information. Currently, as the U.S. election creeps closer to conclusion, the cyber criminals responsible for the hack are releasing emails daily; prompting many foreign affairs experts to proclaim that Russia is trying to influence the vote.
The phishing attack on Hillary’s campaign is just the most recent example of organizations’ employees unknowingly providing sensitive information to cyber criminals. In February, Snapchat reported that a hacker impersonating the CEO sent a phishing email to the company’s payroll department, which resulted in the exploitation of confidential information on its current and former employees. Similarly, Seagate Technology fell victim of a phishing attack earlier this year, which fooled one employee into sharing W-2 tax documents on its current and past employees.
Aiding decisions with IRONSCALES
Above all we find that users are having hard time judging whether an email is legit or not. this problem is in some ways inherit with how email clients are built (User Experience) and how the email protocol is designed.
Users need more real-time information after an email lands in their mailbox to help them better understand whether the email is legit or not.
For Podesta’s Chief of staff, it might have been useful to have had some more insights on the email sender and link destination before making the decision to click on the link.
So we decided to simulate the exact same attack just to see how our IronTraps solution could have aided in making the right decision in this particular case.
IronTraps, a patent-pending, automatic phishing incident response module, automatically detects and blocks email phishing attacks in real-time, followed by an enterprise-wide remediation response. If the Clinton campaign had IronTraps installed… Podesta would have received the following alert on the spoofing email:
With one click of a button, Podesta would have been able to report the suspicious email to trigger the following sequence of events. Once the report button was hit, IronTraps would have immediately scanned the links and executed all the necessary checks to determine the most appropriate remediation response. At this point, the software would have identified the email’s bit.ly link as malicious and an automatic remediation response would have been issued to disable the link and remove the email from every employee’s inbox. Then, a signature would be assigned to the attack to ensure the same cyber attack would not happen again. Finally, a message would have been sent in parallel to the SOC or IT team for further inspection.
While it’s too late to undo the damage the phishing attack had on the Democratic nominee for President, political organizations and businesses of all sizes should recognize now, more than ever, the importance of a comprehensive phishing mitigation solution to combat increasingly frequent and complex attacks. As part of its full solution, IRONSCALES identifies and remediates malicious spoofing emails that are intentionally developed by cyber-criminals to deceive to the human eye. To learn how IronTraps remediated a targeted phishing email attack on a financial services company, read our latest use case.
(Eyal Benishti is the CEO of IRONSCALES. This post was published on the firm’s blog on November 6, 2016).