Democratic presidential nominee Hillary Clinton has a hacking problem.
More specifically, her campaign’s chairman, John Podesta, had his personal Gmail account compromised earlier this year. The hack, which US intelligence agencies have blamed on the Russian government, revealed more than 50,000 emails; the website WikiLeaks has since published thousands of those emails.
Some of those emails have led to discomfort in the Democratic Party in the final month leading up to the November 8 election, revealing the inner workings of Clinton’s presidential campaign across the past year, insecurities and all.
How is it that a man such as Podesta, in such a position of importance, had his email compromised? It turns out he’s just as susceptible to social-engineering hacks as your Uncle Morty.
Podesta’s email was apparently accessed by a simple social-engineering tactic called “phishing”:
- Hackers emailed him posing as Google’s Gmail account-services department. They then told him his password was compromised and provided a false link to a place to change his password (this appears to be where Podesta went wrong, eventually clicking this link and entering his information). Before doing anything else, Podesta’s chief of staff forwarded that email to the Clinton campaign’s internal computer-security department. A Clinton campaign help-desk staffer, seemingly fooled by the ruse himself, called the email “legitimate.” He then asked Podesta’s chief of staff to ensure that Podesta had two-factor authentication turned on (which adds extra security to his account) and to change his password.
Even though the campaign staffers sent Podesta the correct email link from Google to reset his password, Podesta seemingly clicked the original link.
Simply put: Rather than clicking a legitimate link from Google, he apparently clicked through to a fake website run by hackers. When he entered his account information, he handed over the keys to his Gmail.
Phishing is a hacking tactic that is actually older than computer-based hacking, and it involves simple social engineering.
Rather than trying to find holes in Podesta’s personal internet security, using programs that guess password strings, for instance, hackers simply put on a disguise and tried tricking him. This is often done by posing as a figure of authority or as an expert; in this case, the hackers posed as Gmail security (an expert) and had their disguise backed up by Clinton’s help-desk staffer.
Even worse for Podesta, the human safeguards around him – his chief of staff, Sara Latham, and help-desk staffer Charles Delavan – mistook the disguise for something legitimate. If this is indeed how it all went down, Delavan made a huge mistake.
There are two obvious red flags in the initial phishing email sent to Podesta:
First and foremost, you’re never going to get an email from Google with “googlemail” as part of the URL.
It seems legit, because if you go to www.GoogleMail.com, it redirects to Gmail. But Google doesn’t call it “Gmail” for nothing. A quick search of your own Gmail account for the string “googlemail” most likely won’t turn up any legitimate results from Google. That’s because it’s a fake address that’s close enough to be believable. Google does indeed own the URL, adding all the more credibility, but you’re unlikely to get an email from Google with “@googlemail.com” as the origin.
But that alone isn’t enough to deem this fake.
The big giveaway here is the password-change URL: a Bitly link. Google will never send you a Bitly link as an official link.
Bitly links are simplified versions of other links, like so:
- Here’s a Bitly link to my favorite RoboCop GIF: http://bit.ly/2f0JHCC. The full URL for that incredible GIF is: http://giphy.com/gifs/thank-you-robocop-for-your-cooperation-U8bDgsXcnIEFy
Get it? That means the Bitly link in the initial email sent to Podesta was actually hiding a URL – a fake site meant to look like Gmail’s account retrieval that actually served as a front for the hackers. Podesta entered his login and password and then entered a new one. Voilà: The hackers now have both his old and new passwords, as entered by John Podesta.
(We obscured the Bitly link above in the email intentionally, as it still leads to a potentially malicious website.)
But, to be clear, clicking through that Bitly link should have been another huge red flag for Podesta; the URL shows up with a “.tk” ending, the top-level domain name for Tokelau (a territory of New Zealand). And wouldn’t you know it, Google – being one of the biggest internet companies in the world – has no problem locking down .com URLs.
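The three red flags described above (a look-alike sender domain, a shortened link, and a destination outside Google’s own domain) can be checked mechanically. The script below is an added example, not part of the original article or anything the Clinton campaign used; the sample email, the shortlink and the .tk destination are constructed placeholders, and the offline mapping stands in for actually following the shortener’s redirect.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# URL shorteners that hide the real destination; bit.ly is the one used in the Podesta email.
SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co"}
# Domain Google actually sends account mail from (assumption made for this example).
GOOGLE_DOMAIN = "google.com"

# Constructed sample modelled on the article's description. The sender address,
# the shortlink path and the .tk destination are placeholders, not the real ones.
SAMPLE_EMAIL = """From: Google <no-reply@accounts.googlemail.com>
To: chief-of-staff@example.org
Subject: Someone has your password

Someone just used your password to try to sign in to your Google Account.
CHANGE PASSWORD: http://bit.ly/PLACEHOLDER
"""

# Offline stand-in for following the shortener's redirect (constructed mapping).
RESOLVED_SHORTLINKS = {
    "http://bit.ly/PLACEHOLDER": "http://accounts-google-recovery.example.tk/signin/password",
}


def same_site(host, domain):
    """True if host is the domain itself or a subdomain of it (not a look-alike)."""
    return host == domain or host.endswith("." + domain)


def phishing_red_flags(raw_email, resolve=RESOLVED_SHORTLINKS.get):
    """Return the red flags the article describes for a mail claiming to be from Google."""
    msg = message_from_string(raw_email)
    flags = []
    sender_domain = msg.get("From", "").rsplit("@", 1)[-1].rstrip(">").lower()
    if not same_site(sender_domain, GOOGLE_DOMAIN):
        flags.append(f"sender domain {sender_domain!r} is not under {GOOGLE_DOMAIN}")
    for url in re.findall(r"https?://[^\s<>\"']+", msg.get_payload()):
        host = urlparse(url).hostname or ""
        if host in SHORTENERS:
            flags.append(f"link hidden behind URL shortener {host}")
            url = resolve(url) or url  # follow the redirect to see where it really goes
            host = urlparse(url).hostname or ""
        if not same_site(host, GOOGLE_DOMAIN):
            tld = host.rsplit(".", 1)[-1]
            flags.append(f"password link lands on {host} (.{tld}), not {GOOGLE_DOMAIN}")
    return flags


if __name__ == "__main__":
    for flag in phishing_red_flags(SAMPLE_EMAIL):
        print("RED FLAG:", flag)
```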