Phishing 101

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.
Wikipedia

Recently, it has become common for attackers looking to gain access to email and iCloud accounts to use targeted “spear-phishing” operations. Recent high profile victims of these attacks include:

  • Colin Powell
  • John Podesta, Campaign Chief for Hillary Clinton
  • Celebrities, including Jennifer Lawrence and Rihanna, among others whose nude photos were released online last year.

Collins apparently accessed at least 50 iCloud accounts and 72 Gmail accounts and stole information from more than 600 victims, not all of whom were celebrities.
Ars Technica

The attackers sent these people emails that appeared legitimate but contained URLs which, when clicked, led to a believable (but fake) login or password reset page, letting the attackers capture the real credentials of the targeted account holders.

Just to be clear, this isn’t a hack of Apple, Google, or other services. Phishing is a form of social engineering where the victim is tricked into willingly handing over their own credentials.

The Case of John Podesta

I’ve written about the consequences of John Podesta’s email breach already, but I want to explain just how the Russian hacker collective “Fancy Bear” got into his emails in the first place. It offers a lesson in “what not to do” when you get something suspicious.

On Wikileaks you can read the full email exchange between Clinton Campaign officials and their IT Helpdesk Manager. I have summarized the chain of events below:

  1. Receives Phishing Email: He received an email from (what appeared to be) Google, telling him that his account had been compromised and that he should change his password immediately.
  2. Suspicions: He had doubts about the authenticity of the email, so he forwarded it to the Clinton Campaign Helpdesk’s IT Manager, Charles Delavan.
  3. All Clear: Delavan told him that the email was legitimate and that he should go through Google’s website to change his password. He even supplied the link to that page on Google’s site, and reminded Podesta to turn on Two Factor Authentication if he had not yet done so.
  4. Taking the Bait: Instead of going to the legitimate URL his IT manager suggested, Podesta followed the attacker-controlled Bit.ly link from the original email, handing his account credentials to the Russian attackers.

This is a wonderful example because it shows there were moments throughout the scenario where things could have gone right:

  • Podesta was concerned that this email might not be real.
  • Though the email was incorrectly identified as legitimate, the advice that Clinton Campaign Helpdesk’s Charles Delavan gave for moving forward was correct. He offered the proper URL to Google’s account tools to reset the password and advised that Two Factor Authentication be turned on immediately to protect the account from potential attackers.

Had Podesta simply gone directly to Google, instead of clicking the Bit.ly link from the original email, this leak would not have happened. Furthermore, if he had Two Factor Authentication enabled, his stolen password alone would not have been enough for the attackers to access his account.

It is entirely possible that Hillary Clinton will lose a Presidential election due, in part, to the fallout from the release of tens of thousands of emails showing the inner workings of her organization, a situation which could have been entirely avoided if her Campaign Chief had simply turned on Two Factor Authentication in Gmail.

URL Shortening

URL shortening services are everywhere these days. Bit.ly is popular, but virtually all social media sites now use their own in-house method for reducing the character length of links. The problem is that a shortened link hides its destination until it is clicked, so attackers use these services to disguise where they are sending a particular victim. The URLs sent to John Podesta and Colin Powell in particular were crafted to target them specifically.

That link is only one of almost 9,000 links Fancy Bear used to target almost 4,000 individuals from October 2015 to May 2016. Each one of these URLs contained the email and name of the actual target.
Motherboard

Tips for Avoiding Phishing Attempts

Spear-phishing emails work because they’re believable. People open 3% of their spam and 70% of spear-phishing attempts. And 50% of those who open the spear-phishing emails click on the links within the email—compared to 5% for mass mailings—and they click on those links within an hour of receipt. A campaign of 10 emails has a 90% chance of snaring its target.
FireEye

  • Look Before You Click: When you hover your mouse over a button or text link, the link’s destination appears in the bottom left of most browsers. If you can’t make sense of where that link is about to take you, just don’t click on it. The most important thing to check is the domain: make sure it is spelled correctly, because attackers often register domains that are close to, but not quite, the real one. A shortened link only shows you the shortener’s domain, which tells you nothing about the real destination.
  • Don’t Take the Bait: If a service emails you with concerns about your account, go to their website directly by typing the address or using a bookmark. You don’t need to become an expert in reading URLs if you simply avoid following them in the first place.
  • Enable Two Factor Authentication: There is no better way to protect your accounts. You can follow my getting started guide here. Even if you do fall for a phishing scheme, the attackers will only have part of what they need and won’t be able to access your account without also compromising your phone, which is rare. (One caveat: a fake login page can also ask for your one-time code and relay it in real time, so a hardware security key is the stronger option where a service supports it.)
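The two habits above, expanding a shortened link without visiting it and reading the domain the browser will actually connect to, can be automated. The following script is an added example written for this post, not code from the original article or from any of the services mentioned. It resolves a shortener’s redirect chain with HEAD requests only (so a phishing page never loads), then inspects the final hostname for the tricks described in the URL Shortening section and the Look Before You Click tip: a lookalike domain such as accounts-google.com, a trusted name buried in a subdomain, credentials before an @ that hide the real host, and non-ASCII (homoglyph) labels. The trusted-domain list, the bit.ly-style link and the redirect table are constructed for the demo; the live HEAD fetcher is included but is not used by the offline run.

```python
"""Look before you click: expand a shortened link without visiting it, then
check whether the real destination belongs to the service the email claims.

Added example; not code from the original post. The shortener link, the
target URLs, the redirect table and the trusted-domain list are constructed.
"""
from difflib import get_close_matches
from urllib.error import HTTPError
from urllib.parse import urljoin, urlsplit
from urllib.request import HTTPRedirectHandler, Request, build_opener

# Domains you expect a Google/Apple account notice to send you to (assumption
# for the demo; extend with the services you actually use).
TRUSTED = {"google.com", "apple.com", "icloud.com"}


class _NoRedirect(HTTPRedirectHandler):
    """Hand 3xx responses back to us instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """One HEAD request; return its Location header, or None if not a redirect.
    Live fetcher: the offline demo swaps in a dict lookup instead."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.headers.get("Location")
    except HTTPError as err:  # urllib raises on 3xx once we refuse to follow
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        raise


def expand_short_url(url, fetch_location=head_location, max_hops=10):
    """Walk a redirect chain hop by hop and return every URL on it.
    Nothing is rendered, so a credential-phishing page never gets to load."""
    chain = [url]
    for _ in range(max_hops):
        nxt = fetch_location(chain[-1])
        if not nxt:
            return chain
        nxt = urljoin(chain[-1], nxt)  # Location may be relative
        if nxt in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [nxt]))
        chain.append(nxt)
    raise RuntimeError("gave up after %d hops: %s" % (max_hops, " -> ".join(chain)))


def registered_domain(host):
    """Toy version: the last two labels. Fine for google.com, wrong for
    co.uk-style suffixes; production code should use the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_link(url, trusted=TRUSTED):
    """Report what the browser would really connect to and why it may be fake."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    warnings = []
    if parts.username is not None:
        # https://accounts.google.com@evil.example/ connects to evil.example
        warnings.append("text before '@' is ignored; real host is %r" % host)
    if parts.scheme != "https":
        warnings.append("scheme is %r, not https" % parts.scheme)
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        warnings.append("non-ASCII or punycode label (possible homoglyph domain)")
    domain = registered_domain(host)
    if domain not in trusted:
        # a trusted name buried inside another domain, or one typo away from it
        lookalike = [t for t in trusted if t in host] or \
            get_close_matches(domain, trusted, n=1, cutoff=0.8)
        if lookalike:
            warnings.append("%r is not %r but is dressed up to look like it"
                            % (domain, lookalike[0]))
        else:
            warnings.append("%r is not a domain this service uses" % domain)
    return {"host": host, "domain": domain, "warnings": warnings,
            "ok": domain in trusted and not warnings}


# Constructed stand-in for a shortener's redirect table; never fetched.
FAKE_REDIRECTS = {
    "https://bit.ly/example-reset":
        "https://accounts-google.com/ServiceLogin?continue=/mail",
}


def check_email_link(url, fetch_location=head_location):
    """The whole routine: expand the link, then inspect its final hop."""
    chain = expand_short_url(url, fetch_location=fetch_location)
    report = inspect_link(chain[-1])
    report["chain"] = chain
    return report


if __name__ == "__main__":
    samples = ["https://bit.ly/example-reset",
               "https://accounts.google.com/signin/v2",
               "https://accounts.google.com@evil.example/reset",
               "http://google.com.evil.example/login",
               "https://gооgle.com/"]  # two Cyrillic 'о' characters
    for link in samples:
        r = check_email_link(link, fetch_location=FAKE_REDIRECTS.get)
        print("OK  " if r["ok"] else "STOP", " -> ".join(r["chain"]))
        for w in r["warnings"]:
            print("      ", w)
```

Run it and the shortened link expands to accounts-google.com, which is flagged as a lookalike of google.com; only the real accounts.google.com link passes. To use it on a live link, call `check_email_link(url)` without the `fetch_location` override so the HEAD fetcher is used; a HEAD request still touches the attacker's server, so do it from a throwaway machine rather than your own desktop if the link was aimed at you personally.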