
The Clinton Hack - Why every employee should be able to recognize phishing e-mails


Author: David Kelm, 30. December 2016
Reading time: 4 minutes

The election campaign in the US in 2016 was truly a special one: besides the unexpected outcome, various parties for the first time used new technologies combined with social engineering methods to influence voters.

Barack Obama was already using social networks such as Facebook very successfully in 2008 and 2012, but the newly elected president Donald Trump set new standards when he used social networks to influence voters with micro-targeting. It is, of course, controversial and difficult to quantify how much influence this approach actually had on the election outcome. Nor is it possible to quantify how much the WikiLeaks publications concerning Hillary Clinton's campaign manager and the Democratic National Committee (D.N.C.) influenced the outcome of the election. However, it is obvious that the insight into these political backgrounds has helped to further strengthen the citizens' feeling of being cheated by the political elite.

These publications have an intriguing history: as early as September 2015, the FBI had some indications that at least one of the D.N.C.'s computers had been compromised by a team of hackers who have been linked to the Russian government. The D.N.C. help desk employee who took the FBI's call suspected a "prank call" and paid little attention to the incident. Thus, the attackers were able to stay on the D.N.C. network for seven months before concrete action was taken to protect it.

[Image: Hillary Clinton Phishing Gmail Password Change]

Meanwhile, another team of hackers began to attack journalists and politicians from different parties. For this purpose, they sent a spear-phishing e-mail with a warning from Google: "Someone just used your password to try to sign into your Google account." The message mentioned a login attempt from Ukraine: "Google stopped this sign-in attempt. You should change your password immediately." An employee of the Clinton campaign clicked directly on the link and gave the hackers access to his e-mails. However, an assistant to the chief campaign manager suspected the fraud and asked an IT employee for help. He answered: "This is a legitimate email. John needs to change his password immediately." – a momentous mistake. Admittedly, the link was difficult to expose at first glance as a phishing attempt:

http://myaccount.google.com-securitysettingpage.ml/security/signinoptions/password?e=[...]

Hidden behind this link is a redirect via the URL shortener service tiny.cc (tiny.cc/g8nmhy). In the present case, the victims were lured to a fake site. A cloned Google login page, which could only be distinguished from the real one by its URL (com-securitysettingpage.ml), captured the login data.
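Added example, not part of the original article: Python that reads a link's host name from the right, the way DNS does, and shows why the URL above does not belong to google.com. The trusted domain, the function names and the two-label shortcut for the registered domain are assumptions of this example.

```python
from urllib.parse import urlsplit

# Assumption of this example: the only domain accepted for Google account pages.
TRUSTED_DOMAIN = "google.com"
# The link quoted in the article (the elided query value is kept as printed there).
ARTICLE_URL = ("http://myaccount.google.com-securitysettingpage.ml"
               "/security/signinoptions/password?e=[...]")

def hostname(url: str) -> str:
    """Return the normalised host a browser would connect to."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def belongs_to(url: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True only if the host is the trusted domain or one of its subdomains.

    DNS names are hierarchical from right to left, so the comparison is
    anchored at the END of the host and on a label boundary (the dot).
    """
    host = hostname(url)
    return host == trusted or host.endswith("." + trusted)

def naive_registered_domain(url: str) -> str:
    """Last two labels of the host. Assumption: a single-label suffix such
    as .ml or .com; real tooling should consult the Public Suffix List."""
    return ".".join(hostname(url).split(".")[-2:])

def classify(url: str, trusted: str = TRUSTED_DOMAIN) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a link."""
    if belongs_to(url, trusted):
        return "trusted"
    # The trusted name appears somewhere in the host but does not end it:
    # this is the pattern of the link in the article.
    if trusted in hostname(url):
        return "lookalike"
    return "unrelated"

if __name__ == "__main__":
    samples = [ARTICLE_URL,
               "https://myaccount.google.com/security",  # constructed sample
               "https://example.org/"]                   # constructed sample
    for url in samples:
        print(f"{classify(url):10} {naive_registered_domain(url):30} {url}")
```

Because the article says the link was reached through a URL shortener, a check like this has to run on the address the browser finally lands on, not on the shortened link in the e-mail.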

In addition, the attackers also gained access to accounts of the D.N.C. and to the main D.N.C. network through a VPN. They were able to siphon off further information and data without hindrance – but the actual extent of the data flow is not conclusively known. Only the politically useful e-mails of the D.N.C. and the Clinton campaign, as well as some other data from the Clinton Foundation, have been published so far.

And the moral of the story: whoever has so much to lose should protect themselves thoroughly

At this time of the year, we listen to the morals of stories all over the world: if the Clinton campaign staff had been better informed, trained and protected from the threat of phishing attacks, chances are that the hackers would have been fended off. There would not have been any infections or leaks, the public would not have been able to get a deep insight into the Democratic party's political customs, and Clinton would have done better in the election.
But it didn't happen that way – the world was informed, Trump won. We can only learn our own lessons: for example, to carry out preventive anti-phishing measures such as social hacking security training and risk analyses.
