How John Podesta's Emails Were Hacked And How To Prevent It From Happening To You


As reported by Motherboard, the Russian hacking group Fancy Bear was responsible for the hacks on John Podesta, Colin Powell and the Democratic National Committee (DNC). SecureWorks, an enterprise security company, tracked Fancy Bear's command and control servers and uncovered who Fancy Bear targeted and how they were able to hack Podesta's Gmail account. They identified approximately 3,900 targeted individuals in government, the military, people who worked for companies in military and government supply chains, journalists, people who worked for the DNC and members of Hillary Clinton's campaign organization like Podesta. Fancy Bear used a spear-phishing campaign to attack their victims.

Phishing, spear phishing and the Podesta hack

Phishing scams try to trick people into giving up information like passwords, or bank account and credit card numbers, through emails that falsely claim to be from a "trusted" source. An early example of phishing is the notorious Nigerian bank scam, in which an email promised to gift you a lot of money if you would give up your banking information in order to help someone move money out of Nigeria. Phishing attacks are usually sent to large numbers of random email addresses.

Spear phishing is a more sophisticated form of phishing that targets individuals using personally relevant information. The spear-phishing email purports to come from a friend, a company you do business with such as your bank, or an internet company you use like Google. The email will usually "inform" you that there is some problem or issue that you need to clear up.

The email will also contain either a link or an attachment that allows the hacker access to your accounts. Opening the attachment will typically deploy an exploit kit on your computer. Clicking the link will take you to a webpage that spoofs the website of the company you think you're dealing with. The phony webpage will ask for the information the hacker is trying to steal.

Nowadays most people reject simple phishing attacks as spam. Spear phishing is much more successful. The security company FireEye reports that 70% of spear-phishing emails are opened by the recipient and 50% of the opened emails result in the target clicking the link or opening the attachment. John Podesta was one of the people who clicked the link.

The Podesta spear-phishing hack was instigated with an email that purported to come from Google, informing him that someone had used his password to try to access his Google account. It included a link to a spoofed Google webpage that asked him to change his password because his current password had been stolen. The link to the spoofed webpage included a long chain of seemingly random alphanumeric characters that looks like gobbledygook to most people. In fact the gobbledygook contained a Bitly encoded string containing Podesta's name and email address, which was inserted into the spoofed webpage to make it look authentic.
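The link described above combines a host that is not Google's with an encoded copy of the recipient's own details, which is exactly what a cautious recipient or a mail-security team can check before anyone visits the page. The following is an added example, not code from this article or from SecureWorks: it tests whether a link's real host sits under the domain the email claims to be from, and decodes any long base64-looking run in the link to see if it carries an email address. The article says only that the string was "encoded"; treating it as base64 is this example's assumption, and the sample URL and address are constructed.

```python
"""Triage a link from a suspicious email before anyone clicks it.

Added example, not code from the article. Two checks drawn from the article's
account of the Podesta email: does the link's real host belong to the brand it
claims, and does the link carry personal data (here an email address) meant to
make the spoofed page look authentic? Assumes base64 encoding; sample values
are constructed.
"""
import base64
import re
from urllib.parse import parse_qs, unquote, urlparse

# Long runs of base64-alphabet characters (standard and URL-safe variants).
BASE64_RUN = re.compile(r"[A-Za-z0-9+/=_-]{16,}")


def link_host(url: str) -> str:
    """Hostname the browser would actually connect to, lowercased."""
    return (urlparse(url).hostname or "").lower()


def host_belongs_to(url: str, domain: str) -> bool:
    """True only if the host is the domain itself or a subdomain of it.

    'myaccount.google.com' belongs to 'google.com'; 'google.com.evil.test'
    does not, even though it starts with the brand's domain.
    """
    host = link_host(url)
    return host == domain or host.endswith("." + domain)


def decode_embedded_strings(url: str) -> list[str]:
    """Decode base64-looking runs in the path or query that yield printable text."""
    parsed = urlparse(url)
    pieces = [unquote(parsed.path)]
    for values in parse_qs(parsed.query).values():
        pieces.extend(values)
    decoded = []
    for piece in pieces:
        for token in BASE64_RUN.findall(piece):
            padded = token + "=" * (-len(token) % 4)  # restore stripped padding
            for decoder in (base64.b64decode, base64.urlsafe_b64decode):
                try:
                    raw = decoder(padded)
                except ValueError:  # binascii.Error is a ValueError
                    continue
                if raw and all(32 <= b < 127 for b in raw):
                    decoded.append(raw.decode("ascii"))
                    break
    return decoded


def assess_link(url: str, claimed_domain: str) -> list[str]:
    """Return human-readable reasons not to trust the link (empty = none found)."""
    reasons = []
    brand = claimed_domain.split(".")[0]
    if not host_belongs_to(url, claimed_domain):
        reasons.append(f"host {link_host(url)!r} is not under {claimed_domain!r}")
        if brand in url.lower():
            reasons.append(f"{brand!r} appears in the link but not as its host")
    for text in decode_embedded_strings(url):
        if "@" in text:
            reasons.append(f"link carries an encoded email address: {text}")
    return reasons


# Constructed sample: the brand name sits in the path, the host is a look-alike,
# and the query carries a base64-encoded address to pre-fill the fake page.
SAMPLE_EMAIL = "jane.doe@example.com"
SAMPLE_URL = ("http://accounts-security-check.example.test/google/ServiceLogin?e="
              + base64.b64encode(SAMPLE_EMAIL.encode()).decode())

if __name__ == "__main__":
    for reason in assess_link(SAMPLE_URL, "google.com"):
        print("-", reason)
    print("legitimate link:", assess_link("https://myaccount.google.com/security", "google.com"))
```

The host check deliberately compares the host the browser will connect to, not the text shown in the email, and it rejects anything that merely starts with the brand's domain; a decoded address in the link is a strong sign that the page was prepared for one specific recipient.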

Podesta clicked the link and changed his password. Or so he thought. Instead, he gave his Google password to Fancy Bear and his emails began appearing on WikiLeaks in early October.

How to protect yourself from spear phishing

Spear phishing is successful because it targets people using information that is personally meaningful. For example, I priced Sony's new FDR-X3000 action camera on several websites recently. A few days later I received an email telling me that the bonus items that came with the digital camera I had purchased on Amazon could be claimed at the website linked in the email. This particular phishing attack was well targeted because Amazon was one of the websites I checked for prices. It was fairly lame because I didn't buy a camera from Amazon or anyone else.

I didn't click the link to the spoofed website, but I did what everyone should do when they get a suspicious email. Don't go to the URL contained in the suspicious link; go directly to the website that the email is spoofing. In my case I went to Amazon and checked to see if a camera had been ordered on my account. It hadn't. I also checked my bank and credit card accounts to see if I had been charged for the purchase of a camera. I hadn't. Another spear-phishing attack avoided.

Spear-phishing attacks like the one Podesta received are more dangerous than the lame one I got because there is nothing in the email he received that would alert the unwary that the email is a fraud. You would be foolish to ignore an email that you think is from Google telling you that someone has your Google password. The way to handle this is to go directly to Google and change your password there. Do not change your password by clicking the link in the email you received.

Be suspicious. The legitimate businesses you deal with won't email you asking for passwords, account numbers or credit card information. If you get an email asking for any of these things from a business or a friend, contact them directly and ask if they sent you the email.

Passwords are a favorite target of spear phishers and despite your best efforts, you may make a mistake and give them one of yours. Make it hard for them to do anything with it. Use different passwords for all of your accounts and make sure they are sufficiently different that the hacker can't use one of your passwords to figure out others that are similar. Random alphanumeric strings are best but they're also difficult to keep track of and remember. The best solution is a password manager like Dashlane or LastPass.

Finally, use high-quality internet security software and make sure you keep it updated.

Spear phishing isn't going away anytime soon because it works. Fancy Bear may not be targeting you with spear-phishing attacks but somebody is. Be aware, take care, and don't be John Podesta.
