Hillary Clinton’s 2016 campaign for President put email security at the forefront of the news for much of the year. In addition to the big story—the former Secretary of State’s insecure and unapproved email servers—the campaign’s chairman, John Podesta, was the victim of email hacking. As news outlets reported on the grievous cybercrime involving Podesta’s email account, the actual “how” usually was left to the imagination of an already bitter and divided public. With blame placed squarely on the shoulders of a powerful entity, we can only assume this hack took the combined intelligence of many to pull off, right?
Let’s dive deeper and see how the hacker obtained Podesta’s emails.
Are you ready?
It was a single email with an infected link.
That’s all, nothing more than that. Not quite the doomsday software one might think with the rhetoric used in the media. As you might imagine, if you are a user of email—and I’m guessing you are—you’re susceptible to this exact same attack.
How can you succeed where Podesta failed?
The email arrived from email@example.com. That email address looks legitimate at a glance. The scam email’s message simply informed him that his email password had been compromised and that he needed to change it immediately, conveniently providing him a link.
To Podesta’s credit, he rightfully identified the email as possibly fishy and forwarded it to his I.T. team. This is a crucial first step. Why did he become suspicious?
3 clues to identifying potential scam emails
- Does the sending address look fishy? In this case, no, it does not. The googlemail.com domain is one Google uses legitimately. A malicious sender can always spoof the sending address, however, making the “from” address appear valid. You can’t rely just on the email address.
- What is the content of the email? If an email service provider suspects your account may have been compromised, you probably won’t receive a link to click to change your password. Instead, you’ll find instructions on actions to take after logging in to your account, allowing you to update your password yourself. Whenever a company asks that you make updates or verifications to your account—whether it’s an email account or a social media login or an online store—it is always good practice to open a new browser window and navigate to the page yourself.
- Can you tell where the email’s links are pointed? If the email directly asks you to click a link, where is that link taking you? In Podesta’s case, the link looked similar to https://bit.ly/2iXYEF7. While the link here is harmless, you can immediately see that before clicking the link, you have no idea where it will take you. “Bit.ly” links are what are called URL shorteners. Some common shorteners you’ve probably seen are bit.ly, goo.gl (Google’s own shortener), ow.ly, and tinyurl.com. If you cannot tell where a link will take you, never click it! Even then, the sender can display one address and send you to another. To combat this, most software lets you hover your mouse over the link. Either the real address will be shown at the bottom of your browser or, if in Outlook, a tooltip will indicate where you will be taken. Try this on the links below to see how this can differ:
John Podesta thought the email looked fishy
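The hover check from the third clue can be automated for an HTML message body. The following Python sketch is an added example, not part of the original article: it flags links that pass through one of the shorteners named above or whose visible text shows a different host than the real target. The sample body and its hosts are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

SHORTENERS = {"bit.ly", "goo.gl", "ow.ly", "tinyurl.com"}  # named in the article
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/:?#]\S*)?", re.I)

class LinkCollector(HTMLParser):  # gathers (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(value):
    """Lowercased host of a URL-like string ('' if there is none)."""
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse "accounts.google.com/x"
    return (urlsplit(value).hostname or "").lower()

def audit_links(html_body):
    """Return (href, visible text, reasons) for each link worth a second look."""
    collector, findings = LinkCollector(), []
    collector.feed(html_body)
    for href, text in collector.links:
        target, reasons = host_of(href), []
        if target in SHORTENERS:
            reasons.append("shortener hides the destination")
        # Compare hosts only when the visible text is itself an address.
        if URL_LIKE.fullmatch(text) and host_of(text) != target:
            reasons.append(f"text shows {host_of(text)}, link goes to {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings

# Constructed sample body (not the real message); hosts are placeholders.
SAMPLE = (
    '<a href="https://bit.ly/EXAMPLE">CHANGE PASSWORD</a>'
    '<a href="http://login.example.net/reset">https://accounts.google.com/</a>'
    '<a href="https://accounts.google.com/">accounts.google.com</a>'
)
```

Calling `audit_links(SAMPLE)` reports the first two links and leaves the third alone, because its visible text and its target share the same host.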
Ultimately, the sender attempted to fool Podesta into thinking his email was compromised to create urgency. That urgency, in turn, would force a quick click of the provided “convenient” link. The link would then go to a page that looks like Google’s account management page, to suppress any suspicions. But if Podesta had keyed in his old and new passwords to update his account, he instead would have been sharing the passwords with the malicious third party. That spoofed webpage would then change Podesta’s password directly within the valid email account, just as Podesta believed he was doing, but now both Podesta and the third party would have the new password.
I mentioned that Podesta reported this email to his I.T. department. So, what happened after this? The I.T. staff also concluded the email did not look legitimate. They recommended that he change his password anyway, to be sure, and sent Podesta a proper link to use instead of the masked bit.ly link. (This is not a bad recommendation; whenever there’s any chance your account information has been compromised, it’s a good time to create a new, secure password.)
Wait—if Podesta caught the malicious email, how did he get hacked?
Up to this point in the story, everything seems to have gone right. Podesta was vigilant. His I.T. team confirmed his skepticism of the malicious email. Podesta followed the good practice of updating his password following the scare (even though it appears his account had not been accessed).
Ultimately, a failure of communication occurred. The new link (sent by Podesta’s I.T. department) either did not make it to him or he was not clearly told which link to use. Podesta followed instructions to reset his password but unfortunately used the original, malicious bit.ly link to do so. An unauthorized party gained access to his email—and that’s where the news outlets picked up on the story, with Podesta’s emails compromised and distributed through Wikileaks.
What could have prevented the Podesta email hacking?
Podesta and his I.T. staff missed one crucial step in the process of dealing with potentially harmful emails: They should have deleted the email as soon as they suspected it was malicious.
A single email and human error were all it took to kick off a firestorm of media coverage, government sanctions, and enough finger pointing to last us a lifetime. It wasn’t a grand intelligence with custom software that masterminded this hack; it was one of the easiest and most effective methods known, using what everyone already has on their computers.