HR Jetpack

Political Phishing


Lesson Content

Some of the biggest technology stories of 2016 were the cyberattacks on the Clinton Campaign. In one of those cases, Hillary Clinton’s Campaign Chief, John Podesta, fell victim to a phishing attack which not only compromised the campaign and the DNC, but also his entire online life. This story is essentially a lesson in “what not to do” on multiple levels of online security.

This all started because John Podesta received a phishing email. It appeared to be from Google, telling him that his account had been compromised and that he should change his password immediately. He was rightly suspicious and had doubts about the authenticity of the email, so he sent it to the Clinton Campaign Helpdesk’s IT Manager. The phishing email was convincing enough that his IT person told him the email was legitimate. Despite that failure, he followed that statement with the correct advice: he told Podesta to go through Google’s website directly to change his password, and reminded Podesta to turn on two-factor authentication if he had not yet done so. Instead of properly following the advice, Podesta clicked on the URL he had been sent in the original email, which took him to the dummy Google page, and once he entered his login details, the attackers had his credentials. Also, as you may have guessed, Podesta never enabled two-factor authentication. Had he taken just that one additional step, his username and password would not have been enough for the attackers to gain entry to his email, and this entire story may never have happened.
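The email in the story had two tells that a person (or a mail filter) can check mechanically: the sender claimed to be Google, but the link did not lead to a Google-controlled host, and the text shown for the link need not match where it actually points. The script below, added here as an illustration and not part of the lesson or its author's material, parses an email, extracts every link, and reports links whose host is not under the claimed sender's domain or whose displayed URL disagrees with the real target. The sample message is constructed for this example (it is not the real Podesta email), the `.example` domain is a reserved placeholder, and the "last two labels" domain rule is a simplification a real tool would replace with the public suffix list.

```python
"""Report links in an email whose target host does not belong to the domain
the message claims to come from. Added illustration, not the lesson's own
code; the sample message below is constructed, not a real phishing email."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: claims to be from Google, but the link points elsewhere
# and the visible link text disagrees with the real href.
SAMPLE_EMAIL = """\
From: Google <no-reply@accounts.google.com>
To: user@example.org
Subject: Someone has your password
Content-Type: text/html; charset=utf-8

<html><body>
<p>Someone just used your password to try to sign in to your account.</p>
<p>You should change your password immediately:
<a href="http://myaccount.google.com-securitysettingpage.example/reset">
https://myaccount.google.com/security</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Approximate the registrable domain as the last two labels.
    Good enough for google.com; a real tool would use the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyse(raw_message):
    """Return (claimed sender domain, list of human-readable findings)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = email.utils.parseaddr(str(msg["From"]))[1]
    claimed = registrable_domain(sender.split("@")[-1])

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = _LinkCollector()
    collector.feed(body.get_content() if body else "")

    findings = []
    for href, shown in collector.links:
        host = urlparse(href).hostname or ""
        target = registrable_domain(host)
        # Tell 1: the link leaves the domain the sender claims to be.
        if target != claimed:
            findings.append(f"link host {host!r} is not under {claimed!r}")
        # Tell 2: the visible text is a URL for a different host than the href.
        if shown.startswith("http"):
            shown_host = urlparse(shown).hostname or ""
            if registrable_domain(shown_host) != target:
                findings.append(f"displays {shown_host!r} but points to {host!r}")
    return claimed, findings


if __name__ == "__main__":
    claimed, findings = analyse(SAMPLE_EMAIL)
    print(f"claimed sender domain: {claimed}")
    for f in findings:
        print("  -", f)
```

The check deliberately ignores the From header's display name ("Google") and the reassuring wording of the message, since both are entirely under the sender's control; only the link targets are compared against the sender's address domain. A message whose links all stay under the claimed domain produces no findings, which is what a genuine account notice would look like.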

Unfortunately, this all gets worse, because the attackers leaked tens of thousands of his work and personal emails going back many years, which were now accessible to the public via Wikileaks. As the public started to read through these emails, they came across an exchange between Podesta and a colleague from May of 2015 in which Podesta asked that person to send him the password to the iCloud account for his Apple ID. Over email, the person responded with his password, which was “Runner4567”. From May of 2015 to October 2016, when the emails surfaced online, he apparently never changed that password. Shortly after these emails became public on Wikileaks, screenshots of the email, including Podesta’s Apple ID credentials, appeared on 4chan and Reddit. So people started to try the username and password combination they saw online, and it still worked. Pranksters were able to access his iCloud account and remotely wipe his iPhone and iPad. They also allegedly used the exact same password on his Twitter account and were able to access that as well, defacing it with pro-Trump messages to publicly humiliate him and force the DNC to publicly acknowledge that his accounts had been breached.

So, just to really drill down into all of the places where this story went wrong:

On a personal level, he had a very weak password which he used on multiple accounts. He couldn’t remember this weak password, so he had someone email it to him. For more than a year, that password did not change, and even when he saw his emails had been leaked and there was a media firestorm surrounding the story, he still didn’t go in and update his passwords. Beyond the password issue, he ignored the directive from IT to enable two factor authentication.

On an organizational level, the IT support staff certainly made mistakes as well. They didn’t have sufficient protections in place, and they incorrectly identified the phishing email as safe. Having said that, their advice on what to do about the incident was correct, and it was ultimately not followed by the individual. This is a reminder to all of us that there is only so much an organization can do to protect its employees if those employees are not adequately trained and on board with the company’s expectations.

In many ways, this story is a worst-case scenario for what can happen with lax security measures and poor judgment in today’s world. If he had been following even some of the best practices outlined in this course, John Podesta probably would have avoided a personal and professional disaster.


Instructor:

Michael Wilson

Michael Wilson works with small businesses to build and protect their brands online. He is an IT Generalist whose primary services include: Web Design & Development, Cybersecurity Consulting & Training,...
