Phishing in the White House
A group of Gizmodo journalists came up with a seemingly crazy and undoubtedly dangerous idea, albeit one that I have the impression could become relatively common in other contexts: launching a phishing attack on fifteen people from Donald Trump’s personal team in the White House.
Phishing is one of the most common mechanisms used to steal information on the internet: an email is sent from a spoofed account that the recipient is likely to trust, asking them to click on a link that opens a fake page where the username and password for a particular service can be logged. At the beginning of May, a very sophisticated and convincing phishing scheme, purporting to be an invitation to a Google Document, led several thousand users to give up their Google usernames and passwords, providing access to their contacts and thus extending the attack further. Statistics from 2016 show that 85% of companies have been subject to phishing attacks and that about one-third of phishing messages are opened by the recipient.
The Gizmodo attack used a well-known method, discussed widely in the wake of the Google episode, as a security test to check how tech-savvy the Trump team is: it has been labeled by many as profoundly ignorant in this regard. Mails were sent to 15 members of the presidential team from spoofed e-mail addresses bearing the names of trusted contacts, such as another member of the team, an acquaintance or a partner, without even bothering to hide the real sending address. This was an attack with a specific objective, as opposed to the usual random choice of addresses.
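The weakness the Gizmodo mails exploited is that the display name in the From header can say anything, while the real address sits next to it in plain view. The following is an added example, not code from the post or from Gizmodo, of the simplest check a mail gateway or triage script can run for that pattern: flag messages whose display name matches a known internal contact but whose address is not that contact's, and messages whose Reply-To points somewhere other than the sender. The contact directory, the internal domain and the two sample messages are all constructed for illustration.

```python
import email
from email.utils import parseaddr

# Constructed directory of trusted contacts (display name -> real address).
# In practice this would be fed from the organisation's address book.
TRUSTED_CONTACTS = {
    "Alice Example": "alice@example.org",
    "Bob Example": "bob@example.org",
}
INTERNAL_DOMAINS = {"example.org"}  # assumed internal domain for the example


def analyse_message(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    msg = email.message_from_string(raw)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    name, addr = name.strip(), addr.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. A trusted person's name on an address that is not theirs (display-name spoofing).
    expected = TRUSTED_CONTACTS.get(name)
    if expected and expected.lower() != addr:
        findings.append(
            f"display name '{name}' belongs to {expected} but message comes from {addr}"
        )

    # 2. A display name that looks internal on an external domain, even if the
    #    name is not in the directory (covers new or misspelled names).
    if name and domain and domain not in INTERNAL_DOMAINS and name.split()[-1] == "Example":
        findings.append(f"external domain {domain} using an internal-looking name '{name}'")

    # 3. Replies being redirected to a different address than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.strip().lower()
    if reply_addr and reply_addr != addr:
        findings.append(f"Reply-To {reply_addr} differs from From {addr}")

    return findings


def is_suspicious(raw: str) -> bool:
    return bool(analyse_message(raw))


# Constructed sample messages (the .test TLD is reserved and never routable).
SPOOFED_MESSAGE = """\
From: Alice Example <alice.example@mail-example.test>
To: bob@example.org
Reply-To: alice.example@mail-example.test
Subject: Please review this document
Content-Type: text/plain

Hi Bob, can you open the link below and sign in to view it?
"""

LEGITIMATE_MESSAGE = """\
From: Alice Example <alice@example.org>
To: bob@example.org
Subject: Lunch
Content-Type: text/plain

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, "->", analyse_message(raw) or "no findings")
```

The check is deliberately narrow: it does not look at SPF, DKIM or DMARC results, which are the authoritative signals for sender authenticity, but it catches exactly the case the post describes, where the attacker does not bother to hide the real address at all.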
Of the 15 recipients of the Gizmodo mail, seven completely ignored the message, but another eight accessed the requested page within 10 minutes of receiving it, which suggests they did not consult a security expert or member of the technology team before doing so. Two people also answered the e-mail thinking that the fake identity was real, at which point Gizmodo decided to stop (instead of continuing with a second e-mail).
Gizmodo says none of the recipients entered their username and password on the fake page, and it is unknown how many of them had 2-step verification enabled, which increases security by requiring a code sent to a device or additional authentication by fingerprint (I’ve been using this for a long time, and it is very recommendable and not at all cumbersome to set up and use). The idea was to test and document how careful Trump’s team is, but presumably go no further.
Some people have argued that Gizmodo’s actions could lead to a complaint of violation of the Computer Fraud and Abuse Act (CFAA), although the publication states that to avoid this accusation, the experiment was done in a way that would not have allowed it to know the password that was used, but simply to verify that it had been entered. For the moment, the White House has not filed any complaint.
What would happen to your company if such an e-mail were sent from an account simulating that of a colleague or family member? How many of us would fall for it and supply our username and password? Could this type of test become a way of assessing organizations’ safety culture? Should we consider using these types of routine tests in our companies as a means of detecting vulnerabilities or educating the workforce in cybersecurity?
There is an important question here: computer security is still regarded by many people as a topic for the experts, as though this excused them if they breach it. It still seems relatively acceptable for work colleagues to give their passwords to each other or to have them stuck on a post-it note on the computer screen.
When will issues such as responding to a phishing e-mail cease to be seen as something excusable and instead be regarded as reckless and irresponsible, akin to leaving keys in a lock, and subject to disciplinary action? In the United States, a security issue such as using a personal email account to address state issues was seized on by Donald Trump to attack his opponent, Hillary Clinton, throughout the campaign. One can only wonder how many other top political teams around the world would take the bait…
(In Spanish, here)