How hackers broke into John Podesta, DNC Gmail accounts

Who hacked the Democratic National Committee (DNC)? The finger of blame has been pointed at, among others, Russia, with allegations being made with a varying degree of heat and conviction but – so far – without much evidence. However, evidence now is emerging – in the form of URLs shortened by the Bit.ly service.

Following the DNC attack, SecureWorks, a security firm that’s been tracking the hacking group Fancy Bear for the past year, published a report about the Russian group’s use of Bitly links in spearphishing campaigns. Fancy Bear’s tactic was to redirect victims to a URL made to look like a legitimate Gmail login page but which was actually a grab for victims’ account credentials.

As Motherboard tells it, SecureWorks had been tracking known Fancy Bear command and control domains, one of which led to a Bit.ly link, which then led to a Bit.ly account controlled by Fancy Bear.

That, in turn, led to thousands of Bit.ly URLs that ultimately linked to thousands of attacks. Specifically, between October last year and May this year, 8,909 Bit.ly links targeted 3,907 individual Gmail accounts as well as accounts at organizations that used Gmail as a service.

According to SecureWorks, Fancy Bear was using 213 short links targeting 108 email addresses just on the hillaryclinton.com domain alone.

Tom Finney of SecureWorks told Motherboard that the Bit.ly spearphishing links allowed “third parties to see their entire campaign including all their targets – something you’d want to keep secret”.

It’s not just the DNC that Fancy Bear has targeted. As well as the John Podesta attack and earlier ones against the likes of Colin Powell, Fancy Bear has also gone after the German parliament, the Italian military and the Saudi foreign ministry.

Using a short URL to target individuals and their logins is a surprisingly effective tactic – and neither Bit.ly nor any other shortening service is to blame. The service itself remains secure, but a short URL hides its real destination, and whatever malicious page waits there, behind an innocent-looking string, so the victim has no idea where the link leads until it has been clicked.

Here’s how it can go: a target gets a “security alert” from what looks like Google. “Someone has your password,” it says at the top, in a do-not-ignore-this red banner warning that someone has just tried to sign into your Google account.

The message provides realistic-looking details: the date the password was used, the IP address of the supposed culprit and a source location from which your account was accessed.

“Google stopped this sign-in attempt,” it reassures you, “but you should change your password.” Of course, there’s a button to do just that. “Change password,” the text reads, over a reassuring safety-blue background.

Would you click? If so, take heart, because you’re not alone: this is the tactic that Fancy Bear used to steal the credentials of DNC workers.

You might be familiar with some of the usual anti-phishing tips, such as hovering over a link to see where it really intends to take you. Screenshots of the Bit.ly link used against Podesta show that even the destination URL hiding behind the short link can be made to look, to an untrained eye, like it’s legitimate. And it seems it’s this tactic that led to the account of John Podesta, chairman of Hillary Clinton’s campaign, being hacked.
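To make the “hover and look” advice concrete, here is an added example (not code from the article, from Sophos or from SecureWorks) that takes a fully decoded link, the kind a mail client’s tooltip or a shortener’s preview page shows you, and explains why the brand you can see in it is not the site you would actually be connecting to. The brand list, the sample URLs and the “last two labels” domain rule are all constructed assumptions for the demonstration; a production check would expand the short link first and consult a public suffix list.

```python
"""Inspect a decoded link: does it really go where it appears to?

Added example, not part of the article. The brand words, the sample
URLs (all under the reserved .example TLD) and the registrable-domain
heuristic are constructed assumptions for this demo.
"""
from urllib.parse import urlparse, unquote

# Constructed: words a phisher wants the victim to notice, and the
# registrable domains that genuinely belong to that brand.
BRAND_WORDS = ("google", "gmail")
LEGIT_DOMAINS = {"google.com", "gmail.com"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two DNS labels.

    Assumption: no public-suffix list is consulted, so 'bank.co.uk'
    would reduce to 'co.uk'. That is acceptable here because the only
    question is whether a visible brand string is the real host.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url: str) -> dict:
    """Return the real host, its registrable domain, findings and a verdict."""
    parts = urlparse(url.strip())
    host = (parts.hostname or "").lower()
    findings = []

    # 1. A genuine password-change page is served over https.
    if parts.scheme != "https":
        findings.append(f"scheme is '{parts.scheme or 'none'}', not https")

    # 2. data:/javascript: links have no server at all; the browser renders
    #    attacker-supplied content directly, so there is nothing to trust.
    if not host:
        findings.append("URL has no hostname (e.g. data: or javascript: scheme)")
        return {"host": host, "registrable_domain": "",
                "findings": findings, "verdict": "suspicious"}

    # 3. 'https://accounts.google.com@login.example/' puts the brand in the
    #    userinfo part; the browser ignores it and connects to login.example.
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' precedes the real host")

    # 4. Punycode labels can encode look-alike Unicode characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("hostname contains a punycode (xn--) label")

    # 5. The core check: a brand word is visible somewhere in the URL, but
    #    the domain the browser will actually contact is not the brand's.
    reg = registrable_domain(host)
    decoded = unquote(url).lower()
    if reg not in LEGIT_DOMAINS:
        for brand in BRAND_WORDS:
            if brand in host:
                findings.append(
                    f"'{brand}' appears in hostname, but registrable domain is '{reg}'")
            elif brand in decoded:
                findings.append(
                    f"'{brand}' appears only in path/query/userinfo; host is '{reg}'")

    return {"host": host, "registrable_domain": reg,
            "findings": findings, "verdict": "suspicious" if findings else "ok"}


if __name__ == "__main__":
    # Constructed sample links: one genuine, the rest shaped like the
    # deceptions described above.
    for link in (
        "https://accounts.google.com/signin/v2/identifier",
        "http://myaccount.google.com-security-alert.example/security/password",
        "https://accounts.google.com@login.example/verify",
        "https://login.example/?continue=https://accounts.google.com/",
        "data:text/html;base64,PGh0bWw+",
    ):
        report = inspect_url(link)
        print(f"{report['verdict']:10} {link}")
        for finding in report["findings"]:
            print(f"           - {finding}")
```

The second sample is the pattern to watch for: the hostname starts with “myaccount.google.com”, but the label after the last dot is what decides where the browser goes, and here that is a domain the attacker registered. Everything the eye latches onto sits in a subdomain or in the path, both of which the owner of the real domain controls completely.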

How do you protect yourself from spearphishing attempts that use such carefully crafted, well-disguised URLs – URLs that not only hide behind shortened links but which are themselves dressed up to look like legitimate login pages?

Peter Mackenzie of Sophos recently shared an extremely detailed list of tips after his solicitor’s email account was breached via this kind of attack, and it’s worth having another look at those.

Most specific to the case of fending off spearphishing attacks coming from expert hackers like the Fancy Bear group that’s targeting political figures and organizations, I think, are these tips: