DNC chief Podesta led to phishing link ‘thanks to a typo’

Who hacked Clinton campaign chairman John Podesta?

…and the Democratic National Committee (DNC)?

…and the US election?

Back in July, security firm SecureWorks pointed the finger at Russia: over the course of the past year, it’s been tracking the Russian hacking group Fancy Bear and its spearphishing attacks, launched with shortened Bit.ly URLs to trick victims into giving over their Gmail credentials to fake login pages.

Over the past few months, the Feds have come to agree. In October, officials formally identified the Russian government as the source of intrusions into DNC systems. Those intrusions set off a political firestorm after a trove containing 10 years’ worth of Hillary Clinton’s emails were leaked and published on WikiLeaks.

How could John Podesta and others have fallen for the phish?

Earlier this week, in an in-depth report on Russian cyberattacks, the New York Times revealed how Podesta’s credentials were given up because of the simplest of errors: a mere two missing letters: he was caught out by a typo.

Not his typo, mind you. Rather, an aide forwarded a phishing email sent to Podesta, sending it to the campaign’s IT staff to ask if the notice was for real. The email, purportedly from Google, said that hackers had tried to infiltrate Podesta’s Gmail account.

Clinton campaign aide Charles Delavan replied that yes, the message was “a legitimate e-mail” and that Podesta should “change his password immediately”.

There were two missing letters – “i” and “l” – that should have preceded the word “legitimate”.

As Delavan told the NYT, he knew the email was a phishing attack, given that the Clinton campaign was getting a steady stream of them. He meant to reply that the email was “illegitimate”.

What he should have told the aide was that the password should be changed immediately, directly through Google’s site and not by clicking on the link in the phishing email.

But instead, he inadvertently told the aide to click on the phishing link, and that’s how the attackers got Podesta’s Gmail login, enabling them to get into Podesta’s account and to about 60,000 emails stored therein.

The simple error has tormented him ever since, Delavan told the newspaper.

In October, SecureWorks identified a Bit.ly account and the WikiLeaks-released email that appeared to have been used to attack Podesta’s account.

Using a short URL to target individuals and their logins is a surprisingly effective tactic, and neither Bit.ly nor any other shortening service is to blame. The service itself remains secure, but the short URLs can mask potentially nefarious HTML code behind their innocent-looking strings.

Here’s how it can go: a target gets a “security alert” from what looks like Google. “Someone has your password,” it says at the top, in a do-not-ignore-this red banner warning that someone has just tried to sign into your Google account.

The message provides realistic-looking details: the date the password was used, the IP address of the supposed culprit and a source location from which your account was accessed.

“Google stopped this sign-in attempt,” it informs you, “but you should change your password.” Of course, there’s a button to do just that. “Change password,” the text reads, over a reassuring safety-blue background.

How can you protect yourself from falling for such carefully crafted, well-disguised attacks? As it is, screenshots of the Bit.ly link used against Podesta show that even the links hiding behind the Bitly links can be made to look, to an untrained eye, like they’re legitimate.

You can pick proper passwords, for one thing. Even though strong passwords don’t help if you’re phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.

Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.

Consider using Sophos Home. The free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.

OK, all well and good.

But how do you stop yourself from making typos? Particularly typos that can lead to the crippling of security at a major political party? Unfortunately, there’s no such thing as anti-typo-ware, at least not that we’ve heard of. Spellcheck will probably pick up actual spelling errors, but it can’t save you from typing the wrong word.

The only tool we’ve got to avoid an error like this – not to rub it in, Mr Delavan – is plain old proofreading.