Hackers infiltrated Gmail accounts of the DNC and the Clinton Campaign Pointing to a Pervasive Weakness of Cloud-based Email
NEW YORK, August 1, 2016
According to various national news sources, the Democratic National Committee (DNC) and Hillary Clinton campaign’s Gmail accounts were recently hacked. The resulting breaches enabled unauthorized access to sensitive information such as campaign donor names, internal memos and more.
Information publicly available from bitly.com shows that 108 email addresses in the hillaryclinton.com domain were sent a spear-phishing link, and that 20 of those users actually clicked it. The link redirected them to a fake Gmail login page; as they entered their credentials, the attackers harvested them and used them to sign in to the real accounts. Among the 20 users who followed the link were a National Political Director, a Finance Director and others (Source: https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign).
One might assume that attacking such a high-profile organization would require a sophisticated method or a zero-day vulnerability. In fact, what is striking about the attack on the Clinton campaign is its simplicity and relative ease, and that simplicity highlights a pervasive problem with cloud-based email security.
To execute an attack like this, an attacker only needs to:
- Find out that the Clinton campaign uses Google-hosted email (publicly available)
- Guess the email addresses of leading campaign members from their names (publicly available)
- Send them an email whose From name is someone they know, containing a link to "a document" that actually leads to a fake Google login page
- Wait for the recipients to enter their real Google credentials into the fake portal
- Collect the credentials from those login attempts and sign in to the real accounts
We demonstrate the attack in this video and describe preventative measures to take when using cloud-based email.
Is it Google's fault? Could it have happened with any mail server? The reality is that attacking a cloud-based mail service such as Gmail or Office 365 is easier today, largely because when mail servers sat in the data center and end users sat behind the corporate firewall, a stack of security layers stood between them and attacks like this one.
Here are some of the layers that existed on premises and that were either missing here or failed to detect the spear-phishing email:
- Anti-phishing – Google has some native phishing detection, but it did not catch this message and is not best of breed
- Web filtering – Nothing blocked access to the suspicious link or verified that the login URL really belonged to Google
- Stronger login to email accounts – Google offers 2-Step Verification but does not require it, and without it a harvested password alone was enough to sign in. Note that a one-time code can itself be phished by a page that proxies the real login; only a hardware security key (U2F) binds the login to the genuine domain
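The following is an added example, not code from Avanan or from the original post, showing the kind of check the first two layers above would apply to an inbound message: it parses an email, compares the display name against a small contact directory (so a familiar From name on an unfamiliar address is flagged), and inspects every link for URL shorteners, lookalike "google" hosts that are not under google.com, and login-looking pages off Google's domain. The contact directory, the placeholder domains and the sample message are all constructed for this illustration and are not data from the incident.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for illustration: the contact entry, the placeholder domains and
# the sample message below are assumptions, not material from the real attack.
INTERNAL_DOMAIN = "hillaryclinton.com"
KNOWN_CONTACTS = {"pat example": "pat.example@hillaryclinton.com"}  # assumed directory
SHORTENER_HOSTS = {"bit.ly", "bitly.com", "tinyurl.com", "goo.gl", "t.co"}
LOGIN_HINTS = ("login", "signin", "servicelogin", "password", "verify")

SAMPLE_MESSAGE = b"""From: "Pat Example" <pat.example.share@mail-share-docs.example>
To: staffer@hillaryclinton.com
Subject: Document shared with you
Content-Type: text/plain; charset="utf-8"

Hi, I shared the donor memo with you. Open it here:
https://bit.ly/example-short-link
If that does not work, sign in directly:
https://accounts.google.com.login-verify.example/ServiceLogin
Thanks,
Pat
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it cannot be parsed."""
    return (urlparse(url).hostname or "").lower()


def is_google_host(host):
    """True only for google.com itself or a real subdomain of it."""
    return host == "google.com" or host.endswith(".google.com")


def is_lookalike_google(host):
    """'google' appears in the name, but the registrable domain is not google.com."""
    return "google" in host and not is_google_host(host)


def check_sender(msg):
    """Flag a familiar display name on an unfamiliar address, or a spoofed Google brand."""
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        findings.append(("display-name-impersonation", addr))
    if "google" in name.lower() and not is_google_host(domain):
        findings.append(("brand-name-spoof", addr))
    return findings


def check_links(body):
    """Flag shortened links, lookalike Google hosts and login pages off google.com."""
    findings = []
    for url in URL_RE.findall(body):
        host = host_of(url)
        if host in SHORTENER_HOSTS:
            findings.append(("shortened-link", url))
        if is_lookalike_google(host):
            findings.append(("lookalike-google-host", url))
        if any(h in url.lower() for h in LOGIN_HINTS) and not is_google_host(host):
            findings.append(("login-page-off-google", url))
    return findings


def analyze(raw_bytes):
    """Parse a raw RFC 5322 message and return a verdict plus the list of findings."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    findings = check_sender(msg) + check_links(body)
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


if __name__ == "__main__":
    result = analyze(SAMPLE_MESSAGE)
    print(result["verdict"])
    for kind, value in result["findings"]:
        print(f"  {kind}: {value}")
```

Run against the constructed message, the check reports the impersonated contact, the shortened link, the lookalike host and the off-Google login page. The heuristics are deliberately simple; a production filter would also resolve the shortener, render the landing page and check it for a credential form, which is exactly the web-filtering layer the list above says was missing.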
The Gmail user agreement makes it very clear that the security of its service is provided “as is” in practical terms, leaving the ultimate responsibility on the customer. The core issue is that the IT team that put together the Google-hosted mail server for the DNC may have assumed that Google would “take care of them.” They clearly did not add the critical layers of security necessary to prevent this type of common attack.
The problem is not unique to the Clinton team: most IT security professionals still lack knowledge of how to secure SaaS email. Nor is it unique to Google. In late June 2016, Avanan published a blog post on a massive attack against Microsoft Office 365 users that, though very different in target and details, exploited the same problem: missing security layers in cloud-based Office 365 (http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus).
This is the gap the Avanan Cloud Security Platform closes. We did not reinvent security; we made it very simple to add these security layers to services like Gmail and Office 365. Since most of the required security technologies are already available from best-of-breed vendors, Avanan "cloudified" the technologies of the leading vendors. Now, with literally the click of a button, our customers can deploy them on Gmail, Office 365 or any other SaaS.
To learn more about the Clinton/DNC Gmail Attack, watch the August 9th Webinar: