Are You Vulnerable to This Hacking Attack?
By Dominic Fahey
Can you spot the imposter? Don’t feel bad if you cannot, many Democratic National Committee (DNC) employees couldn’t either.
Whether you believe the Democratic National Committee (DNC) was hacked by Russians or a four-hundred pound guy from New Jersey, there is little dispute in the Information Security community on the methodology used. The cybercriminals did not discover a previously unknown flaw in the Microsoft Windows operating system; they exploited the weakest link in the cybersecurity chain – the person behind the keyboard. In a modern twist on a classic confidence scam, hackers were able to fool DNC employees to hand over the keys to the digital kingdom – their passwords.
The cybercriminals sent phishing emails to thousands of DNC employees purporting to be from their email service provider, Google, claiming that the employee’s email had been compromised and that they should reset his/her password. When an unsuspecting DNC employee is conned into believing his email has been compromised, he clicks on the link in the email and is sent to a website that appears to be Google but is actually controlled by the criminals. The counterfeit email and websites were very good forgeries. As with many things digital, it is not difficult to produce an exact copy of Google’s logo, font and password reset webpage.
Google’s standard sign-in page is located at https://accounts.google.com. In this case, the hacker registered a similarly spelled domain – https://accounts-google.com. (Figure 2) Notice the subtle difference in the ‘.’ and ‘-’ after ‘https://accounts’. This minor change makes all the difference in cyberspace. Also, note the hacker’s use of the encrypted hypertext transfer protocol (HTTPS). HTTPS is a standard on the Internet to encrypt communication between parties like banks, retailers and their customers. The problem is that, while the communication between a server and the web browser may be encrypted, HTTPS does not ensure the veracity of the identity of the server. That is to say, just because the server appears to be related to Google, HTTPS does not ensure that it is.
Furthering the con, the mark’s email address is prepopulated in the email address field on the spoofed password reset page. Upon entering his password and clicking reset, the mark is redirected to the actual Google password reset page none the wiser that his password was stored by the hacker in the background.
With a DNC employee’s username and password, the hackers were able to download every email ever sent or received by the individual. Unfortunately, it appears a number of DNC employees fell prey to this scam.
Other People’s Money
Real estate industry participants including settlement service providers, attorneys, real estate agents, homebuyers and sellers are vulnerable to similar attacks. Hackers have discovered that once they get access to real estate industry members’ email credentials, they may be successful in convincing real estate transaction parties to divert funds sent via the US Federal Reserve Banks’ Fedwire (AKA wire transfer) system with forged wire instructions.
Sadly, Information Security experts warned of this exact phishing attack against Google users as early as 2014. Had the DNC read Symantec’s warning, they may have taken steps to protect their employees.
Practically any unsuspecting email user could become a victim of a similar phishing technique. Google is not particularly vulnerable, this could happen to the likes of Microsoft, Apple, AOL or Comcast users. Below are some steps you can take to prevent:
- Train your associates to have healthy skepticism regarding any incoming emails, especially those with shortened URLs/links or a call to action to type in a username and/or password.
- Enable two-factor authentication (2FA) on every account that offers it.
- Never re-use passwords between sites, especially sites with confidential information like your email or financial service providers.
URL/Link shortening services came into existence in the early 2000’s to make it easier for people to deal with long links on the WWW such as https://www.njlta.org/wp-content/uploads/2017/03/78584-Advocate_Spring_Digital2017.pdf. One such popular service is Bitly. When clicking on a registered link, such as https://bit.ly/2ppAFV7, users are redirected to the last copy of the New Jersey Land Title Association's Advocate. While shortened links have advantages, they can also be used by fraudsters to hide attacks. For example, a user cannot easily determine if the shortened link will redirect them to the official Google website or the imposter; such was the case in the DNC email hack.
Single-factor authentication grants access based on a password alone. If your password is stolen, a fraudster could be granted access. Verizon’s 2016 Data Breach Investigations Report found that “sixty-three percent (63%) of confirmed data breaches involve using weak, default or stolen passwords.” Two-factor authentication (2FA) gives an extra layer of security by requiring a second mechanism to prove identity in addition to a password. This second factor could be a number sent to your cell phone or a generated on a hardware token or an app on your mobile device.
You may be utilizing 2FA in your everyday life and not realize it. That PIN number you use with your debit or ATM card, or that RSA SecurID hardware token you utilize to sign into your banking website – both are examples of two factors for authentication.
Security experts recommend enabling 2FA on all services that offer it. Many online providers including Google, Apple, Microsoft and Yahoo offer 2FA. Had the DNC enabled 2FA on their Google email service, it is possible that WikiLeaks would not have had anything to publish. For more information, on enabling 2FA on your accounts, check out the site https://www.turnon2fa.com/.
Did you ever register for a Myspace account? Did you happen to use your “regular password” and have long since forgotten about the site? Well your password reuse may come back to haunt you. In 2016, over 300 million usernames and passwords for Myspace were discovered on a hacker forum. It would not be difficult for hackers to test those usernames and password combinations with the popular providers like Google, Apple and Microsoft to see if any are successful.
If remembering complex and unique passwords for every site is the last thing you want to do, take a look at a password manager such as Dashlane or LastPass. But if you do, be sure to enable 2FA on that password manager otherwise your emails could end up as fodder for WikiLeaks or even worse, involved in wire fraud.
Dominic Fahey, senior vice president of strategy & corporate development for North American Title Group, is a Bruce Springsteen fan who does title insurance, in that order. He can be reached at email@example.com.