The Democratic National Committee (DNC), on Wednesday: We’ve been spearphished! The committee called the FBI about what it said was a fake login page designed to intercept usernames and passwords that would get attackers into the party’s voter database.
The DNC, early on Thursday morning: False alarm! It was a test, but we don’t know who’s behind it.
Here’s the statement from DNC chief security officer Bob Lord:
Here's the full statement from the DNC's chief security officer Bob Lord pic.twitter.com/xTdog0BGyo — Donie O'Sullivan (@donie) August 23, 2018
We have continued to investigate the phishing site reported to the DNC yesterday. We, along with the partners who reported the site, now believe it was built by a third party as part of a simulated phishing test on VoteBuilder. The test, which mimicked several attributes of actual attacks on the Democratic party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors.
The DNC’s voter database contains information on tens of millions of voters. Alarm bells went off when the committee was notified that a fake login page had been created. The DNC initially said that it quickly thwarted the attack by suspending the attacker’s account and that no information was compromised.
But by Thursday morning, the mystery had cleared up. It turns out that what looked like an attempted attack was actually a test run from within the party: specifically, as the Washington Post reported, by the Michigan Democratic Party.
The state party officials had invited a group of volunteer white-hat hackers – DigiDems – to conduct penetration testing on the voter database. Unfortunately, they did so without letting the DNC know what they were up to.
As unnerving as the test was, unauthorized at least by the national DNC, the silver lining was that the “spearphishing” attack was spotted and shut down. In other words, the DNC’s cybersecurity defenses passed the test.
The cybersecurity firm Lookout was the first to spot the phishing attempt, the Post reports. Lookout vice president Mike Murray had this to say about the test:
The thing about “false alarms” is that you don’t know that they’re false until you’ve shown up to investigate. All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible. — Mike Murray (@mmurray) August 23, 2018
Lord replied by thanking everybody who worked “round the clock” with him to respond to the perceived threat:
I appreciate various parts of the security ecosystem coming together quickly to tackle this matter. Lots of super dedicated pros like @mmurray and @TheCustos and their teams who reached out to us and worked round the clock with me! — Bob Lord (@boblord) August 23, 2018
The positive result of the unauthorized test suggests the DNC has likely learned a thing or two since 2016, when campaign manager John Podesta’s credentials were phished out of him by a malicious email purporting to be a Google security notice.
Although this incident had a happy ending, it doesn’t mean that true election meddling attacks aren’t coming in thick and fast.
On Monday night, Microsoft’s Digital Crimes Unit (DCU) reported that it took control of six internet domains that were about to be used by the Russian Fancy Bear hacking group – also known as APT28 – to spoof US political organizations.
They included two domains that were passing themselves off as US think tanks – the International Republican Institute and the Hudson Institute – plus three that appeared to be about to target services connected to the US Senate.
Christopher Scott, chief technology officer and remediation lead for IBM’s X-Force IRIS, which conducts incident response and threat intelligence, told the Post that it’s no skin off hackers’ backs if one spearphishing attempt fails. After all, it doesn’t cost anything to keep throwing attempts at a target until the attacker hits pay dirt:
You’re just trying to get one person to click. If I get one person to click and enter credentials, I’ve gotten the capability – and I can throw thousands of messages out to a company.
Scott says that to fend off attacks, you’ve got to get people to keep up their guards:
When we get a message, we want to see what it’s about. We don’t pause and say, ‘Is this suspicious?’ [It’s important for organizations to teach users] to ask the question of your security teams, ‘Hey this looks suspicious, can you check it out for me?’
Here are more tips to help you recognize, and steer clear of, phishing links.