Who hacked the Democratic National Committee (DNC)? The finger of blame has been pointed at, among others, Russia, with allegations made with varying degrees of heat and conviction but, so far, without much evidence. Now, though, evidence is emerging, in the form of URLs shortened by the Bit.ly service.
Following the DNC attack, SecureWorks, a security firm that has been tracking the hacking group Fancy Bear for the past year, published a report about the Russian group's use of Bit.ly links in spearphishing campaigns. Fancy Bear's tactic was to redirect victims to a page made to look like a legitimate Gmail login page but which was actually designed to capture the victims' account credentials.
As Motherboard tells it, SecureWorks had been tracking known Fancy Bear command and control domains, one of which led to a Bit.ly link, which then led to a Bit.ly account controlled by Fancy Bear.
That, in turn, led to thousands of Bit.ly URLs that ultimately linked to thousands of attacks. Specifically, between October last year and May this year, 8,909 Bit.ly links targeted 3,907 individual Gmail accounts as well as accounts at organizations that used Gmail as a service.
According to SecureWorks, 213 of those short links targeted 108 email addresses on the hillaryclinton.com domain alone.
Tom Finney of SecureWorks told Motherboard that the Bit.ly spearphishing links allowed “third parties to see their entire campaign including all their targets – something you’d want to keep secret”.
It’s not just the DNC that Fancy Bear has targeted. As well as the John Podesta attack and earlier ones against the likes of Colin Powell, Fancy Bear has also gone after the German parliament, the Italian military and the Saudi foreign ministry.
Using a short URL to target individuals and their logins is a surprisingly effective tactic, and neither Bit.ly nor any other shortening service is to blame. The service itself isn't compromised, but a short URL hides its real destination behind an innocent-looking string, so a victim can't tell from the link alone that it leads to a credential-harvesting page.
Here’s how it can go: a target gets a “security alert” from what looks like Google. “Someone has your password,” it says at the top, in a do-not-ignore-this red banner warning that someone has just tried to sign into your Google account.
The message provides realistic-looking details: the date the password was used, the IP address of the supposed culprit and a source location from which your account was accessed.
“Google stopped this sign-in attempt,” it reassures you, “but you should change your password.” Of course, there’s a button to do just that. “Change password,” the text reads, over a reassuring safety-blue background.
Would you click? If so, take heart, you're not alone: this is the tactic that Fancy Bear used to steal the credentials of DNC workers.
You might be familiar with the usual anti-phishing advice, such as hovering over a link to see where it really intends to take you. But screenshots of the Bit.ly link used against John Podesta, chairman of Hillary Clinton's campaign, show that even the long URL hiding behind the short one can be crafted to look legitimate to an untrained eye, and it seems that this is the tactic that led to his account being hacked.
How do you protect yourself from spearphishing attempts that use such carefully crafted, well-disguised URLs: links that not only hide behind shortened URLs but whose real destinations are themselves made to look convincing?
Peter Mackenzie of Sophos recently shared an extremely detailed list of tips after his solicitor’s email account was breached via this kind of attack, and it’s worth having another look at those.
Most specific to the case of fending off spearphishing attacks coming from expert hackers like the Fancy Bear group that’s targeting political figures and organizations, I think, are these tips:
- Pick proper passwords. Even though strong passwords don’t help if you are phished (the crooks get the strong password anyway), they make it much harder for crooks to guess their way in.
- Use two-factor authentication whenever you can. That way, even if the crooks phish your password once, they can’t keep logging back into your email account.
- Consider using Sophos Home. Our free security software for Mac and Windows blocks malware and keeps you away from risky web links and phishing sites.
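As an added example (not code from the article, SecureWorks, Bit.ly or Sophos), the script below shows what "hover to see where a link goes" looks like when the link is a shortener: it asks the shortener for its Location header without following it, then checks whether the real destination actually sits under google.com or merely carries the brand name in its hostname, path or the part before an "@". The short links and destinations are constructed samples, not the real ones from the campaign, and the two-label "registrable domain" check is a stated simplification.

```python
"""Look before you leap: resolve a short link without visiting the target,
then inspect the real destination for signs it only *looks* like Google.

Added example for this article; it is not code from SecureWorks, Bit.ly or
Sophos. The short links and destinations below are constructed samples that
stand in for live Bit.ly lookups so the script runs offline.
"""
import ipaddress
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Constructed sample: what a resolver would return for each short link.
SAMPLE_REDIRECTS = {
    "http://bit.ly/abc123": "https://myaccount.google.com/security-checkup",
    "http://bit.ly/def456": "http://accounts.google.com.example-login.net/signin",
    "http://bit.ly/ghi789": "http://example-login.net/accounts.google.com/ServiceLogin",
    "http://bit.ly/jkl012": "http://accounts.google.com@198.51.100.7/ServiceLogin",
    "http://bit.ly/mno345": "http://xn--ggle-0nda.com/signin",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so the target page is never fetched."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_location_live(short_url, timeout=10):
    """Live resolver: send a HEAD request and return the Location header
    without following it. Not used by the offline sample below."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(short_url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # a 301/302 surfaces here
        return err.headers.get("Location")


def bitly_preview(short_url):
    """Bit.ly shows an interstitial with the real URL when '+' is appended
    (a commenter on this page confirms it works); this only builds that URL."""
    return short_url.rstrip("/") + "+"


def registrable_domain(host):
    """Last two labels of the host. Simplification: a production check should
    use the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def inspect_destination(url, expected="google.com"):
    """Return the reasons `url` should not be trusted as belonging to
    `expected`; an empty list means the host really is under `expected`."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    brand = expected.split(".")[0]
    reasons = []
    if parts.scheme != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("text before '@' is a username, not the host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass
    if "xn--" in host:
        reasons.append("punycode (IDN) host")
    owned = host == expected or host.endswith("." + expected)
    if not owned:
        if brand in host:
            reasons.append(f"'{brand}' in host, but domain is {registrable_domain(host)}")
        elif brand in (parts.path + "?" + parts.query).lower():
            reasons.append(f"'{brand}' appears only in the path/query")
        else:
            reasons.append(f"host {host} is not under {expected}")
    return reasons


def check_short_link(short_url, resolver=SAMPLE_REDIRECTS.get, expected="google.com"):
    """Resolve a short link (offline sample by default; pass
    fetch_location_live to go to the network) and inspect the destination."""
    dest = resolver(short_url)
    if dest is None:
        return None, ["could not resolve short link"]
    return dest, inspect_destination(dest, expected)


if __name__ == "__main__":
    for short in SAMPLE_REDIRECTS:
        dest, reasons = check_short_link(short)
        verdict = "SUSPICIOUS" if reasons else "OK"
        print(f"{short} -> {dest}")
        print(f"  {verdict}: {'; '.join(reasons) or 'host is under google.com'}")
        print(f"  preview: {bitly_preview(short)}")
```

Only the first sample passes: the others put "google" somewhere other than the registrable domain, use an IP or punycode host, or rely on plain HTTP. Resolving via HEAD and a non-following redirect handler means the phishing page itself is never loaded while you inspect it.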
Mahhn
Exposing powerful criminals will only get you killed. If they found a video of hilldog beating a puppy to death with a bat, no major news agency would publish it. All is lost.
Anonymous
Mahhn you need an attitude adjustment, stay on point, and leave your political opinion on the shelf.
VT
Mahhn, seems you need an attitude adjustment, stay on topic, and leave your political opinion on the shelf. I have complained on a couple of occasions about your stirring sh*t, but apparently the moderator thinks your negative off-topic comments are useful to the discussion for some reason.
Mahhn
It was on topic – the theft of incriminating emails. I made no political statement of who I have a personal opinion on. It’s about crimes, not politics. Yes, sometimes my posts lean towards aggressive with my sarcasm, but not negative toward the story. I fully appreciate the articles. And don’t worry, not all my comments get posted. Sorry I hurt your feelings, I’ll keep you in mind on my next post.
The fact (besides my over the top sarcasm that you missed) that the mainstream media does not report on the incriminating content of the Email, but only that they were stolen by a hacker was the intended comment. Maybe I’ll take some of the cayenne, black and white pepper out of my post if it makes You happy. or
Agghorn
“neither Bit.ly nor any other shortening service is to blame.”
Because URL shortening services by definition mask the real URL, they are most definitely to blame when an account is compromised this way. One improvement would be an intermediate screen that notifies the user of the target URL and requires a yes or no answer.
Spryte
Agreed.
Any “improvement” like bitly that obfuscates where you may want to go on the internet actually compromises your security.
I usually do not bother with shortened URLs (even google’s or Microsoft’s) but if the subject matter seems interesting I will copy it into DuckDuckGo and search. That seems to be the only search that will retrieve the long URL and I can decide from there.
At one time I remember a page that would give one the correct URL from the shortened URL but I cannot seem to find it anymore…
Paul Ducklin
IIRC, you can add a plus sign to a bitly link and it will redirect you to an interstitial page that shows the real URL (and lets you click the full URI from there instead)…let me check…yes, that works.
For example, here’s one we prepared earlier for some research we did a while ago into typosquatting:
http://bit.ly/typosquat
That redirects you at once, while this takes you via a Bitly-hosted page that lets you look before you leap:
http://bit.ly/typosquat+
Simon
I stopped clicking on shortened links a long time ago. Never really understood the point of them anyway.
Paul Ducklin
I think the original attraction was for services like SMS and Twitter (when Twitter counted every character in a URL as part of your tweet).
Anonymous
I couldn’t believe this, but it’s true. If you look at WikiLeaks, Podesta and his people were sending his account credentials in cleartext: Username: jpodesta Password: P@ssw0rd. Phishing the information probably saved Fancy Bear the 10 or 20 guesses it would have taken to perform a successful dictionary attack.
Robert Scroggins
You can/should check those bit.ly (and other) shortened links as well. I do not click on any link without verifying it first. Is that so difficult to do?
Regards,
Hart (Buck) Macklin (@macklinh)
Or it was a simple inside job. Someone noticed he left his laptop open when he went somewhere and in a few seconds they started the process to back up his gmail to a thumb drive.
Usually hackers like to take the credit for their hacks. They don’t use WikiLeaks.
You know who uses wikileaks? Insiders.
Bart
Podesta should stay off computers in the Clinton administration. Unqualified. Sad.