Now that the election is over and the “Russians worked to influence the election” discussions have given way to the evil Assad, I thought this would be a good time to discuss phishing. There are a number of variants of phishing. Today we’ll discuss how the “Russian” conversation got going.
In the twilight of the election campaign last fall, John Podesta, the campaign manager for Hillary Clinton, woke up one morning to find copies of the emails he had sent to Hillary and his campaign staff plastered across the Internet. What was in those emails is not important for the purposes of this discussion; what is important is how John Podesta’s emails ended up on the Internet. I know, WikiLeaks put them there, but how did WikiLeaks get them?
“The Russians hacked the DNC servers” became the cry of the day, and then “The Trump Campaign is working with them” was added as the days went by. In reality, no one hacked John Podesta’s email or the DNC servers, not to get Podesta’s email anyway. No, John Podesta and the DNC IT guys fell for a phishing scam.
One morning when Podesta logged into his Gmail account, there was an email waiting for him explaining that his email account had been hacked and that he needed to change his password immediately, using, of course, the conveniently provided form in the body of the message. The email looked very “Google Official”, and so after consulting with his IT guy he completed the form. This completed form did not go to Google; it went to a very enterprising fellow in either Ukraine or Romania. “What about Russia?” you may ask. Russians tend to be more on the evil, get-cash-now side of phishing schemes, which we will discuss in our next phishing article. Phishing schemes like the one Podesta was caught up in are the oldest and most common. These folks are really looking for raw data they can sell to product advertisers; along the way they may get other valuable information such as credit card numbers, social security numbers, etc.
So how do I know what is phishing and what is real? Good question. What you should do is this: assume that any email you get telling you your account has been hacked and you need to change your password is a phishing expedition. One, Google, Microsoft, your bank, Amazon et al. have no way of knowing if YOUR account has been hacked. Two, they generally find out your account has been hacked when YOU call them to say you can’t get in and you haven’t changed your password. Have you ever noticed that when these guys get hacked, the hacker never hacked just YOUR account? They got 5 million, and even then they don’t know if YOURS is one of them. And even when they find out, they DO NOT send you an email with a nicely laid out form for you to reset your password.
In short, the easiest way to avoid this type of phishing scheme is to use common sense. Think about how you opened the account. Who knew? YOU, and that is all. Even your banker doesn’t know when you sign up for online banking. The banker’s systems do, but people don’t. Systems don’t know if they are being hacked; if they did, we wouldn’t have hacking. There are systems that try to detect intrusions, but they can only detect patterns. After a pattern is recognized, they just cut access to the intruder; they do NOT send out notifications to ‘end users’ (that is YOU). Their automated processes deny access to the offending system(s), and then they continue on their quest to find patterns that resemble someone trying to access their system without permission.
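The rule of thumb above can also be applied mechanically by a mail filter. The following is an added example, not part of the original article: it flags any message whose HTML body carries its own form with password fields, and notes when that form posts to a host outside the sender's domain. The sample message, its addresses and hosts are constructed placeholders, and `FormFinder` and `inspect_message` are names chosen for this example.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message; every address and host below is a placeholder.
SAMPLE = """\
From: Account Security <no-reply@accounts.mail-provider.example>
To: user@mail-provider.example
Subject: Someone has your password
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been hacked. Change your password now.</p>
<form action="http://reset.collector.example/update" method="post">
<input type="password" name="old"><input type="password" name="new">
<input type="submit" value="Change password"></form></body></html>
"""

class FormFinder(HTMLParser):
    """Collect form targets and count password inputs in an HTML body."""
    def __init__(self):
        super().__init__()
        self.actions, self.password_fields = [], 0
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            self.password_fields += 1

def inspect_message(raw):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    # From can be forged, so a mismatch is a signal, and a match proves nothing.
    sender_domain = msg["From"].addresses[0].domain.lower()
    finder = FormFinder()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder.feed(part.get_content())
    findings = []
    if finder.actions:
        findings.append("HTML form embedded in the message body")
    if finder.password_fields:
        findings.append("asks for a password (%d fields)" % finder.password_fields)
    for action in finder.actions:
        host = (urlparse(action).hostname or "").lower()
        if host and host != sender_domain and not host.endswith("." + sender_domain):
            findings.append("form posts to %s, not to %s" % (host, sender_domain))
    return findings
```

Any finding at all is reason to treat the message as phishing: a password form inside an email is the pattern the article describes, regardless of where it posts.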
Jon Bowling, President