Use the DNC Hacks to Teach Phishing

Looking at the recent political news, it appears hackers targeted John Podesta, Hillary Clinton’s Campaign Chairman, in order access to his and other DNC staffers’ e-mail accounts. Regardless of your political beliefs, this is a teaching moment: Podesta, a high profile figure, has had his personal e-mails leaked online.  Everyone with whom he communicated via that hacked e-mail account is also in the spotlight (including the President whose personal e-mail address was revealed).

It appears that Podesta was spearphished.  According to reports, hackers sent him a carefully crafted e-mail containing a shortened URL which directed him to a falsified website showing his credentials as expired and requesting login information.  Dell Secureworks, the security firm investigating these hacks, says there is no evidence the Podesta clicked through the link and actually provided his credentials.  However, it IS clear that he and others were targeted via a spearphishing e-mail.

Recall that one goal of phishing is to trick you into providing your credentials.

Here comes the teaching moment.

An e-mail can be made to appear legitimate.  In fact, It’s pretty simple to a copy logo and create a falsified e-mail address.

Always be wary of unexpected e-mails.  Anytime an e-mail links to a website where login credentials are requested, watch out!  Verify the site’s legitimacy by checking out the URL, or even better, go to the website directly from your browser and skip the link altogether.

But, you’re not a famous person or a leader in a major political party.  Why would anyone want to phish you?  Here are two reasons: First, if they can hack your account, they have access to a new group of potential targets. Second, it’s easier to conduct illegal activities using an existing account since many popular services are now on the lookout and banning duplicate accounts.

To the first point, look at how compromising just one person can take down others.

One person in the targeted organization is scammed out of their e-mail credentials.  Now, their e-mail account can be used to send requests to others in the organization.  Sound familiar?  Yes, Business E-mail Compromise (BEC) is accomplished with this tactic!

There are many cyber hacking stories that are making mainstream news.  Make an impact while teaching computer security by referencing some of them!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s