Even technology experts can be insecure on the internet, as last week’s “Google Docs” phishing attack demonstrated. An array of Gmail users, including BuzzFeed tech reporter Joe Bernstein, readily handed over access to their email to a bogus app. Politicians should be especially wary of suspicious emails given recent events, yet a security test run by the Special Projects Desk found that a selection of key Trump Administration members and associates would click on a link from a fake address.
The Trump camp has talked a lot about cybersecurity—or “the cyber”—particularly to criticize Hillary Clinton for the risks posed by her private email server and to savor the damage done by hacks against the Democratic National Committee and Clinton campaign chairman John Podesta. Its own record, however, is less than sterling—in January, notably, after Trump named Rudolph Giuliani as a cybersecurity advisor, experts promptly discovered that the Giuliani Security corporate website was riddled with known vulnerabilities.
So, three weeks ago, Gizmodo Media Group’s Special Projects Desk launched a security preparedness test directed at Giuliani and 14 other people associated with the Trump Administration. We sent them an email that mimicked an invitation to view a spreadsheet in Google Docs. The emails came from the address email@example.com, but the sender name each one displayed was that of someone who might plausibly email the recipient, such as a colleague, friend, or family member.
The link in the document would take them to what looked like a Google sign-in page, asking them to submit their Google credentials. The URL of the page included the word “test.” The page was not set up to actually record or retain the text of their passwords, just to register who had attempted to submit login information.
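The sender-name trick described above (a familiar display name on an unfamiliar address) is something a mail filter can check for mechanically. The following is an added example, not the Special Projects Desk's test code: it parses a raw From header and compares the display name against a directory of known contacts. The directory, the addresses in it and the sample headers are constructed for the example.

```python
"""Flag e-mails whose From display name matches a known contact but whose
address does not. Example code added to this page, not Gizmodo's test code.
The contact directory and the sample headers below are constructed."""
from email.utils import parseaddr

# Constructed directory of trusted contacts: display name -> set of addresses
# known to belong to that person. A real deployment would load this from the
# address book or directory service.
KNOWN_CONTACTS = {
    "Ben Wittes": {"ben@lawfareblog.example"},
    "Callista Gingrich": {"callista@gingrich.example"},
}

def check_from_header(from_header: str, directory=KNOWN_CONTACTS) -> dict:
    """Parse a From header and report whether the display name impersonates
    a known contact. Returns the parsed parts plus a verdict string."""
    name, addr = parseaddr(from_header)
    name = name.strip()
    addr = addr.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    known = directory.get(name)
    if known is None:
        verdict = "unknown-sender"       # name not in directory; nothing to compare
    elif addr in {a.lower() for a in known}:
        verdict = "ok"                   # name and address agree with the directory
    else:
        verdict = "display-name-spoof"   # familiar name, unfamiliar address
    return {"name": name, "addr": addr, "domain": domain, "verdict": verdict}

# Constructed headers modelled on the article's description of the test
SAMPLES = [
    "Ben Wittes <email@example.com>",
    "Ben Wittes <ben@lawfareblog.example>",
    "Callista Gingrich <email@example.com>",
    "Some Vendor <noreply@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        result = check_from_header(header)
        print(f"{result['verdict']:20} {header}")
```

The check deliberately stays silent on names it has never seen; its value is in catching the specific pattern the article describes, a name the recipient trusts attached to an address that has never belonged to that person.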
Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight unique devices visited the site, one of them multiple times. There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent.
At least the recipients didn’t go farther. Our testing setup—which included disclaimers for careful readers at each step—did not induce anyone to go all the way and try to hand over their credentials.
Two of the people we reached—informal presidential advisor Newt Gingrich and FBI director James Comey—replied to the emails they’d gotten, apparently taking the sender’s identity at face value. Comey, apparently believing that he was writing to his friend, Lawfareblog.com editor-in-chief Ben Wittes, wrote: “Don’t want to open without care. What is it?” And Gingrich, apparently under the impression he was responding to an email from his wife, Callista, wrote: “What is this?”
In both cases, we didn’t respond. In an actual phishing attack, the replies could have given the sender a chance to more aggressively put their targets at ease and lure them in.
In fact, Comey and Gingrich appear to have been less vigilant than Podesta, who had reported his phishing email to a security advisor, only to be mistakenly told it was “legitimate.” (The advisor later claimed that it was a typo and that he had meant to say that it was “illegitimate”.)
Along with Comey, Giuliani, and Gingrich, we sent the messages to 12 other people: FCC chairman Ajit Pai; White House press secretary Sean Spicer; Oval Office operations director Keith Schiller; White House Homeland Security advisor Tom Bossert; John Ratcliffe, the House Chairman of the Homeland Security Subcommittee on Cybersecurity; White House advisor Peter Thiel; Jeanette Manfra, the Department of Homeland Security Acting Undersecretary for Cybersecurity; Stephen Miller, senior advisor to the President; Sebastian Gorka, deputy assistant to the President; Grace Koh, special assistant to the President; John Lynch, chief of the Department of Justice’s Computer Crime and Intellectual Property Section; and Trump lawyer Michael Cohen.
In addition to the giveaway in the form of the email address, the last line of the invitation revealed that it had been sent to test the recipient’s digital security acumen. (Always read the fine print!) And the Google logo linked to our page.
The link then took those who clicked it to the following login page. At the bottom of the page, there were links again to our site, along with the message, “This page was built by Gizmodo Media Group to test your digital security acumen.”
Anyone who clicked the sign-in button would receive a message alerting them to the fact that they’d just taken part in a security audit by the Special Projects Desk. It included our contact information.
A security test like this has precedent. Tech companies like Facebook assign a team to try to hack their colleagues on a regular basis to keep people on their toes, in a practice called red teaming. In 2011, the Department of Homeland Security left USB sticks in the parking lots of government buildings, and found that 60 percent of the government employees and contractors who picked up the sticks plugged them into their computers, which then could have been infected with malware.
The Trump people were not as careless as this, but some of them were still too trusting. They avoided the pitfall of entering their login information—which in a real attack would have opened them up to having their email accounts invaded and their messages downloaded, and would have compromised any other accounts where they used the same password—but those who clicked the link at all were taking a risk. In a worst-case scenario, a click like that could lead to malware being installed in their browser. It could also potentially reveal a user’s geographic location, what device is in use, that device’s operating system, and their choice of browser, all of which would be useful information for a future hack.
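The figures reported earlier (unique devices, repeat visits, clicks within 10 minutes of sending) and the device, operating system and browser details a bare click reveals all come from the landing page's web-server log. As an added example, not the Special Projects Desk's tooling, the script below reads access-log lines in the common combined format, groups hits into devices by IP address and User-Agent, and produces that summary. The log lines, the landing-page path and the send time are constructed; the IP addresses are from documentation ranges.

```python
"""Summarise click-throughs on a phishing-awareness landing page from its
web-server access log. Example code added to this page, not the Special
Projects Desk's tooling; the log lines, path and send time are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Constructed access-log lines in the common "combined" format.
LOG = """\
203.0.113.10 - - [18/Apr/2017:14:02:11 +0000] "GET /docs-test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E277 Safari/602.1"
203.0.113.10 - - [18/Apr/2017:14:02:15 +0000] "GET /docs-test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E277 Safari/602.1"
198.51.100.7 - - [18/Apr/2017:14:05:40 +0000] "GET /docs-test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36"
192.0.2.44 - - [18/Apr/2017:14:12:03 +0000] "GET /docs-test/ HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30"
192.0.2.44 - - [18/Apr/2017:14:12:04 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.1 Safari/603.1.30"
"""
SEND_TIME = datetime(2017, 4, 18, 14, 0, tzinfo=timezone.utc)  # constructed send time
LANDING_PATH = "/docs-test/"                                    # constructed path

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def fingerprint_ua(ua):
    """Coarse OS and browser labels from the User-Agent: the sort of detail
    the article notes a bare click already gives away to the sender."""
    os_name = next((k for k in ("iPhone", "Android", "Windows", "Macintosh", "Linux") if k in ua), "unknown")
    browser = "Chrome" if "Chrome/" in ua else "Safari" if "Safari/" in ua else "unknown"
    return os_name, browser

def summarise(log_text, send_time, landing_path, window=timedelta(minutes=10)):
    """Group landing-page hits into devices (IP + User-Agent) and count how many
    clicked, how many did so within `window` of the send, and how many returned."""
    devices = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != landing_path:
            continue  # skip unparseable lines and side requests such as favicon
        key = (rec["ip"], rec["ua"])
        dev = devices.get(key)
        if dev is None:
            os_name, browser = fingerprint_ua(rec["ua"])
            dev = devices[key] = {"ip": rec["ip"], "os": os_name, "browser": browser,
                                  "first_seen": rec["ts"], "hits": 0}
        dev["hits"] += 1
        dev["first_seen"] = min(dev["first_seen"], rec["ts"])
    devs = list(devices.values())
    return {
        "unique_devices": len(devs),
        "clicked_within_window": sum(1 for d in devs if d["first_seen"] - send_time <= window),
        "repeat_visitors": sum(1 for d in devs if d["hits"] > 1),
        "devices": devs,
    }

if __name__ == "__main__":
    report = summarise(LOG, SEND_TIME, LANDING_PATH)
    print(f"unique devices: {report['unique_devices']}, "
          f"within 10 min: {report['clicked_within_window']}, "
          f"repeat visitors: {report['repeat_visitors']}")
    for d in report["devices"]:
        print(f"  {d['ip']:14} {d['os']:10} {d['browser']:7} hits={d['hits']} "
              f"first={d['first_seen'].isoformat()}")
```

Keying devices on IP address plus User-Agent is the same approximation the article's "unique devices" count relies on: a forwarded link opened by a colleague shows up as a separate device, and two people behind one proxy with identical browsers collapse into one, which is why the article hedges about who did the clicking.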
These are not theoretical risks. Politicians are increasingly being targeted for email hacks. This past weekend, French president-elect Emmanuel Macron saw his campaign’s emails dumped on the internet. Last month, people affiliated with his campaign received emails “with links to fake websites designed to bait them into turning over passwords,” according to the New York Times.
We contacted all of the recipients and asked how they realized that the email or the Google sign-in page, if they clicked through, wasn’t legitimate. Sadly, no one was in the bragging mood. Neither they, nor their government agencies, had responded to a request for comment as of press time.
Correction: The original version of this post stated that Ben Wittes is the editor-in-chief of Lawfare.com. He’s in fact the editor-in-chief of Lawfareblog.com. We regret the error.
This story was produced by Gizmodo Media Group’s Special Projects Desk.