The Democrats are on edge for good reason. They have a little experience with this.
What appeared to be an attempt by hackers to phish Democratic officials and obtain access to the party’s voter file this week turned out to be nothing more than a security exercise in Michigan. And while the party line now is that the incident shows how tight its security really is—with calls placed to the FBI before anyone got tricked into giving up a password—the real credit belongs to a San Francisco-based company that, like the Democratic National Committee itself, was oblivious to what was really going on until less than 24 hours ago.
It’s been one hell of a busy week at Lookout, the mobile security firm that first discovered the fraudulent page trying to capture the login credentials for VoteBuilder, the platform Democrats use to track potential voters. Work at the firm has been basically shut down as its security pros are now spending most of their time explaining how phishing works to reporters.
“We’ve been on the phone since Monday,” said Aaron Cockerill, chief strategy officer. “We haven’t been able to do much else.”
Late Wednesday, the DNC revealed that the attack it had announced earlier that day was no attack at all, but a security test conducted without its knowledge. Gizmodo confirmed Thursday that the test was ordered by Michigan Democrats who are trying, wisely, to keep staff members on their toes in the face of cyber threats from foreign adversaries. With the help of an outside firm, state party officials created a fake login page on a remote server. The plan was to trick campaign staffers into unwittingly surrendering access to the platform used by Democratic campaigns at every level—for fundraising activities, to create call lists, to develop canvassing strategies, and more.
What the Democrats didn’t foresee is the possibility of their fake page being detected by someone else who would in turn notify the DNC. That’s exactly what happened. By the time Michigan knew what was going on, newspapers nationwide were reporting a federal law enforcement investigation into another potential attack on the Democratic Party.
That the phishing attempt turned out to be fake doesn’t take away from the fact that Lookout, a security company most consumers have never heard of, not only detected the page but had it shut down in about 24 hours. Had the attempt been real, the firm would have been widely recognized for saving the Democrats from another fateful episode.
The application Lookout credits with detecting the fake phishing page was developed based on the research of Jeremy Richards, the company’s principal security intelligence engineer. Roughly a year ago, Richards began researching ways to detect phishing kits; not after they were used, but as they were launched. The system responsible for detecting the fake VoteBuilder page doesn’t yet have a fancy name. Lookout simply calls it “Phishing AI.”
As a security researcher, Richards has a background in reverse engineering threats. His work previously focused on examining signatures in network traffic caused by the execution of malware, where he discovered an overlap between malware command and control servers and phishing infrastructure. “I started to learn how phishers deploy and where they deploy,” he said. “I started watching what kind of signals are created, what kind of signals are generated during that process.”
Around this time last year, Richards began coding an application capable of detecting the deployment of phishing kits online, creating models that could identify and classify phishing sites in real time. In most cases, phishing sites are detected only after they’ve served their purpose—after a malicious link has been sent to dupe someone into betraying a sensitive piece of information. By the time a phishing site is actually discovered, it’s usually too late. Identifying them at this stage is what Lookout calls a “sacrificial lamb-based solution.”
“We’re seeing thousands of phishing sites a day,” Richards says. “And that’s because they have to cycle so quickly to avoid being blocked by traditional means.” The ways by which Lookout’s application detects phishing sites is something of a secret, not only because it’s a proprietary product, but because disclosing too much about how it works would only give its targets the key to defeat it. The game, Richards says, is cat and mouse.
“It’s a game you’re familiar with coming from a malware protection standpoint. It’s not unfamiliar to me,” he says. “The phishing kits when they first came out were typically poorly written, bad copies, written in PHP, and they would either store credentials that were harvested or email them out. And while there’s still plenty of that—thousands per every day, in fact—it definitely trends now toward more sophisticated campaigns.”
The messages carrying the phishing links, too, are becoming more sophisticated, relying less on a traditional email, which people have become naturally suspicious of. Attackers have expanded significantly into SMS and social media, and are displaying a preference for targeting personal email over corporate. There’s far more reconnaissance involved today, which helps phishers craft unique messages for finely targeted attacks.
Lookout has even seen messages carrying malicious links that tell parents, using real names, that their sons or daughters have been in an accident. “The kits have gotten more advanced, they can detect when they’re being analyzed, and the reconnaissance has dramatically improved because of how much our lives are online these days,” Richards says.
When Lookout’s application first launched eight months ago, it focused primarily on detecting threats imitating roughly a dozen brands, mostly the big ones such as Microsoft, Google, and so on. Today, it’s trained to monitor for more than 40 different brands. But even with all those, it’s still the phishing sites Lookout doesn’t immediately recognize that are the most interesting. The DNC’s voter file program, VoteBuilder, was an unknown. That’s the only reason it bubbled to the top.
The fake VoteBuilder page was flagged as being a high-probability phishing page, but Lookout’s AI could not by itself tell who or what the page was trying to imitate. It required the developer’s attention. “We saw this domain start to evolve over time. We were able to watch it change from not a phishing kit, to a very poor phishing kit with broken images, to a very sophisticated lookalike,” Richards says.
On Thursday, a California-based company called DigiDem confirmed that it had been hired by the Michigan Democratic Party to assist in conducting the test. “As part of that training, we ran tests on the Michigan state party campaign’s internal security measures which tripped an external alarm,” the group’s co-executive director, Alicia Rockmore, told Gizmodo.
According to Lookout, DigiDem did a bang-up job.
“From the perspective that they were trying to emulate a real phishing attack, they did really well,” said Richards. “Otherwise it would have been very obvious from the beginning.”
While the test was not authorized by the DNC, and sounding a false alarm so loudly is likely to lead to some harsh criticism, the kind of test the Michigan Democrats conducted should be happening more, not less. At a White House briefing not two weeks ago, the nation’s top national security officials cautioned that foreign influence operations and attempts to undermine the country’s election infrastructure are on the rise, not abating simply because of America’s newfound hyperawareness.
“Our adversaries are trying to undermine our country on a persistent and regular basis,” warned FBI Director Christopher Wray. “Whether it’s election season or not.”