The FBI received a report from the US Democratic National Committee (DNC) that unknown actors sought access to a voter database through a phishing campaign.
Security firm Lookout was reported to have warned the DNC Tuesday that it had found a fake login page for VoteBuilder, a tool the party uses so its campaigns can better target voters.
The apparent attackers' apparent aim was to obtain credentials they could use to access the party's voter information. The DNC's Chief Security Officer Bob Lord briefed party officials on the attack yesterday, then made a public statement denouncing the current US Administration for not protecting the political process from hackers. The party also spoke about the incident to a number of media outlets.
What happened was a phishing test, an exercise party leaders mistook for the real thing
But it developed this morning that there was no actual attack. What happened was a phishing test, an exercise party leaders mistook for the real thing. The DNC leaders say they didn't authorize a phishing test, and it's not clear how they know the incident was just a test, but being caught out like this is embarrassing to any organization. CNN calls the episode a "SNAFU," which seems about right.
The WSJ explained a day later: "One person familiar with the matter said the test site was created at the request of the Michigan Democratic Party by DigiDems, a volunteer group of technology experts that does work for the Democratic Party. The DNC wasn’t notified of the test, which led to the confusion over the spoofed site’s origin, this person said.
In a statement, the Michigan Democratic Party confirmed that its “digital partners” ran the test out of an abundance of caution. “Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked,” Brandon Dillion, the state party’s chairman, said. “Cybersecurity experts agree this kind of testing is critical to protecting an organization’s infrastructure, and we will continue to work with our partners, including the DNC, to protect our systems and our democracy.”
As a result of the incident, the DNC is crafting new rules for state parties and other campaign organizations that want to run cybersecurity exercises, according to Politico. They will now be required to notify DNC headquarters of their plans.
Awareness training is important, but it's important to do it right. When an organization runs interactive, realistic training, it's got to know, at the appropriate levels, what's going on. This kind of "scoring into your own goal" is easy to commit, but it's also easy to avoid. This was a violation of Rule No. 8: "Neglecting To Inform Key Stakeholders".
Here is a 4-minute video with the Top 10 Common Security Awareness Training Program Fails:
Free Phishing Security Test
91% of successful data breaches started with a spear phishing attack
Would your employees click on a phishing mail? We help you train your employees to better manage the urgent IT security problems of social engineering, spear phishing and ransomware attacks. Take the first step now. Find out what percentage of your employees are Phish-prone™ with our free test.
PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser: