The New Posterboy of CyberInsecurity: John Podesta Fell For Social Engineering Attack



Motherboard has a great article explaining just how Podesta, Chairman of the 2016 Hillary Clinton presidential campaign got  hacked.  (Podesta previously served as Chief of Staff to President Bill Clinton and Counselor to President Barack Obama). The man fell for social engineering: a Google credentials phish -- one of the most common phishes that we see in the Phish Alert Button emails that customers send us. That article includes some great screenshots of emails used to hack several other public figures.

The other thing of note here is that this particular phish spoofed a security alert notice from Google -- just the kind of attack that we discussed in this blog post.

In Podesta's case the bad guys used a bit.ly link -- something else we see all the time. And the landing page for the credentials phish probably looked something like the below...

Google Credtials Phish

It is a textbook example of how John Podesta became a Cyber-Insecurity poster child: 
  • Using a terrible password to begin with
  • Re-using that password for multiple sites/accounts
  • Sharing the password with assistants
  • Asking an assistant to email him his password when he forgot it
  • Not turning on two-factor authentication
  • Not changing passwords after one account was known to be compromised

Don't be that guy and train your users within an inch of their lives to "not be that guy" either...

keepcalm.jpg

Free Phish Alert Button

Do your users know what to do when they receive a suspicious email?

Should they call the help desk, or forward it? Should they forward to IT including all headers? Delete and not report it, forfeiting a possible early warning? KnowBe4’s Phish Alert button gives your users a safe way to forward email threats to the security team for analysis and deletes the email from the user's inbox to prevent future exposure. KnowBe4's free Phish Alert for Outlook is an add-in you can download and deploy at no cost.

Learn More

  




Subscribe To Our Blog


Comprehensive Anti-Phishing Guide




Get the latest about social engineering

Subscribe to CyberheistNews