Welcome to DU!
The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards.
Join the community:
Create a free account
Support DU (and get rid of ads!):
Become a Star Member
Latest Breaking News
General Discussion
The DU Lounge
All Forums
Issue Forums
Culture Forums
Alliance Forums
Region Forums
Support Forums
Help & Search
Proof that, contrary to Trump, it's unlikely a random "14-year-old" phished Podesta's email
Trump cited his BFF Julian Assange's words in the Hannity interview to support his insistence that Russia wasn't responsible for the Podesta hack (and by extension, the DNC hack):
Donald J. Trump @realDonaldTrump
Julian Assange said "a 14 year old could have hacked Podesta" - why was DNC so careless? Also said Russians did not give him the info!
Julian Assange said "a 14 year old could have hacked Podesta" - why was DNC so careless? Also said Russians did not give him the info!
Here's a condensed version of some recent tweets from Pwn All The Things, who's done what the media seem incapable of and pulled together information from various sources:
Pwn All The Things @pwnallthethings
Could have hacked? Sure. Did hack? No. Let me go through why not.
So the actual email used to phish John Podesta ended up in the WIkileaks dump. It's here
https://t.co/H6ACVvnOXH
This is a reconstruction of that phishing email. (All of the information is bogus - the mention of Ukraine isn't relevant here)
You can't tell just by looking, but that "Change Password" link doesn't take you to Google. It takes you to Bit.ly.
This link expands to a fake login page (note URL is for a .tk site). This is what Podesta saw when he accidentally gave creds to hackers.
But the hackers screwed up. The hackers weren't hacking one-by-one; so URL contraction wasn't done manually. It was done via the Bitly API.
Using the Bitly API requires you create an account. So the hackers had to create an account. And they forgot to make their account private.
It's no longer possible - the hackers have changed their settings - but before you could simple enumerate ALL of the contracted links.
The Bitly link in John Podesta's email is visible in the Wikileaks dump here https://wikileaks.org/podesta-emails/emailid/36355 …
We can ask Bitly to expand it. This is what it says https://bitly.com/1PibSU0+
Those gobble-de-gook strings aren't encrypted. They're Base64 encoded. In this case, it tells us the link was for john.podesta@gmail.com
Why did the hackers include this info? Same reason they contracted links via API. Because they're not hacking 1-by-1. Are hacking at scale.
This information lets their attack server populate fields to look more authentic (it's why it's able to pre-fill Podesta's name and picture)
But it also means this opsec screw up is bad. Bc we can see the links contracted by the account, we can see all of the spearphishing URLs
And the spearphishing URLs tells us the accounts that were targeted.
How many accounts did this "14 year old" hack? About 1800. In 2015.
Who were these accounts? Mil, govt personnel in the West, defence cos, journos critical of govt in Russia etc
Here's a pie chart of some of the accounts the 14 year old hacker hacked outside of Russian sphere of influence
This 14 year old is apparently an avid reader, given how many authors they're hacking. What are their interests? Another pie chart.
(These pie charts by @SecureWorks I should add, from here: https://www.secureworks.com/research/threat-group-4127-targets-google-accounts …)
And which countries is our friendly 14 year old hacker interested in? These ones. Remember. This is 1800 gmail accounts *in 2015 alone*.
Is it possible this was all a 14 year old? Sure. Also possible I'm a bridge salesman, and boy have I got a great deal for you today.
When hackers hack at scale, they reuse infrastructure. They make mistakes. This isn't unusual. You can piece the bits together.
And this isn't even the DNC hack. It's just the Podesta one. And it's only one of many different strands in just the public attribution case
Could have hacked? Sure. Did hack? No. Let me go through why not.
So the actual email used to phish John Podesta ended up in the WIkileaks dump. It's here
https://t.co/H6ACVvnOXH
This is a reconstruction of that phishing email. (All of the information is bogus - the mention of Ukraine isn't relevant here)
You can't tell just by looking, but that "Change Password" link doesn't take you to Google. It takes you to Bit.ly.
This link expands to a fake login page (note URL is for a .tk site). This is what Podesta saw when he accidentally gave creds to hackers.
But the hackers screwed up. The hackers weren't hacking one-by-one; so URL contraction wasn't done manually. It was done via the Bitly API.
Using the Bitly API requires you create an account. So the hackers had to create an account. And they forgot to make their account private.
It's no longer possible - the hackers have changed their settings - but before you could simple enumerate ALL of the contracted links.
The Bitly link in John Podesta's email is visible in the Wikileaks dump here https://wikileaks.org/podesta-emails/emailid/36355 …
We can ask Bitly to expand it. This is what it says https://bitly.com/1PibSU0+
Those gobble-de-gook strings aren't encrypted. They're Base64 encoded. In this case, it tells us the link was for john.podesta@gmail.com
Why did the hackers include this info? Same reason they contracted links via API. Because they're not hacking 1-by-1. Are hacking at scale.
This information lets their attack server populate fields to look more authentic (it's why it's able to pre-fill Podesta's name and picture)
But it also means this opsec screw up is bad. Bc we can see the links contracted by the account, we can see all of the spearphishing URLs
And the spearphishing URLs tells us the accounts that were targeted.
How many accounts did this "14 year old" hack? About 1800. In 2015.
Who were these accounts? Mil, govt personnel in the West, defence cos, journos critical of govt in Russia etc
Here's a pie chart of some of the accounts the 14 year old hacker hacked outside of Russian sphere of influence
This 14 year old is apparently an avid reader, given how many authors they're hacking. What are their interests? Another pie chart.
(These pie charts by @SecureWorks I should add, from here: https://www.secureworks.com/research/threat-group-4127-targets-google-accounts …)
And which countries is our friendly 14 year old hacker interested in? These ones. Remember. This is 1800 gmail accounts *in 2015 alone*.
Is it possible this was all a 14 year old? Sure. Also possible I'm a bridge salesman, and boy have I got a great deal for you today.
When hackers hack at scale, they reuse infrastructure. They make mistakes. This isn't unusual. You can piece the bits together.
And this isn't even the DNC hack. It's just the Podesta one. And it's only one of many different strands in just the public attribution case
Full tweet thread here: https://twitter.com/pwnallthethings/status/816629673820114944
24 replies
= new reply since forum marked as read
= new reply since forum marked as read
