By Bob Sullivan
Sat | Aug 25, 2018 | 6:36 AM PDT

The most patriotic thing every American can do right now is avoid clicking on any links in emails. Ever. Log in to websites the old-fashioned way, by typing the URL in the web address field at the top of your screen. (Or copying and pasting a link you want to follow manually into the address bar—ideally, pasting it first into a text editor to be sure the link is what it appears to be, and then into your web browser.)

I’ve been giving that advice for 20 years, but I was only trying to protect you and your company then. Now, I’m trying to protect democracy. We are all foot soldiers in a cyberwar now; it’s up to every one of us to keep America safe.

Old-fashioned phishing attacks by Russian hackers against the U.S. are continuing, Microsoft revealed Tuesday, as it announced detection of two fake websites designed to trap employees of conservative organizations, and another three aimed at U.S. Senate workers. The International Republican Institute and the Hudson Institute, a think tank, were targeted because they have parted ways with President Trump, according to The New York Times. The final domain targeted all Microsoft Office OneDrive cloud users, which would be an amazing haul indeed. (It’s not as large a hack as the ability to read all Yahoo emails for 2.5 years, as we chronicled in the podcast Breach, but still a target-rich environment.)

The attack strategy mirrors the one that led to the hacking of the Democratic National Committee in 2016. You’ll recall John Podesta fell for an urgent “change your password” email and entered his credentials into a rogue website that was set up by a hacker group linked to Russia. It’s known by various names—Fancy Bear, APT28, or Strontium. No matter. The group is hard at work trying to foment disagreement and anger among American citizens, which isn’t hard because people seem to enjoy being angry right now.

I know you think you would never fall for such a thing. If you think that, you’re a fool, and even worse, you are the best target for such an attack. Overconfidence is one trait that hackers often exploit. Anyone can fall for a well-designed phishing email. Anyone. All it takes is a little inside info, like this: “Your son Bob fell and hit his head today in kindergarten. Click here for additional medical information.”

Phishing attacks usually come in pairs. There’s a tempting email with click-bait, like the one above, and there’s a look-alike website. Hackers send the emails to get victims to click on a link to the website they control, then use that to collect login credentials for other attacks, or to infect visitors with malware, or both.

“We have no doubt in our minds” who is responsible, Microsoft’s Brad Smith said separately to the Associated Press, blaming Russia.

Russia denied knowledge of the attacks to the AP.

“Kremlin spokesman Dmitry Peskov cited the lack of detail on the hack, and said it wasn’t clear ‘who the hackers in question are,’” the AP reported.

Microsoft has the ability to take down such phishing companion sites efficiently, without going through the usual legal hoops, thanks to a federal court ruling last year that found what is essentially ongoing probable cause. That’s good; quickly knocking phishing companion websites offline is one of several steps in the strategy for defanging these attacks. It’s far easier than eliminating all spam, for example.

But it’s still a game of whack-a-mole.

“We’re concerned that these and other attempts pose security threats to a broadening array of groups connected with both American political parties in the run-up to the 2018 elections,” Microsoft’s Brad Smith said in a blog post about the attack.

It’s important not to be naive about this. Phishing sites keep popping up because they continue to work. Russians, and other hackers, don’t waste their time. So as long as these keep appearing, that means someone is falling for them.

There is an effectively unlimited supply of website domains that can look and sound like the real thing. Years ago I wrote about PayPai.com, which looked a lot like PayPal.com, and was used to steal credentials. That’s how easy this is.
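A defender-side version of the two checks recommended above, comparing a link’s visible text with its real destination (the “paste it into a text editor first” test) and spotting PayPai-style look-alike domains, as an added Python example that is not part of the original article; the sample mail body and the brand watch-list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mail body: the first link's visible text says paypal.com,
# but its real destination is a look-alike domain (cf. the PayPai.com case).
SAMPLE_EMAIL_HTML = """<p>Your account needs attention.</p>
<a href="https://www.paypai.com/login">https://www.paypal.com/login</a>
<a href="https://www.example.org/help">Help center</a>"""
BRANDS = ("paypal.com", "microsoft.com", "onedrive.com")  # assumed watch-list

class LinkExtractor(HTMLParser):  # collects (href, visible text) per <a> tag
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable_domain(url):  # last two host labels: "www.paypai.com" -> "paypai.com"
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])
def edit_distance(a, b):
    # Levenshtein distance; a one- or two-letter swap (l -> i) is a typosquat.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def check_link(href, text):
    findings, dest = [], registrable_domain(href)
    # The "paste it into a text editor" check: shown URL vs. real destination.
    if text.startswith(("http://", "https://", "www.")) and registrable_domain(text) != dest:
        findings.append(f"display text says {registrable_domain(text)} but link goes to {dest}")
    for brand in BRANDS:  # near miss against a watched brand, e.g. paypai.com vs paypal.com
        if dest != brand and edit_distance(dest, brand) <= 2:
            findings.append(f"{dest} looks like {brand}")
    return findings
def scan_email(html):
    parser = LinkExtractor()
    parser.feed(html)
    return {href: check_link(href, text) for href, text in parser.links}
```

Running `scan_email(SAMPLE_EMAIL_HTML)` flags the first link twice (text/destination mismatch and a one-letter near miss on paypal.com) and leaves the example.org link clean.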

Now is the time to be vigilant. You, your company, and your country are counting on you. Don’t click on any links in emails, period.

This article appeared originally here on BobSullivan.net.
