Check Point Email Security | Blog

Gmail Exploit Allows DNC and Clinton Campaign Email Attack

Written by Michael Landewe | July 31, 2016

Hackers infiltrated Gmail accounts of the DNC and the Clinton Campaign, pointing to a pervasive weakness of cloud-based email.

NEW YORK, August 1, 2016

According to various national news sources, the Democratic National Committee (DNC) and Hillary Clinton campaign’s Gmail accounts were recently hacked. The resulting breaches enabled unauthorized access to sensitive information, such as campaign donor names, internal memos, and more.

Publicly available click data from bitly.com shows that 108 email addresses on the hillaryclinton.com domain were targeted with spear-phishing links, and that 20 of the targeted users actually clicked. The shortened link redirected to a fake Gmail login page built for credential harvesting. Among the 20 users who followed the link were a National Political Director, a Finance Director, and other high-ranking officials. (Source: https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign)

One might assume that attacking such a high-profile organization would require a sophisticated method or a zero-day vulnerability. The simplicity of the attack on the Clinton campaign is striking: it needed nothing more than a convincing email and a fake login page, which highlights a pervasive problem with cloud-based email security.

To execute an attack like this, a hacker simply needs to:

  1. Find out that the Clinton campaign uses Google-hosted email. (Publicly available: the domain's MX records point at Google.)
  2. Guess the email addresses of leading campaign members from their names. (Publicly available)
  3. Send them an email whose display name is someone they know, containing a link to a supposed document that actually leads to a fake Google login page.
  4. Wait for users to enter their real Google credentials into the fake portal.
  5. Harvest the submitted credentials and log in to the real accounts with them.

We demonstrated the attack in a video and describe preventative measures for cloud-based email below.


Are these hacks Google's fault? Could any mail server have been compromised the same way? The reality is that a cloud-hosted mail service such as Gmail or Office 365 is easier to attack today than an on-premises server was: when the mail server sat in the data center and end users sat behind the corporate firewall, a stack of security layers stood between the attacker and the user.

Here are the layers that existed in that model and that were either missing or failed to detect the spear-phishing email in this attack:

  1. Anti-phishing – Google has some native phishing detection, but it is not a best-of-breed defense, and it did not catch this email.
  2. Web filtering – Nothing blocked access to the suspicious link or checked where the shortened URL actually led before the user reached the fake login page.
  3. More secure login – Google offers added protections such as 2-Step Verification, but it does not enforce them or require stronger authentication when suspicious activity is detected, so harvested credentials could be used to log in.
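The following is an added example, not code from the original post or from Avanan or Check Point. It shows what the first two missing layers above would have looked at in the attack described in the steps list: the sender check flags a display name that matches a known contact but comes from a foreign address, and the link check flags URL shorteners, look-alike login hosts, and anchor text that names a different host than the link points to. The organization domain, contact list, shortener list and the lure message itself are all constructed for illustration.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed data for the example: known internal contacts, shorteners
# that hide a link's destination, and the real hosts for brands a fake
# login page is likely to imitate.
KNOWN_CONTACTS = {"Jane Doe": "jane.doe@example.org"}
SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "tinyurl.com"}
BRAND_HOSTS = {
    "google": ("google.com",),
    "microsoft": ("microsoft.com", "microsoftonline.com"),
}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_brand_host(host, domains):
    """True if host is one of the brand's real domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def check_sender(from_header):
    """Anti-phishing layer: a display name that matches a known contact
    but an address that is not that contact's is display-name spoofing."""
    name, addr = parseaddr(from_header)
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected:
        return [f"display name '{name}' spoofed from {addr}"]
    return []


def check_link(href, text):
    """Web-filtering layer: flag shorteners, look-alike login hosts, and
    anchor text that shows a different host than the href resolves to."""
    host = (urlparse(href).hostname or "").lower()
    reasons = []
    if host in SHORTENERS:
        reasons.append(f"shortened link hides destination: {href}")
    for brand, domains in BRAND_HOSTS.items():
        if brand in host and not is_brand_host(host, domains):
            reasons.append(f"look-alike {brand} host: {host}")
    shown = (urlparse(text).hostname or "").lower() if text.startswith("http") else ""
    if shown and shown != host:
        reasons.append(f"anchor text shows {shown} but link goes to {host}")
    return reasons


def analyze_message(raw):
    """Return a list of findings for one RFC 5322 message given as bytes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = check_sender(msg["From"] or "")
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(content)
    # Plain-text bodies have no anchors; fall back to bare URLs.
    links = collector.links or [(u, "") for u in re.findall(r"https?://[^\s\"'<>]+", content)]
    for href, text in links:
        findings.extend(check_link(href, text))
    return findings


# Constructed lure modelled on the attack above: a trusted display name
# from a foreign domain, a shortened link, and anchor text that looks
# like a Google Docs URL.
SAMPLE_LURE = b"""From: Jane Doe <jane.doe.docs@gmail-share.com>
To: staffer@example.org
Subject: Donor list for review
Content-Type: text/html; charset="utf-8"

<html><body><p>Please review the updated donor list:</p>
<a href="http://bit.ly/example1">https://docs.google.com/document/d/donor-list</a>
</body></html>
"""

if __name__ == "__main__":
    for finding in analyze_message(SAMPLE_LURE):
        print("FLAG:", finding)
```

These checks are heuristics, not a substitute for a gateway product; the point is that each one is cheap, runs before the user ever sees the message, and would have fired on every element of the lure described above (spoofed sender, shortened link, fake login destination). Resolving the shortener's redirect chain and comparing the final host the same way is the natural next step when network access is available.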

The Gmail user agreement makes it clear that the service is provided "as is," which in practical terms leaves the ultimate responsibility for security with the customer. The core issue is that the IT team that set up Google-hosted mail for the DNC may have assumed that Google would "take care of them." They clearly did not add the layers of security needed to prevent this type of common attack.

The problem is not unique to the Clinton team: most IT security professionals still lack knowledge of how to secure SaaS email. Nor is it unique to Google. In late June 2016, Avanan published a blog post on a massive attack against Microsoft Office 365 users that, though very different in target and details, exploited the same problem: missing security layers in cloud-based email.

This is the gap that the Avanan Cloud Security Platform solves. We did not reinvent security; we made it simple to add these security layers to services like Gmail and Office 365. Because many of the required technologies already exist from best-of-breed vendors, Avanan has cloudified them. With the click of a button, our customers can deploy these layers on Gmail, Office 365, or any other SaaS.

To learn more about the Clinton/DNC Gmail Attack, watch the August 9th Webinar: