Gizmodo security test proves everyone (even Donald Trump’s team) can get phished

And that permission for red team exercises is important…

David bisson
David Bisson
@
@DMBisson

Gizmodo security test proves everyone (even Donald Trump's team) can get phished

Gizmodo‘s “security preparedness test” that targeted members of the Trump administration illustrates how everyone and anyone can fall for a phish.

In April 2017, Gizmodo‘s reporters sent a “security preparedness test” to 15 members of U.S. President Donald Trump’s administration.

Rudolph Guiliani, Trump’s digital security advisor; Sean Spicer, White House press secretary; and others received an email not entirely unlike the messages sent out by the Google Docs worm in early May.

Sign up to our free newsletter.
Security news, advice, and tips.

The message mimicked an invitation to view a spreadsheet in Google Docs. Each email originated from [email protected], but the Sender field displayed the name of a friend, colleague, or loved one to add to its legitimacy.

Phishing email
Source: Gizmodo.

See that fine print at the bottom of the page?

“This page was built by Gizmodo Media Group to test your digital security acumen.”

Yeah, the email clearly gives itself away as a means of testing recipients “digital security acumen.” The Google logo even links to Gizmodo‘s website.

But it’s not hard to imagine that many people might not have noticed that.

Those who clicked on the link found themselves presented with a fake Google login page that once again displayed the fine print and a linked image.

Phishing test page

If someone then entered their credentials, Gizmodo didn’t store their password. But it would display an alert notifying them of the exercise and stating that a reporter would contact them shortly.

Szb0q5jrw50nyajpj2fu
Source: Gizmodo

The test did induce a few clicks. As Gizmodo‘s Ashley Feinberg, Kashmir Hill, and Surya Mattu explain:

“Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times. There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent.”

Fortunately, no-one went so far as to hand over their login credentials.

James Comey, the former director of the FBI, and Newt Gingrich, an informal advisor to the President, even responded to the email inquiring into the contents of the spreadsheet. For the sake of the test’s integrity, Gizmodo didn’t respond to those inquiries.

Public reaction of the exercise has been mixed. Some have pointed to the need for more security awareness training among Trump’s staffers. Others have argued (and argued against) the idea that the activity violated the U.S. Computer Fraud and Abuse Act (CFAA).

In this case, the Graham Cluley Security News team agrees with the evaluation of CSO security journalist Steve Ragan.

Like Ragan, we’re hesitant to accept Gizmodo‘s use of red team exercises conducted by Facebook and the Department of Homeland Security as precedents for their test. That’s because these simulations required explicit permission – something which Gizmodo never received from the Trump administration. To be effective, these types of tests should also occur across several rounds and log who is entering their credentials. This simulation did neither of these things.

But Gizmodo‘s exercise did do something. As Ragan comments:

“In the end, what we have is a story about people who fell for weak Phishing attack, which is a problem organizations and security teams the world over deal with on a daily basis. It isn’t news, it’s reality. Phishing is arguably one of the largest problems a network or individual will face online, and there is no easy answer when it comes to dealing with it. No quick fixes. None.”

No doubt tests such as Gizmodo‘s have a place in the Trump administration and every other organization. If your company isn’t conducting its own simulations, it probably should. But to be truly effective in raising your workforce’s security awareness, your company needs to give its permission for an exercise that should be ongoing and encompass all your employees.

To hear more views on Gizmodo‘s probe of the Trump administration’s cybersecurity, be sure to listen to our recent “Smashing Security” podcast on the topic.

Smashing Security #020: 'Phishing for Donald Trump'

Listen on Apple Podcasts | Spotify | Pocket Casts | Other... | RSS
More episodes...


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

2 comments on “Gizmodo security test proves everyone (even Donald Trump’s team) can get phished”

  1. M.Sirrell

    Apparently there's little or no public interest defence in the US to protect journalists bending or breaking the law in carefully defined and documented ways in pursuit of a legitimate story. It's been used in the UK to try to defend pretty indefensible tactics like phone hacking and bribing public officials (prison officers, soldiers) for stories and/or pictures that the "normal" reptiles of Fleet St can't get, eg some D division celeb banged up in their cell. HOWEVER, it's also been used to protect legitimate journalistic endeavour. The classic example would be the various demonstrations of smuggling guns and knives airside or even onto aircraft to show up crap airport security. There's clearly a legimate public interest in publicising the fact that, eg, airport security doesn't work very well. And if security's improved as a consequence, that's a bonus.

  2. Thomas D Dial

    The exercise results are decidedly mixed. From the article: "Fortunately, no-one went so far as to hand over their login credentials." So none of the targets actually fell for the phish, contrary to the headline and lead paragraph. That is good news. It is, on the other hand, bad news if anyone followed the link from other than an isolated secure environment, an act could have allowed introduction of a compromise. Unfortunately that seems likely in view of the reported short delay between sending of the message and activation of the link. Officials (and those who screen their email) need to do a better job, as hard as that may be given the likely volume of their email correspondence.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.