Gizmodo's "security preparedness test" that targeted members of the Trump administration illustrates how everyone and anyone can fall for a phish.
In April 2017, Gizmodo's reporters sent a "security preparedness test" to 15 members of U.S. President Donald Trump's administration.
Rudolph Guiliani, Trump's digital security advisor; Sean Spicer, White House press secretary; and others received an email not entirely unlike the messages sent out by the Google Docs worm in early May.
The message mimicked an invitation to view a spreadsheet in Google Docs. Each email originated from firstname.lastname@example.org, but the Sender field displayed the name of a friend, colleague, or loved one to add to its legitimacy.
See that fine print at the bottom of the page?
"This page was built by Gizmodo Media Group to test your digital security acumen."
Yeah, the email clearly gives itself away as a means of testing recipients "digital security acumen." The Google logo even links to Gizmodo's website.
But it's not hard to imagine that many people might not have noticed that.
Those who clicked on the link found themselves presented with a fake Google login page that once again displayed the fine print and a linked image.
If someone then entered their credentials, Gizmodo didn't store their password. But it would display an alert notifying them of the exercise and stating that a reporter would contact them shortly.
The test did induce a few clicks. As Gizmodo's Ashley Feinberg, Kashmir Hill, and Surya Mattu explain:
"Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times. There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent."
Fortunately, no-one went so far as to hand over their login credentials.
James Comey, the former director of the FBI, and Newt Gingrich, an informal advisor to the President, even responded to the email inquiring into the contents of the spreadsheet. For the sake of the test's integrity, Gizmodo didn't respond to those inquiries.
Public reaction of the exercise has been mixed. Some have pointed to the need for more security awareness training among Trump's staffers. Others have argued (and argued against) the idea that the activity violated the U.S. Computer Fraud and Abuse Act (CFAA).
1/ What Gizmodo did phishing the Trump administration was not a violation of the CFAA.
— Rob Graham٩(●̮̮̃●̃) (@ErrataRob) May 10, 2017
In this case, the Graham Cluley Security News team agrees with the evaluation of CSO security journalist Steve Ragan.
Like Ragan, we're hesitant to accept Gizmodo's use of red team exercises conducted by Facebook and the Department of Homeland Security as precedents for their test. That's because these simulations required explicit permission - something which Gizmodo never received from the Trump administration. To be effective, these types of tests should also occur across several rounds and log who is entering their credentials. This simulation did neither of these things.
But Gizmodo's exercise did do something. As Ragan comments:
"In the end, what we have is a story about people who fell for weak Phishing attack, which is a problem organizations and security teams the world over deal with on a daily basis. It isn't news, it's reality. Phishing is arguably one of the largest problems a network or individual will face online, and there is no easy answer when it comes to dealing with it. No quick fixes. None."
No doubt tests such as Gizmodo's have a place in the Trump administration and every other organization. If your company isn't conducting its own simulations, it probably should. But to be truly effective in raising your workforce's security awareness, your company needs to give its permission for an exercise that should be ongoing and encompass all your employees.
To hear more views on Gizmodo's probe of the Trump administration's cybersecurity, be sure to listen to our recent "Smashing Security" podcast on the topic.Subscribe: Apple Podcasts | Google Play | Overcast | Stitcher | RSS for you nerds.