Why the DNC Thought a Phishing Test Was a Real Attack
On Wednesday, the Democratic National Committee was alerted by Lookout, a mobile security firm, about an apparent phishing campaign. Someone had created a fake site that looked just like VoteBuilder, a DNC-managed database that contains years’ worth of voter information. Were an unsuspecting DNC employee to give the fake site their username and password, a malicious actor could potentially steal sensitive data. Alarmed, the DNC notified the Federal Bureau of Investigation. But it turns out not to have been a foreign attacker at all. It was, instead, part of a previously undisclosed test, authorized by the Michigan Democratic Party.
Lookout had alerted the DNC as well as DigitalOcean—the server company hosting the imposter—within hours of the fake site going live. The incident was initially touted as a success: a cyberespionage campaign thwarted before any data was stolen. Now, it instead raises questions about how a covert phishing simulation could have caught an understandably guarded group completely off guard.
“The test, which mimicked several attributes of actual attacks on the Democratic Party’s voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors,” Bob Lord, the Democratic National Committee’s chief security officer, said in a statement. “The party took the necessary precautions to ensure that sensitive data critical to candidates and state parties across the country was not compromised. There are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn’t an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks.”
As a result of the incident, the DNC is crafting new rules for state parties and other campaign organizations that want to run cybersecurity exercises, according to Politico. They will now be required to notify DNC headquarters of their plans.
The Michigan Democratic Party reportedly authorized a firm called DigiDems, which provides progressive campaigns with technology tools, to conduct a security test on the DNC without its knowledge, according to a source familiar with the matter. DigiDems did not immediately return a request for comment.
“Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked,” Brandon Dillon, the Michigan Democratic Party chair, said in a statement. “Cybersecurity experts agree this kind of testing is critical to protecting an organization’s infrastructure, and we will continue to work with our partners, including the DNC, to protect our systems and our democracy.”
But one phishing expert WIRED spoke to says the test wasn’t carried out according to information security industry best practices. Typically, an organization’s employees know ahead of time that a phishing exercise is taking place.
“This whole situation, based on the accounts I am reading, just stinks of amateurs that are unprepared and are unorganized about how to do this,” says Aaron Higbee, the CTO and co-founder of Cofense, a security firm that sends over a million simulated phishing emails each month. He points out that the Michigan Democrats failed to obscure the infrastructure they were using to conduct the test, making it easy for a third party like Lookout to discover the fake VoteBuilder site and assume the attempt was legitimate—which is exactly what happened.
“Lookout has since been notified by the DNC that they have identified this as a phishing attempt that was part of an unauthorized third-party test on its VoteBuilder system,” the company said in a statement.
The site was uncovered specifically by an artificial intelligence tool that Lookout built last year that monitors internet infrastructure organizations, like companies that offer free web hosting, to scan for suspicious new domains. It finds thousands of potential new spoofs each day, and regularly alerts the companies whose services hackers are trying to mimic.
Lookout trained the tool on a number of known phishing sites, which often impersonate the landing pages for services like Google Docs, Gmail, Facebook, Apple iCloud, or Microsoft Outlook. The AI looks for tell-tale signs of phishing, such as intentionally misspelled domains like “mail.g00gle.com.” In the DNC’s case, the AI detected that the phony VoteBuilder site might be for phishing, but couldn’t decipher what company it was aping, since VoteBuilder is a custom tool.
“In this case, what we found was a whole bunch of hallmarks of phishing,” says Jeremy Richards, a security intelligence engineer at Lookout. “But we didn’t know who it was trying to be, that’s a very interesting bucket for an analyst to look at.”
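The two outcomes described above (a spoof attributed to a known brand, versus a site with phishing hallmarks but no recognizable target) can be illustrated with a small lexical heuristic. This is an added example, not Lookout's tool or its model; the brand list, allowlist, keyword list and hostnames are constructed placeholders.

```python
from difflib import SequenceMatcher

# Constructed brand list and allowlist standing in for the sites a
# detector would be trained on; these are not Lookout's data.
KNOWN_BRANDS = ("google", "gmail", "facebook", "icloud", "outlook")
LEGIT_DOMAINS = {"google.com", "facebook.com", "icloud.com", "outlook.com"}
LOGIN_WORDS = ("login", "signin", "secure", "verify", "account")
# Digit-for-letter swaps commonly seen in look-alike hostnames (g00gle).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})

def labels(host):
    return host.lower().rstrip(".").split(".")

def hallmarks(host):
    """Cheap lexical signs of phishing, independent of any brand match."""
    labs = labels(host)
    found = []
    if any(lab != lab.translate(HOMOGLYPHS) for lab in labs):
        found.append("digit-for-letter substitution")
    if any(word in host.lower() for word in LOGIN_WORDS):
        found.append("credential keyword in hostname")
    if len(labs) >= 4:
        found.append("deeply nested subdomain")
    return found

def closest_brand(host):
    """Brand the hostname most resembles after undoing homoglyph swaps, or None."""
    best, score = None, 0.0
    for lab in labels(host)[:-1]:            # skip the TLD
        norm = lab.translate(HOMOGLYPHS)
        if len(norm) < 5:                    # 'www', 'mail': too short to judge
            continue
        for brand in KNOWN_BRANDS:
            if brand in norm:                 # 'g00gle', 'google-support'
                return brand
            ratio = SequenceMatcher(None, norm, brand).ratio()
            if ratio > score:
                best, score = brand, ratio
    return best if score >= 0.8 else None

def classify(host):
    """Return (verdict, brand, hallmarks) for a newly registered hostname."""
    registrable = ".".join(labels(host)[-2:])
    if registrable in LEGIT_DOMAINS:
        return ("legitimate", None, [])
    marks, brand = hallmarks(host), closest_brand(host)
    if brand:
        return ("impersonation", brand, marks)
    if marks:
        # The VoteBuilder case: looks like phishing, but the target is unknown,
        # so it goes to an analyst rather than to an automated brand notice.
        return ("suspicious-unknown-target", None, marks)
    return ("no-signal", None, [])
```

A custom tool such as VoteBuilder never appears in the brand list, so a convincing spoof of it lands in the analyst bucket rather than triggering a notification to the impersonated company.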
It remains unclear why the Michigan Democrats chose to keep quiet about a security test they conducted on their own party headquarters. At least they picked the right time for a simulated attack: just one day prior, three other tech companies announced they had discovered evidence of real coordinated misinformation and phishing campaigns. Microsoft President Brad Smith said his company caught a round of phishing attacks that targeted Republican political groups as well as the US Senate. Facebook CEO Mark Zuckerberg also said the company had shut down hundreds of pages, groups, and accounts believed to be affiliated mostly with Iran but also Russia. Twitter soon followed, saying it too had deleted nearly 300 accounts believed to be tied to Iran.
And foreign adversaries, also tied to Russia, have genuinely targeted individual political campaigns in recent weeks, including Claire McCaskill, a Missouri Senator, as well as several others. None of the attacks are believed to have been successful.
In 2016, however, John Podesta, then the chairman of Hillary Clinton’s campaign, did fall for a similar email phishing attack orchestrated by Fancy Bear, a group thought to be affiliated with Russian intelligence services. The group obtained over 20,000 of Podesta’s emails, which were subsequently released by WikiLeaks. Though this recent phishing test was kept a secret, the Democratic National Committee has conducted its own, similar phishing tests in the past.
This also isn’t the first time that a secret government phishing scheme has run amok. In 2010, security testers at the Guam Air Force base launched a covert phishing email, which falsely announced that Dreamworks was going to start filming Transformers 3 at the base, and asked personnel to fill out a web form with their information if they wanted to be considered to appear in the movie as extras. Unfortunately, the message circulated to friends and family outside the base as well, prompting local media inquiries about whether the movie was really going to be made.
Training politicians and their staffs to be aware of malicious phishing campaigns is a good thing. But there’s also no harm in warning them that a test is going to take place.