The technology site Gizmodo is taking some heat for its “stunt hacking” attempts targeting officials associated with the Trump administration.
The site emailed a fake invitation to view a Google Docs spreadsheet from a Gizmodo email address, but with the sender’s display name mimicking someone the recipient would know — a family member, colleague or friend. If the recipient clicked the link, it took them to a page that looked like a Google sign-in page and asked them to enter their Google credentials.
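The two tells in the mechanism just described, a familiar display name paired with an address that contact never uses, and a "Google Docs" link whose host is not Google's, are both checkable mechanically. The following is an added example of such a defender-side check, not Gizmodo's tooling or anything the article describes being used; the address book, domains and sample message are constructed.

```python
"""Display-name impersonation check (added example, not from the article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed address book: names the recipient knows, mapped to the
# addresses those people really send from (hypothetical values).
KNOWN_CONTACTS = {
    "ben wittes": {"ben@lawfare.example"},
    "callista gingrich": {"callista@example.org"},
}
# Hosts a genuine Google Docs sharing link would point at.
LEGIT_LINK_HOSTS = {"docs.google.com", "drive.google.com"}
URL_RE = re.compile(r"https?://([^/\s\"'>]+)", re.IGNORECASE)


def display_name_mismatch(from_header):
    """Return (name, addr) if the display name is a known contact but the
    address is not one that contact uses; None when nothing is wrong."""
    name, addr = parseaddr(from_header)
    key = " ".join(name.lower().split())
    expected = KNOWN_CONTACTS.get(key)
    if expected and addr.lower() not in expected:
        return name, addr
    return None


def suspicious_link_hosts(body):
    """Return link hosts in the body that are not Google Docs hosts."""
    hosts = {m.group(1).lower() for m in URL_RE.finditer(body)}
    return sorted(h for h in hosts if h not in LEGIT_LINK_HOSTS)


def assess(raw_message):
    """Run both checks on one raw RFC 822 message and list the findings."""
    msg = message_from_string(raw_message)
    findings = []
    mismatch = display_name_mismatch(msg.get("From", ""))
    if mismatch:
        findings.append("display name %r sent from unexpected address %s" % mismatch)
    for host in suspicious_link_hosts(msg.get_payload()):
        findings.append("sharing link points at non-Google host %s" % host)
    return findings


# Constructed sample shaped like the stunt: known name, foreign address, odd link.
SAMPLE = ("From: Ben Wittes <specialprojects@gizmodo.example>\n"
          "Subject: Spreadsheet shared with you\n\n"
          "Ben Wittes invited you to view a spreadsheet:\n"
          "https://docs.gizmodo-audit.example/open?id=1\n")
```

Running `assess(SAMPLE)` returns two findings, one per tell; a message from the contact's real address with a docs.google.com link returns none.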
Gizmodo said over half the officials connected to the Trump administration clicked on the link.
The site said it did not collect any of the personal information, such as passwords, that the clickers entered. But the fake attack is nonetheless drawing criticism.
Jake Laperruque, a senior counsel for The Constitution Project, who previously worked for Sen. Al Franken (D-Minn.), slammed Gizmodo publicly for its “grossly irresponsible” test.
He said Gizmodo’s article could have the opposite of its intended effect: rather than merely showing that vulnerabilities exist, it could make individuals more vulnerable through a short chain of consequences. The article could inspire others to publicly list figures who are susceptible to phishing, and once that list is public knowledge those figures become more attractive targets for a real malicious attack.
“I’m less concerned about it encouraging copycats in the form of actual malicious hacks — hopefully illegality would discourage that — but am very worried that this will lead to efforts that list out public figures that seem vulnerable to hacking,” Laperruque wrote in an email Tuesday. “That would create serious cybersecurity risks and expose individuals to malicious hacks. Hopefully this activity will be condemned as seriously irresponsible and not repeated in the future on any scale.”
Gizmodo said it emailed the fake link to 15 people, including White House press secretary Sean Spicer, former FBI Director James Comey, senior adviser to the president Stephen Miller, deputy assistant to the president Sebastian Gorka, White House adviser Peter Thiel, White House cybersecurity adviser Rudy Giuliani and informal adviser to the president Newt Gingrich.
“Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times,” Gizmodo.com said in its Tuesday report of the test.
Gizmodo said it does not know exactly who clicked on the link, but it does know that Comey and Gingrich opened the emails, because both replied.
“Comey, apparently believing that he was writing to his friend, Lawfareblog.com editor-in-chief Ben Wittes, wrote: ‘Don’t want to open without care. What is it?’ And Gingrich, apparently under the impression he was responding to an email from his wife, Callista, wrote: ‘What is this?’” the site writes.
Gizmodo said it did not respond to Comey’s or Gingrich’s emails, adding that in a real phishing attempt “the replies could have given the sender a chance to more aggressively put their targets at ease and lure them in,” exposing their email accounts and personal information to the attackers.
Gizmodo said it placed disclaimers throughout the test “for careful readers” to notice that it was a stunt hack.
“In addition to the giveaway in the form of the email address, the last line of the invitation revealed that it had been sent to test the recipient’s digital security acumen … Anyone who clicked the sign-in button would receive a message alerting them to the fact that they’d just taken part in a security audit by the Special Projects Desk. It included our contact information,” the site continued.
Markus Jakobsson, the chief scientist for Agari, an internet company that aims to eliminate email cyber attacks, disputed that the individuals who clicked on the link are “negligent or clueless,” saying these phishing attempts are sophisticated.
“The fact that half of their targets fell for the ruse isn’t shocking. It doesn’t show that the Trump administration is negligent or clueless,” Jakobsson said in a Wednesday blog post. “The administration, simply, is made up of people, and this is what people do. For those who think we should hold the victims accountable for their actions, I have one piece of advice: give it a rest. That might have been possible five years ago, before the level of sophistication of email attacks rose to the current level.”
He instead argued that technology needs to advance to the point that it warns users when a phishing attempt is underway.
“Instead, we need to usher in a new era of security technologies that are automated ‘guardian angels’ to all recipients of a protected organization, and which identify risk … by determining whether an email would be deceptive to the recipient,” he writes.