Cracking computer systems is hard. Cracking people? Not as hard.
And the easiest way to trick humans is one of the oldest tricks on the internet: email.
“Humans are curious,” said Oren Falkowitz, the CEO of Area 1 Security, a cybersecurity company that works with the campaigns of several Democratic presidential candidates. “You get a message that looks like it’s from your boss ... you want to click on it.”
Fake email, or phishing, attempts remain a major threat to presidential campaigns ahead of the 2020 election, just as they did four years ago when suspected Russian hackers swiped emails from the Democratic National Committee and a senior campaign official for Hillary Clinton.
This type of email-based cyberattack remains a tried-and-true way for hackers to try to obtain access to computer systems and files, and security experts said they expect to see more of it in the months ahead.
Its status as a preferred hacking tactic was highlighted again Monday with a report that Russians had launched a phishing campaign against Burisma Holdings, the Ukrainian natural gas company at the center of the Trump impeachment case.
Phishing attempts involve email messages that try to get people to click on suspicious links or open dodgy files, often leading to fake pages to steal login credentials. They date back to the rise of email in the 1990s, though these days malicious links can be found nearly anywhere, including in direct messages in social media apps.
They’re effective for a simple reason: people can’t help but click.
Byers Market Newsletter
Get breaking news and insider analysis on the rapidly changing world of media and technology right to your inbox.
There were about 1,000 phishing attempts in the last two months against each of the leading Democratic candidates, and in a fifth of the attacks, hackers were able to get control of the target’s email accounts, according to Area 1’s research, which was first reported by The New York Times.
The country’s election security chief, Shelby Pierson, said Tuesday that U.S. intelligence agencies are tracking hacking activity by Russia’s military intelligence agencies, but that there are limits to what the government can do to help political campaigns.
An estimated 3 billion phishing emails are sent a day, according to email security firm Agari, and the numbers show no sign of slowing.
“Attack volume is up significantly,” Armen Najarian, Agari’s chief identity officer, said. “And more importantly, not only is the volume up, but so is the attack sophistication.”
Phishing attacks drastically shifted political debate and media coverage leading up to the 2016 presidential election.
John Podesta, the Clinton campaign chairman, was the victim of a phishing attack on his Gmail account, and his emails were later released publicly by the website WikiLeaks. Attacks by Russian intelligence officers on the DNC also used phishing attempts, according to federal prosecutors.
And while there have been a variety of warnings about new threats and strategies to counter them, the basic challenges of phishing persist.
Falkowitz, whose firm specializes in deterring phishing attacks, said that while there are any number of other security threats and strategies to deal with them, addressing phishing remains the most urgent need for both campaigns and the security industry.
“People started focusing on esoteric things like threat intelligence and all these exotic workarounds instead of going to the heart of the problem, which is phishing,” he said.
Journalists have been pressing the top Democratic presidential campaigns and President Donald Trump’s re-election campaign to outline their security practices and how they plan to fend off phishing and other types of attacks. Some have outlined steps, including cybersecurity training, while others have declined to share details. On Wednesday, The Wall Street Journal reported that the cybersecurity chief for Pete Buttigieg’s campaign had resigned over undisclosed differences.
More sophisticated phishing attacks often use web domains that are similar to well-known addresses but that are slightly misspelled. Or the name that’s displayed may be carefully crafted to imitate a corporate brand or that of an individual.
And because campaigns are a high-profile target, efforts to crack into email accounts can be highly customized and targeted — an attack known as spear phishing.
Fewer email recipients are clicking on phishing emails these days — around 3 percent clicked links in 2018 in internal corporate exercises, a sharp decline from nearly 25 percent in 2012, according to a report last year from data breach investigators at Verizon.
But some security experts say that political campaign staff may be more vulnerable than a typical office worker or an email recipient.
“Many people are passionate, ready to take action and receiving a deluge of communication from new sources,” Orion Cassetto, the director of product marketing at security firm Exabeam, said. “This is a perfect storm that leaves ample opportunity for people to fall victim to well-crafted phishing emails disguised as communication from political organizations and candidates.”