Pwn All The Things ‏on the industrial strength hack of John Podesta's emails seen on Wikileaks

Greg Dworkin2 Likes725 Views

Favicon for https://storify.com

Pwn All The Things @pwnallthethings
Could have hacked? Sure. Did hack? No. Let me go through why not. https://twitter.com/realDonaldTrump/status/816620855958601730 …
Wed, Jan 04 2017 12:25:25
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816621553643294720
Wed, Jan 04 2017 12:25:25
Pwn All The Things @pwnallthethings
So the actual email used to phish John Podesta ended up in the WIkileaks dump. It's here https://wikileaks.org/podesta-emails/emailid/36355 …
Wed, Jan 04 2017 12:27:05
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816621973971333120
Wed, Jan 04 2017 12:27:05
This is a reconstruction of that phishing email. (All of the information is bogus - the mention of Ukraine isn't relevant here). pic.twitter.com/EvFhdYfZaI
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:30:49
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816622915860963328
Wed, Jan 04 2017 12:30:49
You can't tell just by looking, but that "Change Password" link doesn't take you to Google. It takes you to Bit.ly. pic.twitter.com/e6Rm71YTfG
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:32:45
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816623399489441793
Wed, Jan 04 2017 12:32:45
This link expands to a fake login page (note URL is for a .tk site). This is what Podesta saw when he accidentally gave creds to hackers. pic.twitter.com/3Cc8KxvjNf
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:34:23
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816623812078956544
Wed, Jan 04 2017 12:34:23
Pwn All The Things @pwnallthethings
But the hackers screwed up. The hackers weren't hacking one-by-one; so URL contraction wasn't done manually. It was done via the Bitly API.
Wed, Jan 04 2017 12:35:56
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816624203835252736
Wed, Jan 04 2017 12:35:56
Pwn All The Things @pwnallthethings
Using the Bitly API requires you create an account. So the hackers had to create an account. And they forgot to make their account private.
Wed, Jan 04 2017 12:36:19
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816624297972273152
Wed, Jan 04 2017 12:36:19
Pwn All The Things @pwnallthethings
It's no longer possible - the hackers have changed their settings - but before you could simple enumerate ALL of the contracted links.
Wed, Jan 04 2017 12:36:44
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816624404918652928
Wed, Jan 04 2017 12:36:44
The Bitly link in John Podesta's email is visible in the Wikileaks dump here https://wikileaks.org/podesta-emails/emailid/36355 … pic.twitter.com/PNEN96Cfq3
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:38:37
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816624876119277568
Wed, Jan 04 2017 12:38:37
We can ask Bitly to expand it. This is what it says https://bitly.com/1PibSU0+ pic.twitter.com/uEvg25shJA
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:39:25
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816625077634600960
Wed, Jan 04 2017 12:39:25
Those gobble-de-gook strings aren't encrypted. They're Base64 encoded. In this case, it tells us the link was for john.podesta@gmail.com pic.twitter.com/ebLWQndneO
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:41:33
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816625617068236802
Wed, Jan 04 2017 12:41:33
Pwn All The Things @pwnallthethings
Why did the hackers include this info? Same reason they contracted links via API. Because they're not hacking 1-by-1. Are hacking at scale.
Wed, Jan 04 2017 12:42:31
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816625858517618689
Wed, Jan 04 2017 12:42:31
Pwn All The Things @pwnallthethings
This information lets their attack server populate fields to look more authentic (it's why it's able to pre-fill Podesta's name and picture)
Wed, Jan 04 2017 12:43:25
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816626085362278400
Wed, Jan 04 2017 12:43:25
Pwn All The Things @pwnallthethings
But it also means this opsec screw up is bad. Bc we can see the links contracted by the account, we can see all of the spearphishing URLs
Wed, Jan 04 2017 12:44:19
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816626310122500096
Wed, Jan 04 2017 12:44:19
Pwn All The Things @pwnallthethings
And the spearphishing URLs tells us the accounts that were targeted.
Wed, Jan 04 2017 12:44:43
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816626411591057408
Wed, Jan 04 2017 12:44:43
Pwn All The Things @pwnallthethings
How many accounts did this "14 year old" hack? About 1800. In 2015.
Wed, Jan 04 2017 12:45:20
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816626566453149696
Wed, Jan 04 2017 12:45:20
Who were these accounts? Mil, govt personnel in the West, defence cos, journos critical of govt in Russia etc pic.twitter.com/NyZEkWLncf
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:47:02
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816626996390268929
Wed, Jan 04 2017 12:47:02
Here's a pie chart of some of the accounts the 14 year old hacker hacked outside of Russian sphere of influence pic.twitter.com/AzdtL0Umbt
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:48:09
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816627274367823872
Wed, Jan 04 2017 12:48:09
This 14 year old is apparently an avid reader, given how many authors they're hacking. What are their interests? Another pie chart. pic.twitter.com/TKSXePJViJ
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:49:06
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816627513598345216
Wed, Jan 04 2017 12:49:06
Pwn All The Things @pwnallthethings
(These pie charts by @SecureWorks I should add, from here: https://www.secureworks.com/research/threat-group-4127-targets-google-accounts …)
Wed, Jan 04 2017 12:50:07
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816627773158649856
Wed, Jan 04 2017 12:50:07
And which countries is our friendly 14 year old hacker interested in? These ones. Remember. This is 1800 gmail accounts *in 2015 alone*. pic.twitter.com/TZ2B2p6bw9
Pwn All The Things @pwnallthethings
·
Wed, Jan 04 2017 12:51:11
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816628038670680068
Wed, Jan 04 2017 12:51:11
Pwn All The Things @pwnallthethings
Is it possible this was all a 14 year old? Sure. Also possible I'm a bridge salesman, and boy have I got a great deal for you today.
Wed, Jan 04 2017 12:53:52
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816628714280800256
Wed, Jan 04 2017 12:53:52
Pwn All The Things @pwnallthethings
When hackers hack at scale, they reuse infrastructure. They make mistakes. This isn't unusual. You can piece the bits together.
Wed, Jan 04 2017 12:57:41
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816629673820114944
Wed, Jan 04 2017 12:57:41
Pwn All The Things @pwnallthethings
And this isn't even the DNC hack. It's just the Podesta one. And it's only one of many different strands in just the public attribution case
Wed, Jan 04 2017 13:03:25
Reply Retweet Favorite
https://twitter.com/pwnallthethings/status/816631120196501504
Wed, Jan 04 2017 13:03:25

2