On Tuesday, Gizmodo published a story about how easy it was to get Trump Administration officials and associates to click a Phishing link. In order to do this, the Gizmodo Special Projects Desk developed a fake Google Docs email, complete with a false sign-in page.
During the elections last November, President Trump and his staff often pointed to the risks associated with Hillary Clinton's personal email server. The campaign was also full of discussions around the DNC hack, which started via a Phishing email.
In my opinion, the point Gizmodo was attempting to make with this story is that officials haven't changed their habits. Gizmodo can also argue that the public has a right to know that officials are still clicking potentially dangerous links in their email.
But does it cross a line when a news organization creates a Phishing simulation in order to develop news?
Gizmodo says their actions were a "security preparedness test" and directed emails towards Rudolph Giuliani (Trump cybersecurity advisor) and 14 others associated with the Trump Administration, including Newt Gingrich and James Comey, the former director of the FBI (who was still actively employed at the time of the test).
Gizmodo's test [archive copy] involved spoofing the sender's name to someone the target knew personally, but leaving the return email address intact – in this case it was:
The URL hosting the fake log-in page wasn't on a Google domain, and it, too, contained the word "test". Moreover, anyone who clicked the sign-in button was directed to a warning notification informing the user they were "the subject of a Gizmodo Media Group Special Projects Desk investigation into your digital security practices."
The news organization also placed text in the email body itself identifying the message as a page "built by Gizmodo Media Group to test your security acumen."
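The three tells the article describes (a familiar display name on an unfamiliar sender address, a "Google Docs" link whose host is not Google's, and a disclosure buried in the fine print) are exactly what a mail-triage check looks for. The following is an added example, not code from Gizmodo or from the article; the message, the address-book entry and the domains in it are constructed stand-ins, and the Gizmodo return address the article refers to is not reproduced here.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, modelled on the structure the article describes: the
# display name is a person the recipient knows, the real sender address is
# left intact (a made-up newsroom domain here), the "Google Docs" link points
# at a host that is not Google's, and the fine print admits it is a test.
SAMPLE_RAW = """\
From: Pat Friend <special.projects@newsroom.example>
Reply-To: special.projects@newsroom.example
To: recipient@example.org
Subject: Document shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p>Pat Friend has shared a document on Google Docs.</p>
<p><a href="https://docs-google-signin-test.example/login">Open in Google Docs</a></p>
<p style="font-size:8px">This page was built by Example Newsroom to test your security acumen.</p>
</body></html>
"""

# Constructed benign message from the same contact, using the real address.
BENIGN_RAW = """\
From: Pat Friend <pat@friendmail.example>
To: recipient@example.org
Subject: Document shared with you
Content-Type: text/html; charset=utf-8

<html><body>
<p><a href="https://docs.google.com/document/d/abc/edit">Open in Google Docs</a></p>
</body></html>
"""

# Constructed address book: the recipient's real contact for "Pat Friend".
ADDRESS_BOOK = {"pat friend": "pat@friendmail.example"}

# Hosts that legitimately serve the brand named in a link's text.
BRAND_HOSTS = {"google": ("google.com", "docs.google.com", "accounts.google.com")}


def _host_matches(host, allowed):
    """True if host is one of the allowed hosts or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(raw, address_book=ADDRESS_BOOK, brand_hosts=BRAND_HOSTS):
    """Return a list of findings for a raw RFC 5322 message (empty if clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # 1. Display-name spoof: the name is a known contact, the address is not.
    name, addr = parseaddr(msg.get("From", ""))
    known = address_book.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        findings.append(f"display-name spoof: '{name}' is {known}, message came from {addr}")

    # 2. Reply-To pointing somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch: {reply_to} != {addr}")

    # 3. Link text names a brand, but the link host is not that brand's.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        for brand, hosts in brand_hosts.items():
            if brand in text.lower() and not _host_matches(host, hosts):
                findings.append(f"link claims {brand} but points at {host}")

    # 4. The fine print the article mentions: the body says it is a test.
    if re.search(r"test your security", body, re.I):
        findings.append("body self-identifies as a security test")

    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_RAW):
        print("-", line)
```

The address-book comparison is the check that mobile clients skip for the user: a phone shows "Pat Friend" and hides the address, so the mismatch has to be found on the server side, where the full header is still visible.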
It's been done before:
Gizmodo said a test such as theirs has precedent, citing Red Team engagements conducted by Facebook and the USB drops performed by the Department of Homeland Security in 2011.
The thing is, Facebook and the Department of Homeland Security were authorized for their Red Team and awareness campaigns. Based on the article, none of the people tested by Gizmodo gave consent or were reasonably informed a news organization might be running Phishing simulations against them.
That's the key when it comes to Red Teams and awareness campaigns: they require permission.
Gizmodo didn't allow anyone to enter credentials, which mirrors actual Phishing simulations performed by some vendors in the space, but that wasn't the point of the story. The point it seems, was to see who clicked, and when.
Gizmodo said the targets were not as careless as the government employees who found USB sticks dropped by the DHS in a parking lot, but "some of them were still too trusting."
"Some of the Trump Administration people completely ignored our email, the right move. But it appears that more than half the recipients clicked the link: Eight different unique devices visited the site, one of them multiple times," Gizmodo reported.
"There’s no way to tell for sure if the recipients themselves did all the clicking (as opposed to, say, an IT specialist they’d forwarded it to), but seven of the connections occurred within 10 minutes of the emails being sent."
The two who did respond to the emails, James Comey and Newt Gingrich, were responding to people they thought they knew. Comey thought he was talking to a personal friend, and Gingrich thought he was talking to his wife. Both questioned the authenticity of the emails.
Gizmodo, based on the wording and account published, ran an unauthorized Phishing simulation against public figures and government officials in order to determine their security posture. This might sound like an awareness test, but it wasn't.
At no point did anyone who clicked the link in the emails receive additional training, or even a notice as to why clicking was the bad choice. Instead, they were told the email was part of a media investigation and that a reporter would be contacting them.
This test by Gizmodo only used a single round of emails. As such, there is no way to properly measure success or failure. After all, the point of awareness training is to change behavior, and you can't do that with a single email.
Gizmodo also didn't do any tracking to see who reported the email as Phishing. Then again, they couldn't have tracked this metric, because if the emails were reported, the reports would have gone to the recipient's IT staff.
What Gizmodo actually shows with their metrics is that 8 devices accessed their web page, but they have no idea who was on those devices at the time; that Comey has no problem talking to his friend; and Gingrich will hit reply to a message he believes is from his wife.
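The gap between "8 devices visited the page" and "who clicked" is a matter of how the links are built. An authorized simulation issues a unique token per recipient, so a click is attributed to a mailbox, a repeat visit is counted as one recipient, a forward to IT shows up as a second device on the same token, and a report is recorded against the recipient who sent it. The following is an added example, not Gizmodo's tooling or anything the article describes them running; the send time, recipient list and event log are all constructed.

```python
from datetime import datetime, timedelta

# Constructed send time and recipient list. Each recipient's link carries a
# token that belongs to that recipient alone.
SENT_AT = datetime(2017, 5, 9, 14, 0)
RECIPIENTS = {
    "tok-a1": "recipient1@example.org",
    "tok-b2": "recipient2@example.org",
    "tok-c3": "recipient3@example.org",
    "tok-d4": "recipient4@example.org",
    "tok-e5": "recipient5@example.org",
    "tok-f6": "recipient6@example.org",
}

# Constructed event log: (timestamp, token, device_id, event).
# device_id stands in for whatever the landing page fingerprints; None for
# a report, which arrives through the mail client rather than the page.
EVENTS = [
    (SENT_AT + timedelta(minutes=2), "tok-a1", "dev-1", "click"),
    (SENT_AT + timedelta(minutes=3), "tok-a1", "dev-2", "click"),   # forwarded to a second device
    (SENT_AT + timedelta(minutes=5), "tok-b2", "dev-3", "click"),
    (SENT_AT + timedelta(minutes=45), "tok-b2", "dev-3", "click"),  # repeat visit, same device
    (SENT_AT + timedelta(minutes=8), "tok-c3", "dev-4", "click"),
    (SENT_AT + timedelta(minutes=4), "tok-d4", None, "report"),
    (SENT_AT + timedelta(hours=3), "tok-e5", "dev-5", "click"),
    (SENT_AT + timedelta(minutes=1), "tok-zz", "dev-9", "click"),   # token never issued: a scanner or a guess
]


def summarize(recipients, events, sent_at, window=timedelta(minutes=10)):
    """Per-recipient metrics for one round of a simulated phishing send."""
    # Drop events whose token was never issued; they cannot be attributed.
    valid = [e for e in events if e[1] in recipients]
    clicks = [e for e in valid if e[3] == "click"]
    reports = [e for e in valid if e[3] == "report"]

    clicked = {e[1] for e in clicks}
    reported = {e[1] for e in reports}
    devices = {e[2] for e in clicks}
    fast_clicks = sum(1 for e in clicks if e[0] - sent_at <= window)

    return {
        "sent": len(recipients),
        "total_clicks": len(clicks),             # raw page hits, what a bare counter shows
        "unique_devices": len(devices),          # what device fingerprinting shows
        "clicked_recipients": len(clicked),      # what per-recipient tokens add
        "click_rate": len(clicked) / len(recipients),
        "clicks_within_window": fast_clicks,
        "reported_recipients": len(reported),
        "clicked_and_reported": len(clicked & reported),
        "never_interacted": len(set(recipients) - clicked - reported),
        "unattributed_events": len(events) - len(valid),
    }


if __name__ == "__main__":
    for key, value in summarize(RECIPIENTS, EVENTS, SENT_AT).items():
        print(f"{key:>22}: {value}")
```

On the constructed log the three counts disagree in both directions: six hits, five devices, four recipients. Neither of the first two numbers is the click rate, which is the point the article's "eight unique devices" cannot settle.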
The email states that it was a security test, and those who clicked the link were admonished in the story - "always read the fine print."
But the message tacked-on to the fine print only proves that people see what they need to in order to assess an email for context, and decide if they'll take action.
That the sender's name was spoofed while the real return address stayed visible isn't a "gotcha" moment either, because recipients reading on cellphones or tablets might never have seen the address in the first place; most mobile mail clients show only the display name.
But with all their metrics and observations, Gizmodo missed the larger concept I think: Anyone can be Phished.
As mentioned, Gizmodo cited the Department of Homeland Security's USB drop, a Red Team engagement, as precedent for the security assessment they performed.
It isn't clear if Gizmodo received permission to assess the head of the FBI, the FCC chairman, the White House Press Secretary, among others. If they didn't have that permission, this wasn't an authorized Red Team exercise.
Red Team engagements require permission, planning, coordination, and a strict adherence to scope – or the clearly defined limits as to who and what can be tested, when and how. Some security professionals will argue against scope in a Red Team gig, but few (if any) will argue against the need for permission.
Gizmodo got the story.
Shortly after it was published, security experts and other journalists discussed the topic online.
Some argue that since Gizmodo didn't store any data, the test was valid and important. Others focused on the missing authorization. Most centered on the fact that the results of Gizmodo's test were exactly what they should've been – people fell for Phishing, and this is completely expected.
Failure was the goal here. There was no win for those who received the "security acumen" test. Everyone can be Phished.
The story wasn't about a security test, at least that's not how I see it.
The story was about creating a fake email, sending it to public figures, and reporting on what happened next. If this had been a real security test, I'm not sure you'd get the same article.
Journalists conducting security testing isn't new, but it isn't common either. Years ago, during Black Hat in Las Vegas, three reporters from Global Security Magazine were kicked out of the conference after they sniffed traffic in the press room – something that is strictly forbidden.
While I could craft a Phishing attack and target public figures in order to see who clicks what, I personally don't see the value in that – because other than shaming those who fell for my trick, there is no lesson learned.
"Don't Click S---!" is the motto – but people click all the time. Where's the news in that?
I don't think I could pretend to be someone's wife for the sake of a story either, but that's just me. However, if it was an authorized Red Team engagement, and as part of my job, I was expected to compromise the individual – then yes, as long as I'm within scope, anything goes.
Some comments suggested that Gizmodo violated the AUP/TOS for their upstream providers, or that their test was somehow illegal. I don't think that's the case, and I'm sure Gizmodo's lawyers cleared the story.
My question centers on the impact – did Gizmodo hurt themselves in the long run? Will they have trouble getting access to security professionals, or officials?
That isn't clear, but I'd say it's unlikely. Most reporters don't rely on official access to do their jobs. It's helpful to have PR assistance, but it isn't a requirement.
In the end, what we have is a story about people who fell for a weak Phishing attack, which is a problem organizations and security teams the world over deal with on a daily basis.
It isn't news, it's reality.
Phishing is arguably one of the largest problems a network or individual will face online, and there is no easy answer when it comes to dealing with it. No quick fixes. None.
But you know what I observed in the story?
I observed two possible victims questioning what they see, and that is a good habit to form. So in my book, Comey and Gingrich passed the test.