
Emrys

Emrys's Journal
January 4, 2017

Proof that, contrary to Trump, it's unlikely a random "14-year-old" phished Podesta's email

Trump cited his BFF Julian Assange's words in the Hannity interview to support his insistence that Russia wasn't responsible for the Podesta hack (and by extension, the DNC hack):

Donald J. Trump @realDonaldTrump

Julian Assange said "a 14 year old could have hacked Podesta" - why was DNC so careless? Also said Russians did not give him the info!


Here's a condensed version of some recent tweets from Pwn All The Things, who's done what the media seem incapable of and pulled together information from various sources:

Pwn All The Things @pwnallthethings

Could have hacked? Sure. Did hack? No. Let me go through why not.

So the actual email used to phish John Podesta ended up in the Wikileaks dump. It's here

https://t.co/H6ACVvnOXH
This is a reconstruction of that phishing email. (All of the information is bogus - the mention of Ukraine isn't relevant here)



You can't tell just by looking, but that "Change Password" link doesn't take you to Google. It takes you to Bit.ly.

This link expands to a fake login page (note URL is for a .tk site). This is what Podesta saw when he accidentally gave creds to hackers.



But the hackers screwed up. The hackers weren't hacking one-by-one; so URL contraction wasn't done manually. It was done via the Bitly API.

Using the Bitly API requires you create an account. So the hackers had to create an account. And they forgot to make their account private.

It's no longer possible - the hackers have changed their settings - but before you could simply enumerate ALL of the contracted links.

The Bitly link in John Podesta's email is visible in the Wikileaks dump here https://wikileaks.org/podesta-emails/emailid/36355



We can ask Bitly to expand it. This is what it says https://bitly.com/1PibSU0+



Those gobbledygook strings aren't encrypted. They're Base64 encoded. In this case, it tells us the link was for john.podesta@gmail.com



Why did the hackers include this info? Same reason they contracted links via API. Because they're not hacking 1-by-1. Are hacking at scale.

This information lets their attack server populate fields to look more authentic (it's why it's able to pre-fill Podesta's name and picture)

But it also means this opsec screw up is bad. Bc we can see the links contracted by the account, we can see all of the spearphishing URLs

And the spearphishing URLs tell us the accounts that were targeted.

How many accounts did this "14 year old" hack? About 1800. In 2015.

Who were these accounts? Mil, govt personnel in the West, defence cos, journos critical of govt in Russia etc



Here's a pie chart of some of the accounts the 14 year old hacker hacked outside of Russian sphere of influence



This 14 year old is apparently an avid reader, given how many authors they're hacking. What are their interests? Another pie chart.



(These pie charts by @SecureWorks I should add, from here: https://www.secureworks.com/research/threat-group-4127-targets-google-accounts)

And which countries is our friendly 14 year old hacker interested in? These ones. Remember. This is 1800 gmail accounts *in 2015 alone*.



Is it possible this was all a 14 year old? Sure. Also possible I'm a bridge salesman, and boy have I got a great deal for you today.

When hackers hack at scale, they reuse infrastructure. They make mistakes. This isn't unusual. You can piece the bits together.

And this isn't even the DNC hack. It's just the Podesta one. And it's only one of many different strands in just the public attribution case.


Full tweet thread here: https://twitter.com/pwnallthethings/status/816629673820114944
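As an added example (not code from the thread or from SecureWorks), here is a small Python triage helper for the decoding step the thread describes: given the expanded landing URL of a reported phishing link, it Base64-decodes each query parameter and reports any that decode to an e-mail address, which tells an incident responder which account the lure was built for. The landing URL, the e-mail address and the parameter names (acct, ref, n) are constructed for the example.

```python
import base64
import binascii
import re
from typing import Dict, Optional
from urllib.parse import parse_qsl, unquote, urlparse

EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

# Constructed sample: a lookalike .tk landing URL that carries the target's
# e-mail Base64-encoded in a query parameter, plus a display name and an
# unrelated token. "YW5h..." is the Base64 of analyst-test@example.com.
SAMPLE_URL = (
    "http://accounts-login.example.tk/signin?"
    "acct=YW5hbHlzdC10ZXN0QGV4YW1wbGUuY29t"
    "&ref=abc123"
    "&n=Sm9obiBEb2U"
)


def decode_b64_loose(value: str) -> Optional[str]:
    """Decode a Base64 value as found in a URL: tolerate URL-safe alphabet,
    percent-encoding and stripped '=' padding. Return None if it is not
    Base64 text at all."""
    raw = unquote(value).strip()
    padded = raw + "=" * (-len(raw) % 4)  # restore padding the sender dropped
    try:
        # urlsafe_b64decode also accepts the standard '+' and '/' alphabet
        text = base64.urlsafe_b64decode(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.isprintable() else None


def extract_targets(landing_url: str) -> Dict[str, str]:
    """Return {parameter_name: email} for every query parameter whose
    Base64 decoding is an e-mail address, i.e. the account the page was
    pre-filled for. Non-Base64 and non-e-mail values are ignored."""
    query = urlparse(landing_url).query
    found: Dict[str, str] = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = decode_b64_loose(value)
        if decoded and EMAIL_RE.match(decoded):
            found[name] = decoded
    return found


if __name__ == "__main__":
    for param, email in extract_targets(SAMPLE_URL).items():
        print(f"parameter {param!r} identifies targeted account: {email}")
```

Run it over each landing URL a shortener expansion yields and the output is the list of targeted accounts to check for credential entry and force a reset on.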
