
posted by martyb on Friday October 21 2016, @04:02PM
from the gone-fishing dept.

On March 19 of this year, Hillary Clinton's campaign chairman John Podesta received an alarming email that appeared to come from Google.

The email, however, didn't come from the internet giant. It was actually an attempt to hack into his personal account. In fact, the message came from a group of hackers that security researchers, as well as the US government, believe are spies working for the Russian government. At the time, however, Podesta didn't know any of this, and he clicked on the malicious link contained in the email, giving hackers access to his account.

Months later, on October 9, WikiLeaks began publishing thousands of Podesta's hacked emails. Almost everyone immediately pointed the finger at Russia, which is suspected of being behind a long and sophisticated hacking campaign that has the apparent goal of influencing the upcoming US elections. But there was no public evidence proving the same group that targeted the Democratic National Committee was behind the hack on Podesta—until now.

The data linking a group of Russian hackers—known as Fancy Bear, APT28, or Sofacy—to the hack on Podesta is also yet another piece in a growing heap of evidence pointing toward the Kremlin. And it also shows a clear thread between apparently separate and independent leaks that have appeared on a website called DC Leaks, such as that of Colin Powell's emails; and the Podesta leak, which was publicized on WikiLeaks.

All these hacks were done using the same tool: malicious short URLs hidden in fake Gmail messages. And those URLs, according to a security firm that's tracked them for a year, were created with a Bitly account linked to a domain under the control of Fancy Bear.

 
  • (Score: 5, Informative) by butthurt (6141) on Friday October 21 2016, @05:36PM (#417328)
    Going by the image, I tried to type out the malicious link, which looked to me like

    http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password?e=am9obi5wb2Rlc3RhQGdtYWlsLmNvbQ%3D%3D&fn=Sm9obiBQb2Rlc3Rh&n=Sm9obg%3D%3D&img=Ly9saDQuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1RZVIPbHJkVGp2WS9BQUFBQUFBQUFBSS9BQUFBQUFBQUFCTS9CQIdVOVQ0bUZUWS9waG90by5qcGc%3D&id=1sutlodlwe

    I had trouble distinguishing "I" from "l" because of the font that was used.

    The e parameter is an e-mail address, with John Podesta's name in it, encoded in Base-64.

    The fn parameter is

    John Podesta

    encoded in Base-64.

    The n parameter is

    John

    encoded in Base-64.

    The img parameter is

    //lh4.googleusercontent.com/-QeRlrdTjvY/AAAAAAAAAAI/AAAAAAAAABM/B@U9T4mFTY/photo.jpg

    encoded in Base-64. When I prepended http: to turn that into a URL and tried to retrieve it, there was a 404 error.

    I've probably mistyped the id parameter. I tried a few combinations of "l" and "i" but didn't get valid Base-64. However, when I tried to open a mistyped variation of the google.com-securitysettingpage.tk URL, namely

    http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password?e=am9obi5wb2Rlc3RhQGdtYWIsLmNvbQ%3D%3D&fn=Sm9obiBQb2Rlc3Rh&n=Sm9obg%3D%3D&img=Ly9saDQuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1RZVIPbHJkVGp2WS9BQUFBQUFBQUFBSS9BQUFBQUFBQUFCTS9CQIdVOVQ0bUZUWS9waG90by5qcGc%3D&id=1sutlodlwe

    this happened:

    Resolving myaccount.google.com-securitysettingpage.tk (myaccount.google.com-securitysettingpage.tk)... 195.20.46.133
    Connecting to myaccount.google.com-securitysettingpage.tk (myaccount.google.com-securitysettingpage.tk)|195.20.46.133|:80... connected.
    HTTP request sent, awaiting response... 203 Non-Authoritative Information
    Length: 739 [text/html]
    [...]
    Last-modified header missing -- time-stamps turned off.

    I received this document:

    <html>
        <head>
            <title>myaccount.google.com-securitysettingpage.tk</title>
            <meta http-equiv="refresh" content="1; URL=http://domain.dot.tk/p/?d=MYACCOUNT.GOOGLE.COM-SECURITYSETTINGPAGE.TK&i=46.105.100.149&c=33&ro=0&ref=unknown&_=1477068470996"/>
            <script type="text/javascript">
            <!--
                function redir(){ var $fwd = 'http://domain.dot.tk/p/?d=MYACCOUNT.GOOGLE.COM-SECURITYSETTINGPAGE.TK&i=46.105.100.149&c=33&ro=0&ref=unknown&_=1477068470996'; if(window.parent){ window.parent.location=$fwd; }else{ window.location=$fwd; }}
            //-->
            </script>
        </head>
        <body onload="redir()">
            <script language="text/javascript">
            <!--
                window.setTimeout('redir();', 50 * 1);
            //-->
            </script>
        </body>
    </html>
  • (Score: 2) by linkdude64 (5482) on Sunday October 23 2016, @08:52AM (#417789)

    In English for the technoserfs?

    • (Score: 3, Informative) by butthurt (6141) on Monday October 24 2016, @03:27AM (#418026)

      Bit.ly is a URL shortening service. In the Vice Motherboard article there's a picture of a Bit.ly page, showing the expansion of the URL that was sent to John Podesta. The shortened URL is redacted from the picture. I attempted to read that long URL from the picture and type it out. There was some guesswork because the characters "I" and "l" look similar to each other (sorry but I don't know the English word for that).

      When I used the term "Base-64" that was incorrect. It's properly known as "base64url" and it's a means of representing an arbitrary series of bytes as plain text that can be included in a URL. Encoding the victim's name and e-mail address wasn't necessary for any technical reason, but makes it so that information isn't human-readable. Also encoded was something called the "id" which is a few bytes of non-textual information.

      https://tools.ietf.org/html/rfc4648#section-5 [ietf.org]

      It's similar to the Base64 encoding that's commonly used to encode e-mail attachments. If you look at the actual contents of an e-mail with a binary file attached, you're likely to see "Content-Transfer-Encoding: base64" followed by a series of numbers, upper- and lower-case letters, "+", and sometimes (only at the end) "=". There's an online encoding/decoding page at motobit.com [motobit.com] (no Javascript needed). If you encode "John" with that page, you'll get Sm9obg== as the result. In a URL, "=" has a special meaning, hence it is escaped [december.com] as "%3D" and the encoded text becomes Sm9obg%3D%3D.

      Have a look at the URL of this page. You're likely to see part of it that looks similar to comments.pl?sid=16108&threshold=-1 which means that there's a software script called comments.pl that runs on the SoylentNews server; the URL contains information that is passed to the script. In this case, sid is a number (16108) which identifies the story and threshold is a number (-1) indicating the "Threshold" I've chosen for reading comments. That's what I mean by "parameters." The script uses them to generate pages from a database. Similarly, the attacker's server could have generated pages using the parameters in that long URL; presumably it would have presented something along the lines of "John Podesta, you need to log in with your Google password to confirm you wish to opt out of Google+." Because the victim's name and e-mail address are contained in the URL, a database server may not have been needed.

      When I tried to open (my guess at) the URL in a browser, it redirected to http://www.dot.tk [www.dot.tk] which informed me that .tk domains can be registered free of charge. That's convenient for someone doing unsavoury things, because there's no payment to trace.
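An added worked example (not from the Motherboard article and not written by either commenter) that automates the decoding butthurt did by hand in the two comments above. It takes the commenter's transcription of the expanded link exactly as typed in the first comment, works out which domain actually receives the request (the registrable domain is com-securitysettingpage.tk; the "google.com" in front of it is just a subdomain label), and base64-decodes every query parameter, flagging any value that does not come back as printable text. With a transcription that confused I and l, that flag is exactly how the mistake surfaces: "img" and "id" decode to bytes with non-printable characters in them, while e, fn and n decode cleanly. The brand watch-list and the two-label registrable-domain rule are assumptions made for this example, not something the article or the thread states.

```python
"""Triage of a credential-phishing link like the one transcribed in this thread.

Added example; not code from the Motherboard article or from the commenters.
It parses the commenter's transcription of the Bitly-expanded URL (which, as
they note, may contain I/l mistakes), works out which domain actually receives
the request, and decodes each base64url parameter, flagging values that do not
come back as printable text.
"""
import base64
import binascii
from urllib.parse import parse_qs, urlsplit

# The commenter's transcription of the expanded link, copied from the thread above.
PHISH_URL = (
    "http://myaccount.google.com-securitysettingpage.tk/security/signinoptions/password"
    "?e=am9obi5wb2Rlc3RhQGdtYWlsLmNvbQ%3D%3D&fn=Sm9obiBQb2Rlc3Rh&n=Sm9obg%3D%3D"
    "&img=Ly9saDQuZ29vZ2xldXNlcmNvbnRlbnQuY29tLy1RZVIPbHJkVGp2WS9B"
    "QUFBQUFBQUFBSS9BQUFBQUFBQUFCTS9CQIdVOVQ0bUZUWS9waG90by5qcGc%3D&id=1sutlodlwe"
)

# Assumed watch-list of brands an attacker might plant in a hostname (example only).
BRANDS = ("google", "gmail", "microsoft", "apple")


def registrable_domain(host):
    """Last two labels of the host. Correct for single-label public suffixes such as
    .tk and .com; a production tool would consult the Public Suffix List so that
    co.uk and similar multi-label suffixes are handled (assumption: two labels)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brands(host, brands=BRANDS):
    """Brands that appear as a whole label in the host but do not own the registrable
    domain. 'myaccount.google.com-securitysettingpage.tk' is registered under
    'com-securitysettingpage.tk'; the 'google' label in front of it is decoration."""
    reg = registrable_domain(host)
    labels = host.lower().split(".")
    return [b for b in brands if b in labels and not reg.startswith(b + ".")]


def decode_b64url(value):
    """Decode base64url (RFC 4648 section 5) or plain base64, restoring padding that the
    sender may have dropped or percent-encoded. Raises binascii.Error on garbage."""
    std = value.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)


def describe(raw):
    """Return (text, printable). A name, address or URL that does not decode to printable
    text points at a mis-transcribed character (I vs l) or at genuinely binary data."""
    try:
        text = raw.decode("utf-8")
        if all(ch.isprintable() for ch in text):
            return text, True
    except UnicodeDecodeError:
        pass
    return raw.decode("utf-8", "backslashreplace"), False


def triage(url):
    """Host analysis plus a decoded view of every query parameter."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    report = {
        "host": host,
        "registrable_domain": registrable_domain(host),
        "lookalike_brands": lookalike_brands(host),
        "params": {},
    }
    for name, values in parse_qs(parts.query).items():
        for value in values:
            try:
                text, printable = describe(decode_b64url(value))
            except binascii.Error:
                text, printable = value, False  # not base64 at all; keep the raw value
            report["params"][name] = {"decoded": text, "printable": printable}
    return report


if __name__ == "__main__":
    result = triage(PHISH_URL)
    print("host:              ", result["host"])
    print("registrable domain:", result["registrable_domain"])
    print("lookalike brands:  ", result["lookalike_brands"])
    for name, info in result["params"].items():
        flag = "" if info["printable"] else "   <-- not printable text; check transcription"
        print(f"  {name:4s} = {info['decoded']!r}{flag}")
```

Running it prints the victim's address and name for e, fn and n, and marks img and id as not printable: the visible "I" characters in the transcription of img decode to control bytes, which is the transcription error the commenter suspected, and id never was text. The two-label registrable-domain rule is only a stand-in for a Public Suffix List lookup.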

      • (Score: 2) by linkdude64 (5482) on Wednesday October 26 2016, @12:16AM (#418778)

        Thank you very much!!!