How a simple phishing trick snared Clinton staffer John Podesta

By Bob Sullivan

A simple, decade-old trick likely led to the hacking of senior Hillary Clinton staff members. If John Podesta can fall for it, with the presidential election at stake, so can you. So listen up.

I know I sound like a broken record when I warn people to think before they click, and I know most people think they’ll never fall for silly hacker tricks, but hey, this stuff is important. It very well might have an impact on who gets to be the leader of the free world.


Information continues to trickle out of hacked emails that come from senior officials in Clinton’s campaign team, including campaign chairman John Podesta. This week brought additional evidence describing how it happened. It was pretty easy.

The Clinton campaign has not commented on reports that part of the email threads released last Friday by WikiLeaks includes discussion about a phishing campaign aimed at Podesta.

It appears that Podesta, and hundreds of other Clinton campaign workers, received targeted phishing emails telling them they had to change their password immediately. Of course, workers who fell for the email were led to a look-alike password-reset page controlled by the attackers, where anything they typed went straight to the people running the scam.

Part of the reason the ruse worked is that the links used the URL-shortening service Bitly, which turns long web addresses into short ones for convenience. Bitly also has the unfortunate property of hiding where a click actually leads until it is too late: the short link reveals nothing about the destination, so the look-alike address never appears in the message itself.

For years, I’ve thought this to be a security flaw inherent in link shorteners, and I believe Bitly and other URL shorteners need to engineer a fix.

In the meantime, you need to know three critical things:

• Bitly links can’t be trusted. Never click on a Bitly link when anything even remotely sensitive is involved.

• Any plea to urgently change your password should be met with serious skepticism. When you decide to do so, always manually type the service’s address into your web browser and navigate to its password update page. Never click on a link telling you to do so. Even if you’re sure it’s legitimate.

• The presidential election might hang in the balance because of this simple hack. So, yes, anyone can fall for it. You can, too.
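The article’s point about shorteners is that the short link hides the landing page, and its advice is to check the real destination before trusting a password-reset link. The script below is an added example, not code from the article or from Bitly, showing how to do that check: it reads each redirect’s Location header without ever loading the final page, then compares the landing host against the domain you actually expect, so that look-alikes such as `accounts.google.com.example-security.net` are rejected even though they begin with the real name. The short links, redirect table and `example-security.net` domain are constructed for the demo; a `live_fetch_location` helper is included for real use, but the offline table is what runs by default.

```python
"""Expand a shortened link by reading redirect headers only, then check the
landing host against the service you expect.  Added example; the redirect
table and domains below are constructed, not taken from any real campaign."""
from urllib.parse import urlparse, urljoin

# Constructed sample standing in for live 301/302 responses.  A real
# shortener answers a HEAD request with a Location header; this table plays
# that role so the example runs offline.
SAMPLE_REDIRECTS = {
    "https://bit.ly/examplelink": "https://t.co/examplehop",
    "https://t.co/examplehop": "http://accounts.google.com.example-security.net/reset",
    "https://bit.ly/legitlink": "https://myaccount.google.com/security",
}


def fake_fetch_location(url):
    """Offline stand-in: return the Location header for url, or None."""
    return SAMPLE_REDIRECTS.get(url)


def live_fetch_location(url, timeout=5):
    """Real HEAD request with automatic redirects disabled (network needed).
    Returns the Location header for a 3xx answer, None for anything else."""
    import http.client
    p = urlparse(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.netloc, timeout=timeout)
    try:
        path = (p.path or "/") + ("?" + p.query if p.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "link-check"})
        resp = conn.getresponse()
        return resp.getheader("Location") if 300 <= resp.status < 400 else None
    finally:
        conn.close()


def expand(url, fetch_location=fake_fetch_location, max_hops=10):
    """Walk the redirect chain one Location header at a time.
    Returns every hop, first to last, without fetching the final page body."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        loc = fetch_location(chain[-1])
        if loc is None:
            return chain
        nxt = urljoin(chain[-1], loc)   # Location may be relative
        if nxt in seen:
            raise ValueError("redirect loop at %s" % nxt)
        seen.add(nxt)
        chain.append(nxt)
    raise ValueError("more than %d redirects" % max_hops)


def host_belongs_to(url, expected_domain):
    """True only if the host is expected_domain itself or a subdomain of it.
    Matching on the dot boundary is what defeats look-alikes that merely
    start with the real name (google.com.evil.example) or end in a similar
    string (notgoogle.com)."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    expected_domain = expected_domain.lower().rstrip(".")
    return host == expected_domain or host.endswith("." + expected_domain)


def check_link(url, expected_domain, fetch_location=fake_fetch_location):
    """Summarise where a link really lands and whether that is acceptable."""
    chain = expand(url, fetch_location)
    final = chain[-1]
    return {
        "final": final,
        "hops": len(chain) - 1,
        "https": urlparse(final).scheme == "https",
        "trusted_host": host_belongs_to(final, expected_domain),
    }


if __name__ == "__main__":
    for link in ("https://bit.ly/examplelink", "https://bit.ly/legitlink"):
        print(link, "->", check_link(link, "google.com"))
```

The `trusted_host` test is deliberately stricter than "does the address contain the service name": it requires the registered domain to sit at the end of the hostname on a dot boundary. Running the constructed phishing link reports a plain-http landing page on a host that is not `google.com` at all, which is exactly the fact the short link was hiding. Bitly itself also exposes a link’s destination if you append a plus sign to the short URL and open that in the browser, which is a reasonable manual check when you cannot run a script.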

(Editor’s note: This article was originally published in
