The NY Times has a long piece about how the Russians apparently hacked the DNC and then John Podesta. There are several Keystone Kops moments (some lowlights by AllahP at Hot Air), but this has captured my attention:
Hundreds of similar phishing emails were being sent to American political targets, including an identical email sent on March 19 to Mr. Podesta, chairman of the Clinton campaign. Given how many emails Mr. Podesta received through this personal email account, several aides also had access to it, and one of them noticed the warning email, sending it to a computer technician to make sure it was legitimate before anyone clicked on the “change password” button.
“This is a legitimate email,” Charles Delavan, a Clinton campaign aide, replied to another of Mr. Podesta’s aides, who had noticed the alert. “John needs to change his password immediately.”
With another click, a decade of emails that Mr. Podesta maintained in his Gmail account — a total of about 60,000 — were unlocked for the Russian hackers. Mr. Delavan, in an interview, said that his bad advice was a result of a typo: He knew this was a phishing attack, as the campaign was getting dozens of them. He said he had meant to type that it was an “illegitimate” email, an error that he said has plagued him ever since.
The Times links to the relevant Wikileaked email, which reads as follows:
This is a legitimate email. John needs to change his password immediately, and ensure that two-factor authentication is turned on his account...
Now, call in the forensic team, because we have an "a" / "an" problem. These two phrases are grammatically correct:
(1) This is a legitimate email, or
(2) This is an illegitimate email.
But that is a heck of a typo if he truly intended to write "This is a illegimate email". What are kids being taught in school these days?
But To Be Fair, the grammatically challenged techie continued with good advice in the fateful email:
He can go to this link: https://myaccount.google.com/security to do both.
It is absolutely imperative that this is done ASAP. If you or he has any questions, please reach out to me at 410.562.9762
He did NOT advise them to click on the link in the suspect email, but instead directed them to the known Google website. He was very probably thinking "This is a legitimate problem" and presented a sensible solution.
Had he been a bit more verbal, or the recipient a bit more tech-savvy, history would have changed! Oh, well - as PT Barnum nearly said, no one ever went broke underestimating the intelligence of DNC staffers.
My advice for anyone pondering an email and wondering whether it is a phishing attempt comes from the classic Ronin, delivered by Robert DeNiro: "Whenever there is any doubt, there is no doubt."
The risk-return of experimenting with a dubious email link is hopelessly unfavorable. If the underlying message seems plausible, make your own way to the appropriate website, ignoring any seemingly-helpful links provided in the email.
Make America's Emails Great Again!