Accurate, Focused Research on Law, Technology and Knowledge Discovery Since 2002

Report: Hackers use simple trick to target U.S. presidential campaign and government officials

Mashable: “Hacking email accounts doesn’t have to be a sophisticated affair.

We are reminded once again of this fact thanks to a report released Friday by the Microsoft Threat Intelligence Center detailing how a group of hackers targeted the email accounts of journalists, government officials, and the campaign of a U.S. presidential candidate. And here’s the thing, the bad actors didn’t use some fancy 1337 computer skills, but rather employed the oldest trick in the book: the password reset.

According to Microsoft, over a 30-day period in August and September of this year, hackers likely affiliated with the Iranian government went after 241 email accounts and successfully compromised four. The MTIC dubbed the group Phosphorous, and explained how the team operated.

“Phosphorous used information gathered from researching their targets or other means to game password reset or account recovery features and attempt to take over some targeted accounts,” reads the blog post. “For example, they would seek access to a secondary email account linked to a user’s Microsoft account, then attempt to gain access to a user’s Microsoft account through verification sent to the secondary account.” Importantly, MTIC writes that the four compromised accounts were not tied to the U.S. presidential campaign. But, still, this isn’t good.

Password-reset features come in many forms, from questions about where you went to high school or your mother’s maiden name to sending a link or code to a secondary email address or phone number. The former opens victims up to attack by anyone who knows how Google works, while the latter makes your primary email only as secure as your linked secondary email or cell phone…”
