How That Fake DNC ‘Hack’ Got Shut Down so Quickly

The Democrats are on edge for good reason. They have a little experience with this.

What appeared to be an attempt by hackers to phish Democratic officials and obtain access to the party’s voter file this week turned out to be nothing more than a covert security exercise in Michigan. And while the party line now is that the incident shows how tight security really is—the FBI being called before anyone was tricked into giving up their password—the real credit belongs to a San Francisco-based company that, like the Democratic National Committee itself, was oblivious to what was really going on until less than 24 hours ago.

It’s been one hell of a busy week at Lookout, the mobile security firm that first detected the fraudulent site that was trying to capture login credentials to VoteBuilder, the platform Democrats use to track potential voters. Work at the firm has basically shut down as its security pros are spending most of their time fielding questions from reporters.

“We’ve been on the phone since Monday. We haven’t been able to do much else,” said Clinton Karr, a company spokesperson.

Late Wednesday, the DNC revealed that the attack it had announced earlier in the day was not an attack at all, but a security test performed without its knowledge. Gizmodo confirmed Thursday that the test was carried out by Michigan Democrats who are trying, wisely, to keep staff members on their toes in the face of ongoing digital threats from foreign adversaries. With the help of an outside firm, state party officials created a fake login page on a remote site that could be used to trick campaign staffers into surrendering logins, granting access to the platform used by Democratic candidates at every level—for fundraising activities, to create call lists, to develop canvassing strategies, and more.

What the Michigan Democrats didn’t foresee is the possibility of the fake site being detected by outside security professionals, who would in turn report it to the DNC, which had not been looped in on the exercise. That’s exactly what happened. By the time anyone in Michigan knew what was going on, newspapers nationwide were reporting a federal law enforcement investigation into an alleged attack on the Democratic Party.

Oops.

That the phishing attempt turned out to be fake doesn’t take away from the fact that Lookout, a security firm most consumers have never heard of, not only detected the website but had it shut down in roughly 24 hours. Had the attempt been real, the company would have been recognized for most likely saving the Democrats from a lot of familiar pain.

The system Lookout credits with detecting the fake phishing site was developed based on the research of Jeremy Richards, that company’s principal security intelligence engineer. Roughly a year ago, Richards began researching ways to detect phishing kits as they were launched online. The application responsible for detecting malicious-looking activity targeting the DNC doesn’t yet have a fancy name. It is simply called Phishing AI.

Richards’ background is in reverse engineering threats and he previously focused on examining signatures in network traffic caused by the execution of malware. In his work, Richards discovered a lot of overlap between malware command and control servers and phishing infrastructure, which on occasion could even be found on the same domain.

“I started to learn how phishers deploy and where they deploy,” he said. “I started watching what kind of signals are created, what kind of signals are generated during that process.”

Around August 2017, Richards began coding an application able to detect the deployment of phishing kits online, creating models that could identify and classify phishing sites in real time as they come online. In most instances, phishing sites are detected only after they’ve served their purpose—after a link has been sent out to dupe someone into coughing up a piece of sensitive information. Then they disappear. By the time a phishing site is logged, it’s usually too late. These are what Lookout calls “sacrificial lamb-based solutions.”

“We’re seeing thousands of phishing sites a day,” Richards said. “And that’s because they have to cycle so quickly to avoid being blocked by traditional means.”

The way Lookout’s AI detects phishing sites is something of a secret. Not only is the application a proprietary product, but disclosing too much about how it works would only give bad actors the key to defeating it.

The game Richards plays is cat and mouse. “It’s a game you’re familiar with coming from a malware protection standpoint. It’s not unfamiliar to me,” he says. “The phishing kits when they first came out were typically poorly written, bad copies, written in PHP, and they would either store credentials that were harvested or email them out. And while there’s still plenty of that—thousands per every day, in fact—it definitely trends now toward more sophisticated campaigns.”

For example, phishing attacks today often use one-time links, which make them far more difficult to track. “There’s also been a trend toward encrypting the HTML in the browser and having javascript decrypt it at run-time,” he says. “There’s definitely a lot of work on the phishers’ side to do obfuscation. And we’ve seen a lot of success in tackling that by analyzing the techniques from multiple angles.”
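To make the “multiple angles” idea concrete, here is an added example (not Lookout’s Phishing AI and not code from the article) that scores a fetched page for the decode-at-run-time pattern Richards describes: an opaque high-entropy blob inside a script, a decoder call, a DOM sink that writes the result, and static markup with no login fields. The sample pages and the thresholds are constructed assumptions.

```python
"""Heuristic scorer for the "encrypted HTML, decoded by JavaScript at run time"
pattern.  Constructed illustration, not Lookout's Phishing AI; thresholds are
assumptions chosen for the sample pages below."""
import base64
import math
import re

# Constructed samples: a plain login form, and the same form shipped as an
# opaque blob that inline JavaScript decodes and writes at page load.
FORM = ('<form action="/login" method="post"><input name="user">'
        '<input name="pass" type="password"></form>')
PLAIN_PAGE = f"<html><body>{FORM}</body></html>"
OBFUSCATED_PAGE = ('<html><body><script>var p="'
                   + base64.b64encode(FORM.encode()).decode()
                   + '";document.write(atob(p));</script></body></html>')

# Signals: a decoder, a sink that injects markup, and long quoted literals.
DECODERS = re.compile(
    r"\b(atob|unescape|decodeURIComponent|String\.fromCharCode|decrypt)\s*\(", re.I)
SINKS = re.compile(r"document\.write\s*\(|\.innerHTML\s*=|\beval\s*\(", re.I)
LITERAL = re.compile(r"""["']([^"'\s]{64,})["']""")
SCRIPT = re.compile(r"<script\b.*?</script>", re.S | re.I)


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_page(html: str) -> dict:
    """Combine independent signals; each is weak alone, but together they
    point at markup that only exists after client-side decoding."""
    scripts = " ".join(SCRIPT.findall(html))
    static = SCRIPT.sub("", html)  # markup visible without running JS
    # Encoded/encrypted payloads are long, whitespace-free and high-entropy.
    blobs = [s for s in LITERAL.findall(scripts) if shannon_entropy(s) > 4.5]
    signals = {
        "opaque_blob": bool(blobs),
        "decoder_call": bool(DECODERS.search(scripts)),
        "dom_sink": bool(SINKS.search(scripts)),
        # a credential page whose static markup has no inputs is suspicious
        "no_static_inputs": "<input" not in static.lower() and bool(scripts),
    }
    score = sum(signals.values())
    return {"score": score, "signals": signals, "suspicious": score >= 3}
```

The score is meant as a triage signal for a reviewer, not a verdict: legitimate single-page apps also build markup at run time, so a flagged page still needs the kind of human follow-up the article describes.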

The messages carrying the phishing links, too, are becoming more sophisticated, relying less on a traditional email, which people have become naturally suspicious of, to carry malicious links. Attackers have expanded significantly into SMS and social media, and are displaying a preference for targeting personal email over corporate. There’s far more reconnaissance involved today, which helps phishers craft unique messages for finely targeted attacks.

Lookout has even seen messages carrying malicious links that tell parents their sons or daughters have been in an accident, using their real names. “The kits have gotten more advanced, they can detect when they’re being analyzed, and the reconnaissance has dramatically improved because of how much our lives are online these days,” says Richards.

When Lookout’s application first launched eight months ago, it was focused on detecting threats that imitated roughly a dozen brands, mostly big ones: Microsoft, Google, and so on. Today, it’s trained to monitor for more than 40. But with all that, it’s still the phishing sites Lookout doesn’t immediately recognize that prove the most interesting. The DNC’s voter file program, for instance, was an unknown. That’s the only reason it bubbled to the top.

It was flagged as high-probability phishing, but Lookout’s AI could not by itself tell who or what the site was trying to mimic. This required the developer’s attention. “We saw this domain start to evolve over time. We were able to watch it change from not a phishing kit, to a very poor phishing kit with broken images, to a very sophisticated lookalike,” Richards says.

On Thursday, a California-based company called DigiDem confirmed that it had been hired by the Michigan Democratic Party to assist in conducting the test. “As part of that training, we ran tests on the Michigan state party campaign’s internal security measures which tripped an external alarm,” the group’s co-executive director, Alicia Rockmore, told Gizmodo. According to Lookout, DigiDem did a bang-up job.

“From the perspective that they were trying to emulate a real phishing attack, they did really well,” said Richards. “Otherwise it would have been very obvious from the beginning.”

While the test was not authorized by the DNC, and sounding a false alarm so loudly is likely to lead to some harsh criticism, the kind of test the Michigan Democrats conducted should be happening more, not less. At a White House briefing not two weeks ago, the nation’s top national security officials cautioned that foreign influence operations and attempts to undermine the country’s election infrastructure are on the rise, not abating simply because there’s now daily news coverage of their efforts.

“Our adversaries are trying to undermine our country on a persistent and regular basis,” warned FBI Director Christopher Wray, “whether it’s election season or not.”
