Yes, even celebrities and billionaires get tricked by phishing emails.
Note: This blog post is a write-up of my recent talk at BSides NYC.
Do you remember the 2014 Sony hack, when North Korean hackers hacked into Sony?
Or how about the 2016 hack when Fancy Bear, the Russian hacking group, hacked into John Podesta's email account and leaked all of his Clinton-related emails to WikiLeaks right before the 2016 U.S. presidential election?
Or what about the 2020 hack when Jeff Bezos's personal photos were leaked to the National Enquirer, and then the Enquirer used those photos to blackmail him?
What do these stories all have in common?

They all began with phishing attacks.
In today's blog post, we're going to walk through these three examples, starting from the least sophisticated phishing attack (Podesta) to the most sophisticated (Bezos). And we’ll learn how you can protect yourself from similar hacks happening to you. (Spoiler alert: I built a free anti-phishing plugin to protect people against attacks like this. But more on that later.)
Let's start with the least sophisticated attack.
The John Podesta Email Leak: A Bit.ly Blunder
In 2016, a Russian hacking group wanted to sow discord in the 2016 presidential election, so they decided to target John Podesta, Hillary Clinton’s campaign manager. Here is the actual email that Fancy Bear — the hacking group — sent to Podesta:

Right away, you may notice something weird about this email: if Google wanted you to reset your password, they probably would not send you to a Bitly link. (Bitly happens to be one of the top phishing sites in the world.)
John Podesta is a smart guy: he knew the email looked fishy, so he emailed IT and asked if it was real.
This was the response from Charles Delavan, head of IT:

You read that right: “This is a legitimate email.” (If even IT department heads fall for scams like this, nobody is safe.)
In Delavan’s defense, his response email contains the correct Google password-reset link: myaccount.google.com/security. The problem is that John Podesta went back and clicked the link in his original email: the Bitly link, which redirected to a cloned Google login site. Within seconds of Podesta typing his password into the cloned site, Fancy Bear snagged his password — and soon after, all of his emails too.

So how could this have been prevented? Enter Too Phishy.
Last year, I built a tool called Too Phishy: a Gmail plugin that attaches to your Gmail inbox.
If I could go back in time and force John Podesta to use my plugin prior to getting hacked, here’s what he would have seen when he opened the email from Fancy Bear:

In short, Too Phishy analyzes all the links in an email and highlights the well-known phishing sites. Had Podesta used my plugin, Clinton’s emails might have remained safe, she might have won the election, and 2016 wouldn’t have marked the end of democr… never mind, that’s a blog post for another time…
Now for a medium-sophistication attack: the 2014 Sony hack.
Like the Clinton hack, the Sony hack also began with a phishing link.
In 2014, North Korea wanted revenge for Sony’s release of the movie The Interview, a satirical movie that depicted the assassination of Kim Jong Un. So North Korea’s preeminent hacking group, Lazarus Group (also famous for the Bangladesh Bank heist and the WannaCry hack), began a spear phishing attack that targeted Sony executives. This was one of the many phishing emails that Lazarus Group sent to various Sony executives:

Like the Podesta email, Lazarus Group’s email purports to be from a legitimate tech company, Facebook. But you’ll quickly notice that the “Log In” button links to fancug.com, a domain name that is registered in South Korea. That's a red flag; since Facebook is a United States-based company, all of Facebook's “.com” URL domain names should be registered in the United States. Another red flag: fancug.com is not a top million link, i.e. one of the top million most commonly visited websites in the world.
When clicked, the fancug.com link directed the email recipient to a site hosted in South Korea, which, when visited, downloaded malware onto the recipient’s computer and initiated a command-and-control relationship with two servers in North Korea.
Knowing this, I designed Too Phishy to show email recipients the country of registration for every link in an email. And it also checks if the link is a top million link:
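As an added illustration (not Too Phishy’s own code), here is a Python sketch of the three link checks described above: flagging link shorteners like Bitly, checking each domain against a top-million list, and comparing a domain’s registrant country with the country of the brand the email claims to come from. The top-million list, shortener list and WHOIS-style country table are constructed stand-ins for the live data a real plugin would query.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins for the live data a plugin would query: a top-million
# site list (e.g. Tranco), a list of link shorteners, and WHOIS/RDAP
# registrant-country records. Values here are illustrative only.
TOP_MILLION = {"google.com", "facebook.com", "bit.ly"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
REGISTRANT_COUNTRY = {"google.com": "US", "facebook.com": "US",
                      "bit.ly": "US", "fancug.com": "KR"}

URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def registrable_domain(host):
    # Naive eTLD+1 (last two labels); a production check would use the
    # Public Suffix List so that e.g. "example.co.uk" is handled correctly.
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyze_link(url, brand_country="US"):
    """Return the red flags for one URL, given the country of the brand the
    email claims to come from (Google and Facebook are US companies)."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    flags = []
    # Shorteners are popular sites, so the top-million check alone would
    # pass them; the shortener check is what catches the Podesta-style link.
    if domain in SHORTENERS:
        flags.append("link shortener hides the real destination")
    if domain not in TOP_MILLION:
        flags.append("not a top-million site")
    country = REGISTRANT_COUNTRY.get(domain, "unknown")
    if country != brand_country:
        flags.append(f"registered in {country}, not {brand_country}")
    return {"url": url, "domain": domain, "country": country, "flags": flags}


def analyze_email(body, brand_country="US"):
    """Run analyze_link over every URL found in an email body."""
    return [analyze_link(u, brand_country) for u in URL_RE.findall(body)]


# Constructed email body modelled on the Sony lure (fancug.com is the domain
# named in the write-up; the path is made up).
SAMPLE_BODY = ("Someone tried to log in to your Facebook account. "
               "Log In: http://fancug.com/login to review.")

if __name__ == "__main__":
    for result in analyze_email(SAMPLE_BODY, brand_country="US"):
        print(result["domain"], result["country"], result["flags"])
```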
As you’re probably aware, hackers love causing two things: financial damage (usually accomplished by wiping victims’ hard drives), and embarrassment (by leaking personal information). Just like in the Clinton campaign hack, the Sony hackers leaked victims’ personal emails in order to cause maximum embarrassment. Amy Pascal, the executive who had arguably the most cringe-worthy emails, promptly resigned (it’s always the highest-ranking woman who gets fired, isn’t it?).

Ironically, The Interview got so much press from the Sony hack that despite the cancellation of its wide theater release, it still made $40 million, earning back its budget. And, perhaps even more surprisingly, Amy Pascal bounced back to produce the billion-dollar Spider-Man: Homecoming only two years later in 2017 and the Oscar-nominated Little Women in 2019. Take that, Lazarus Group.
And finally, the most advanced attack: the Jeff Bezos hack.
Often, when I speak about Jeff Bezos at conferences, no one has heard about his enormous hacking scandal.
Here are the bare facts of the scandal: Jeff Bezos was (and still is, unfortunately) the owner of The Washington Post. Around the beginning of 2018, Mohammed bin Salman (MBS), the Crown Prince of Saudi Arabia, became frustrated with the Post’s unfavorable coverage of the Middle East. So, as world leaders are wont to do, MBS decided to hack into Bezos’s phone and blackmail Bezos into more favorable coverage.
Thus, after the two met at a party in early 2018, MBS sent Bezos the following WhatsApp message:

MBS then sent a follow-up message to Bezos that contained a video. Embedded within the video was a zero-click exploit — that is, malware that silently installs itself on the recipient’s device without the recipient needing to click anything — which siphoned all the photos from Bezos’s phone to servers in the Middle East.
Then, suddenly, in January 2019, Bezos and his wife MacKenzie Scott announced their divorce. Following the news, the National Enquirer published a cover story that mentioned “the cheating photos that ended his marriage”:
When Bezos saw the article, he knew that someone had hacked his phone.
Now, unlike the other two phishing hacks in this post, the Bezos hack was never investigated by the FBI, so we’ll have to trust the FTI Consulting report that Bezos commissioned.
One month after the Enquirer article was published, Bezos penned this blog post, revealing that he had been hacked and that the National Enquirer was using these hacked photos to blackmail him. He even published the blackmail letter itself, with the itemized list of photos they had stolen from his phone (including a “below the belt selfie”).

How could Bezos have protected himself?
The truth is that if someone is willing to pay a million dollars for a zero-click exploit to get into your phone, it’s pretty hard to stop them. But there’s one obvious thing Bezos could have done: turned off automatic downloads in WhatsApp (in fact, in all of his messaging apps). This would have prevented the zero-click exploit from getting onto his phone in the first place.
Are you thinking, “Eh, I’m not worried about this happening to me. I’m not a billionaire”? Think again: a recent study from iVerify found that seven out of 2,500 investigated phones had similar spyware installed on them, and that those phones belonged to a “cross section of society” — not just billionaires and politicians. Indeed, it’s never a bad idea to check your phone for spyware, no matter who you are.
I’m still not convinced. Who cares about phishing anymore? It’s 2025.
When I read cybersecurity news these days, there’s less coverage of phishing than there was ten years ago. Many people think phishing is a solved problem: in 2022, Gmail started requiring domain authentication for bulk email senders; subsequently, they saw a 75% drop in unauthenticated emails. (Microsoft adopted a similar authentication requirement at the same time, and saw a similar drop.) Indeed, according to the FBI Internet Crime Report, phishing dipped slightly in 2022, likely as a result of these bulk email sender authentication measures:

But if you look at the above graph, you probably notice that phishing is still — even in 2023 — five times more common than the next most common internet crime. Hackers can still get people to click links.[1] Plus, there are always going to be vulnerable users.
Furthermore, no phishing filter is perfect, because hackers are always innovating and coming up with new tricks for getting email users to click links. As recently as 2022, Gmail’s seemingly impervious phishing filter was found to miss 626 phishing emails per 100,000:

Sure, 626 is a small number, but as we've seen today, it only takes one phishing email for a catastrophe to happen. So stay vigilant! (And install Too Phishy.)
[1] In fact, SPF and DKIM are actually kind of easy to get around. Just look at the lookalike attack email example from Reply All, when one of the employees of Gimlet Media tricks the CEO into clicking a link in a phishing email by sending him an email from replyall@girnletmedia.com (because the “r” and “n” in “girnlet” look like an “m” in the email client’s font).
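The girnletmedia.com trick is a lookalike (homoglyph) domain, and it is exactly the case SPF and DKIM cannot help with, since the impostor domain authenticates perfectly well as itself. As an added example (not code from Reply All or from Too Phishy), this Python snippet folds character sequences that render alike in common fonts and compares the result against a list of trusted domains; the confusable table is hand-built and generalizes beyond the rn/m pair in the footnote.

```python
# Pairs of glyph sequences that read alike in proportional fonts, mapped to a
# canonical form. Hand-built starting point; Unicode's confusables.txt is the
# exhaustive reference if you want to go further.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain):
    """Fold a domain to its visual skeleton: 'girnletmedia.com' -> 'gimletmedia.com'."""
    s = domain.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def lookalike_of(sender_domain, trusted_domains):
    """Return the trusted domain that sender_domain visually impersonates,
    or None if it is a trusted domain itself or collides with none."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted_domains:
        return None
    sk = skeleton(sender_domain)
    for trusted in trusted_domains:
        if skeleton(trusted) == sk:
            return trusted
    return None


def check_sender(address, trusted_domains):
    """Flag a From: address whose domain is a lookalike of a trusted one.
    Such a message can still pass SPF and DKIM, because those only prove
    the mail really came from the lookalike domain."""
    domain = address.rsplit("@", 1)[-1]
    target = lookalike_of(domain, trusted_domains)
    if target is None:
        return None
    return f"{address} looks like {target} but is not it"


if __name__ == "__main__":
    # Constructed example based on the Reply All episode described above.
    print(check_sender("replyall@girnletmedia.com", {"gimletmedia.com"}))
```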