How Three Phishing Attacks Resulted in Celebrity Scandal
Note: This blog post is a write up of my recent talk at BSides NYC.
Do you remember the 2014 Sony hack, when North Korean hackers hacked into Sony?
Or how about the 2016 hack when Fancy Bear, the Russian hacking group, hacked into John Podesta's email account and leaked all of his Clinton-related emails to WikiLeaks right before the 2016 U.S. presidential election?
Or what about the 2020 hack when Jeff Bezos's personal photos were leaked to the National Enquirer, and then the Enquirer used those photos to blackmail him?
What do these stories all have in common?

They all began with phishing attacks.
In today's blog post, we're going to walk through these three examples, starting from the least sophisticated phishing attack (Podesta) to the most sophisticated (Bezos). And we’ll learn how you can protect yourself from similar hacks happening to you. (Spoiler alert: I built a free tool called Too Phishy. But more on that below.)
Let's start with the least sophisticated attack.
The John Podesta Email Leak: A Bit.ly Blunder
In 2016, a Russian hacking group wanted to sow discord in the 2016 presidential election, so they decided to target John Podesta, Hillary Clinton’s campaign manager. Here is the actual email that Fancy Bear — the hacking group — sent to Podesta:

Right away, you may notice something weird about this email: if Google wanted you to reset your password, they probably would not send you to a bit.ly link. (Bitly happens to be one of the top phishing sites in the world.)
But John Podesta is a smart guy, and he didn’t immediately click. He knew the email looked fishy, so he emailed IT and asked if he should take the email seriously. And this was the response from Charles Delevan, the head of IT:

You read that right: “This is a legitimate email.” (If even IT department heads fall for scams like this, nobody is safe.) In Delevan’s defense, the link in his response email is correct: myaccount.google.com/security. The problem was that John Podesta went back and clicked the link in his original email: the bit.ly link, which redirected to a cloned Google login site. Within seconds of Podesta typing in his password on the cloned site, Fancy Bear snagged his password, and soon after, all of his emails too.

So how could this have been prevented?
Enter Too Phishy
Last year, I built a tool called Too Phishy: a Gmail plugin that attaches to your Gmail inbox. (Hey mom, it made the Google Top Rated page!)
If I could go back in time and force John Podesta to use my plugin, here’s what he would have seen when he opened the email from Fancy Bear:
In short, Too Phishy analyzes all the links in an email and highlights the well-known phishing sites. Had Podesta used my plugin, Clinton’s emails might have remained safe, she could have won the election, and 2024 wouldn’t have marked the end of democr… nevermind, that’s a blog post for another time…
Now for the medium sophistication attack: the Sony hack.
Like the Clinton hack, the Sony hack began with a phishing link.
Back in 2014, North Korea wanted revenge for Sony’s release of the movie The Interview, a satirical movie that depicted the assassination of Kim Jong Un. So North Korea’s preeminent hacking group, Lazarus Group (also famous for the Bangladesh Bank heist and the WannaCry hack), hacked into Sony via a spear phishing attack that targeted Sony executives. This was one of the many phishing emails that Lazarus Group sent:

Like the Podesta email, this phishing email purports to be from a legitimate tech company, Facebook.
Notice that the “Log In” button links to fancug.com, a domain name that is registered in South Korea. That's a red flag; all of Facebook's domain names are registered in the United States. Also, fancug.com is not on the Tranco top million list (i.e. the ranking of the million most visited websites on the internet).
The fancug.com link, when clicked, linked to a site hosted in South Korea, downloading malware and initiating a command-and-control relationship between the targeted Sony executive's computer and two servers in North Korea.
So that's another check that Too Phishy does. It checks each link’s country of registration, and it also checks if the link is a top million link:
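The link checks described for the Podesta email (a URL shortener hiding the real destination, link text that does not match the href) and for the Sony email (a domain that is neither on the Tranco top million nor registered in the same country as the brand it imitates) can be combined into one triage pass over an email body. The block below is an added illustration written for this post; it is not Too Phishy's code. The shortener set, the Tranco sample and the registration-country table are constructed stand-ins (only fancug.com's "KR" comes from the post); a real implementation would load the published Tranco CSV and query WHOIS/RDAP instead.

```python
"""Link triage for an email body: shortener, top-million and registration-country checks.

Added illustration, not Too Phishy's code. Every data table below is a
constructed stand-in: the real checks would use the published Tranco CSV and
a WHOIS/RDAP lookup instead of these dictionaries.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: well-known URL shorteners (the post singles out bit.ly).
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

# Constructed stand-in for the Tranco top-million list.
TRANCO_SAMPLE = {"google.com", "facebook.com", "amazon.com", "wikipedia.org"}

# Constructed stand-in for a registrant-country lookup (fancug.com's "KR"
# is taken from the post; the other entries are assumptions).
REGISTRATION_COUNTRY = {"google.com": "US", "facebook.com": "US", "fancug.com": "KR"}


class _LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain (last two labels). Real code should use the
    public suffix list so that e.g. example.co.uk is handled correctly."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def analyze_link(href, text, claimed_sender_domain):
    """Return the warnings for one link; an empty list means nothing was flagged."""
    dom = registered_domain(urlparse(href).hostname or "")
    warnings = []
    if dom in URL_SHORTENERS:
        warnings.append(f"{dom} is a URL shortener, so the real destination is hidden")
    if dom not in TRANCO_SAMPLE:
        warnings.append(f"{dom} is not in the top-million list")
    country = REGISTRATION_COUNTRY.get(dom)
    expected = REGISTRATION_COUNTRY.get(claimed_sender_domain)
    if country and expected and country != expected:
        warnings.append(f"{dom} is registered in {country}, "
                        f"but {claimed_sender_domain} is registered in {expected}")
    # Anchor text that looks like a URL but whose domain differs from the href.
    if "." in text and " " not in text:
        shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
        if shown and registered_domain(shown) != dom:
            warnings.append(f"link text shows {shown} but points at {dom}")
    return warnings


def analyze_email(html_body, claimed_sender_domain):
    """Map every href in the body to its list of warnings."""
    parser = _LinkExtractor()
    parser.feed(html_body)
    return {href: analyze_link(href, text, claimed_sender_domain)
            for href, text in parser.links}


# Constructed samples modelled on the two emails discussed in the post.
PODESTA_STYLE = ('<p>Someone has your password.</p>'
                 '<a href="https://bit.ly/abc123">https://myaccount.google.com/security</a>')
SONY_STYLE = ('<p>You have new notifications.</p>'
              '<a href="http://fancug.com/login">Log In</a>'
              '<a href="https://www.facebook.com/settings">Settings</a>')

if __name__ == "__main__":
    for name, body, sender in (("podesta", PODESTA_STYLE, "google.com"),
                               ("sony", SONY_STYLE, "facebook.com")):
        for href, warnings in analyze_email(body, sender).items():
            print(name, href, warnings or "ok")
```

Run stand-alone, the bit.ly link collects three warnings (shortener, not top-million, text/href mismatch), the fancug.com link two (not top-million, registered in a different country from facebook.com), and the genuine facebook.com link none. The registration check is deliberately silent when the country is unknown, since an absent WHOIS record is a different signal from a mismatched one.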
As you’re probably aware, hackers love two things: causing financial damage (usually by wiping victims’ hard drives), and causing embarrassment (by leaking personal data). In rare cases, hackers will go so far as to leak incriminating emails to the press. Just like in the Clinton campaign hack, that’s what happened here.

Amy Pascal, the executive with the most cringe-worthy emails, promptly resigned amid a flurry of criticism (it’s always the highest-ranking woman who gets fired, isn’t it?).
Ironically, The Interview got so much press from the Sony hack that despite the cancellation of its wide theater release, it still made $40 million, earning back its budget. And perhaps even more surprisingly, Amy Pascal bounced back to produce the billion-dollar Spider-Man: Homecoming only two years later in 2017 and the Oscar-nominated Little Women in 2019.
And finally, the most advanced attack: the Jeff Bezos hack.
Often, when I speak about the Jeff Bezos hack at conferences, no one has heard about it.
Here are the bare facts of the scandal: Jeff Bezos was (and still is) the owner of The Washington Post. Around the beginning of 2018, Mohammed bin Salman, the Crown Prince of Saudi Arabia, became frustrated with the Post’s unfavorable coverage of the Middle East. So, as world leaders are wont to do, MBS – as the crown prince is known – decided to hack into Jeff Bezos’ phone. After the two met at a party, MBS sent Bezos the following WhatsApp message:

MBS then sent a follow-up message to Bezos that contained a video. Embedded within the video was a zero-click exploit (that is, malware that silently installs itself on the recipient's device without the recipient needing to click anything), which siphoned personal data from Bezos’ phone to servers in the Middle East.
In January of 2019, Bezos and his wife MacKenzie Scott announced their divorce. Following the news, the National Enquirer published a cover story that mentioned “the cheating photos that ended his marriage”:
When Bezos saw the article, he knew someone had hacked his phone.
Now, unlike the other two phishing hacks in this post, the Bezos hack was never investigated by the FBI (they declined), so we’ll have to trust the FTI Consulting report that Bezos commissioned.
The report says that within an hour of Bezos receiving the video message, all of his personal data from his phone was sent to a remote server in the Middle East.
Indeed, one month after the Enquirer article was published, Bezos penned this blog post, revealing that he had been hacked and that the National Enquirer was using these hacked photos to blackmail him. He even published the blackmail letter itself, with the itemized list of photos they had stolen from his phone (including a “below the belt selfie”).
“If in my position I can’t stand up to this kind of extortion, how many people can?”
- @jeffreypbezos
How could Bezos have protected himself?
The truth is that if someone is willing to pay a million dollars for a zero-click exploit to get into your phone, it’s pretty hard to stop them. But there’s one obvious thing Bezos could have done: turned off automatic downloads in all of his messaging apps.
And if you’re thinking, “No one’s going to pay a million dollars to hack me, I’m not a billionaire,” think again: a recent study from iVerify found that seven out of 2,500 investigated phones had similar spyware installed on them, and that those phones belonged to a “cross section of society” — not just billionaires and politicians. So another thing you can do is download spyware detection software like iVerify.
Who cares? It’s 2025. Isn’t phishing dead?
When I read cybersecurity news these days, there’s less coverage of phishing than there was ten years ago. Many people think phishing is a solved problem: in 2022, Gmail started requiring domain authentication for bulk email senders; subsequently, they saw a 75% drop in unauthenticated emails. (Microsoft adopted a similar authentication requirement at the same time.) Indeed, according to the FBI Internet Crime Report, phishing dipped slightly in 2022, likely as a result of these measures:

But if you look at the above graph, you probably notice that phishing is still — even in 2023 — five times more common than the next most common internet crime.
Hackers can still get people to click links.1 Plus, there are always going to be vulnerable users. Phishing is still alive and well. In fact, as recently as 2022, Gmail still misses 626 phishing emails per 100,000:

Sure, 626 is a small number, but as we've seen today, it only takes one phishing email for a catastrophe to happen. So stay vigilant! (And install Too Phishy.)
In fact, SPF and DKIM are actually kind of easy to get around. Just look at the lookalike attack email example from Reply All, when one of the employees of Gimlet Media tricks the CEO into clicking a phishing email by sending him an email from replyall@girnletmedia.com (because the “r” and “n” in “girnlet” look like an “m” in email provider font).
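The lookalike trick works precisely because SPF and DKIM only authenticate a message as coming from the domain it claims, not as coming from the domain the reader thinks they are looking at: whoever registers girnletmedia.com can publish valid SPF and DKIM records for it, and both checks pass. The block below is an added example written for this post (not from Reply All, Gimlet Media or Too Phishy) showing a receiver-side check that reads the Authentication-Results header and then compares the sender domain against a set of trusted domains after folding visually confusable sequences such as "rn" for "m". The trusted-domain set, the confusable table and the sample headers are constructed.

```python
"""Sender check that does not stop at SPF/DKIM: flag lookalike domains.

Added illustration, not from the original post. The trusted-domain set, the
confusable table and the sample headers are constructed; an attacker who owns
girnletmedia.com can publish valid SPF and DKIM records for it, so those
checks pass and only the lookalike comparison catches the substitution.
"""
import re

# Constructed: domains this organisation's staff regularly correspond with.
TRUSTED_DOMAINS = {"gimletmedia.com", "google.com"}

# Character sequences that render almost identically in common email fonts.
# Each entry maps the lookalike sequence to what the eye reads.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "|": "l"}

AUTH_RESULT_RE = re.compile(
    r"\b(spf|dkim|dmarc)=(pass|fail|softfail|neutral|none|temperror|permerror)\b")


def skeleton(domain):
    """Fold confusable sequences so a lookalike collapses onto its target.
    Multi-character folds run first, so 'rn' becomes 'm' before any
    single-character fold can touch the 'r' or 'n'."""
    s = domain.lower()
    for seq, rep in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, rep)
    return s


def parse_auth_results(header_value):
    """Extract method=result pairs from an Authentication-Results header."""
    return dict(AUTH_RESULT_RE.findall(header_value.lower()))


def sender_domain(from_header):
    """Domain of the address in a From: header (display name ignored)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower() if m else ""


def assess_sender(from_header, auth_results_header):
    """Combine the authentication results with a lookalike comparison."""
    domain = sender_domain(from_header)
    results = parse_auth_results(auth_results_header)
    lookalike_of = None
    if domain not in TRUSTED_DOMAINS:
        sk = skeleton(domain)
        lookalike_of = next((t for t in TRUSTED_DOMAINS if skeleton(t) == sk), None)
    return {
        "domain": domain,
        "spf": results.get("spf", "none"),
        "dkim": results.get("dkim", "none"),
        "lookalike_of": lookalike_of,
        "suspicious": lookalike_of is not None,
    }


# Constructed headers modelled on the Reply All example.
SAMPLE_FROM = "Reply All <replyall@girnletmedia.com>"
SAMPLE_AUTH = ("mx.example.net; spf=pass smtp.mailfrom=girnletmedia.com; "
               "dkim=pass header.d=girnletmedia.com; dmarc=pass")

if __name__ == "__main__":
    print(assess_sender(SAMPLE_FROM, SAMPLE_AUTH))
```

On the sample headers the verdict reports spf and dkim as "pass" and still marks the message suspicious, naming gimletmedia.com as the domain it imitates. The confusable table is intentionally short; a production filter would use the Unicode confusables data and a public-suffix-aware domain parser, but the structure of the check is the same.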