Tech blog Gizmodo recently conducted an experiment intended to find out how easy it would be to phish members of President Donald Trump’s administration.
Gizmodo’s “Special Projects Desk” sent emails to 15 members of the Trump administration that looked as though they came from someone the recipient knew. Targets included informal presidential advisor Newt Gingrich, former FBI director James Comey, cybersecurity advisor Rudy Giuliani, FCC chairman Ajit Pai, White House press secretary Sean Spicer, and White House advisor Peter Thiel, among others.
“We sent them an email that mimicked an invitation to view a spreadsheet in Google Docs,” Gizmodo explained. “The emails came from the address firstname.lastname@example.org, but the sender name each one displayed was that of someone who might plausibly email the recipient, such as a colleague, friend, or family member.”
A link in the message took people to what looked like a Google sign-in page asking them to enter their Google credentials. Gizmodo said the URL of the page included the word “test” and the page “was not set up to actually record or retain the text of their passwords, just to register who had attempted to submit login information.”
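The two cues described above (a familiar display name on an unfamiliar sending address, and a sign-in link whose host is not the real service) are exactly what a mail-triage filter can flag. The following is an added example written for this article, not code from Gizmodo or its experiment; the contact book, the two messages and the allow-list of hosts are constructed for illustration.

```python
"""Display-name spoofing and look-alike link check (added example, not the article's code).

Flags messages whose From: display name matches a known contact while the
address does not belong to that contact, and links whose host is not on an
allow-list of expected domains. All sample data below is constructed."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed contact book: display name -> addresses we actually know them by
KNOWN_CONTACTS = {
    "Alice Example": {"alice@example.com"},
}

# Hosts a genuine Google Docs share link would point at (assumption for this example)
ALLOWED_HOSTS = ("google.com",)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def check_sender(from_header, known=KNOWN_CONTACTS):
    """Return a finding if the display name is a known contact but the address is not."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if name in known and addr not in known[name]:
        return f"display name '{name}' is a known contact but address '{addr}' is not"
    return None


def host_allowed(host, allowed=ALLOWED_HOSTS):
    """True only if host is an allowed domain or a subdomain of one (suffix-anchored)."""
    return any(host == h or host.endswith("." + h) for h in allowed)


def check_links(body, allowed=ALLOWED_HOSTS):
    """Return one finding per link whose host is not on the allow-list."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not host_allowed(host, allowed):
            findings.append(f"link host '{host}' is not on the allow-list")
    return findings


def triage(msg, known=KNOWN_CONTACTS, allowed=ALLOWED_HOSTS):
    """Run both checks over a message dict with 'from' and 'body' keys."""
    findings = []
    sender_finding = check_sender(msg["from"], known)
    if sender_finding:
        findings.append(sender_finding)
    findings.extend(check_links(msg["body"], allowed))
    return findings


# Constructed sample messages: a spoofed share invitation and a genuine one
SAMPLE_PHISH = {
    "from": '"Alice Example" <firstname.lastname@example.org>',
    "body": "Alice Example shared a spreadsheet with you: "
            "https://accounts.google.com.example.net/signin?test=1",
}
SAMPLE_LEGIT = {
    "from": '"Alice Example" <alice@example.com>',
    "body": "Alice shared a spreadsheet: https://docs.google.com/spreadsheets/d/constructed-id",
}

if __name__ == "__main__":
    for label, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, triage(msg) or "no findings")
```

The link check is suffix-anchored on purpose: `accounts.google.com.example.net` contains the string `google.com` but is not a subdomain of it, so a naive substring match would pass it while this check does not.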
Eight different devices visited the bogus site, but it’s impossible to know whether the recipients themselves clicked the link, or forwarded the message to IT specialists who did, Gizmodo said. Two of the targets, Gingrich and Comey, replied to the message questioning its validity; no one entered their passwords.
A careful observer would have been able to tell that the message was bogus. The fake Google sign-in page included a message at the bottom saying it was “built by Gizmodo Media Group to test your digital security acumen.”
If you’re sitting there wondering if this experiment was even legal, you’re not the only one. According to Ars Technica, the test may have violated several federal, state, and local laws. “At a minimum, Gizmodo danced along the edges of the Computer Fraud and Abuse Act (CFAA),” the site argues, pointing to the fact that Gizmodo ignored “many of the restrictions usually placed on similar tests by penetration-testing and security firms.”
The Executive Editor of Gizmodo’s Special Projects Desk, John Cook, said his team took precautions to stay within the law.