via CNN Money
NEW YORK (CNNMoney) — The targeted phishing scheme that struck hundreds of top U.S. government officials’ personal Gmail accounts was neither difficult to perform nor incredibly sophisticated.
The attackers were able to pose as legitimate, trusted senders from the State Department, Office of the Secretary of Defense and the Defense Intelligence Agency by sending e-mails from what appeared — even on close inspection — to be real e-mail addresses ending in familiar domains like state.gov, osd.mil and dia.mil.
To accomplish that, the attackers configured their own mail server to put the spoofed addresses, rather than their real ones, in the sender field of outgoing messages. Most e-mail clients, such as Gmail or Microsoft Outlook, do not let ordinary users do that, but the sender address is one of the fields an administrator of an e-mail server can easily change.
When that’s done, it’s incredibly difficult or sometimes impossible for a user to know that the sender is really an impostor.
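What the user sees in the client is only the From: header, which is exactly the field the article says a server operator can set freely. The receiving mail server, however, usually records where the message actually came from (the envelope sender in Return-Path) and, if it runs sender authentication, its own verdict in an Authentication-Results header. The following script is an added example, not code from the CNN article or from the Contagio blog: it parses a raw message and flags the header-level mismatches that a message of the kind described above would typically show. The two sample messages, the domains other than state.gov, and the helper names are all constructed for illustration; the script also assumes the receiving server is the one that wrote the Return-Path and Authentication-Results headers, since a sender can forge those too if the receiver does not strip incoming copies.

```python
"""
Added example (not from the CNN article): an offline check for the kind of
sender spoofing the article describes, where the visible From: address ends
in a trusted domain but the message never came from that domain's servers.

It parses a constructed raw message, takes the domain from the From: header,
compares it with the Return-Path (envelope sender) domain, and reads any
Authentication-Results header the receiving server attached. Every message
sample below is constructed; the domains, header values and helper names
are assumptions, not data from the article.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr


def sender_domain(header_value: str) -> str:
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc method=result tokens from Authentication-Results.

    Only the leading method=result token of each ';'-separated clause is kept;
    the authserv-id and the smtp.mailfrom / header.from properties are ignored.
    """
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for clause in str(value).split(";"):
            clause = clause.strip()
            token = clause.split()[0] if clause else ""
            method, _, result = token.partition("=")
            if result and method.lower() in ("spf", "dkim", "dmarc"):
                results[method.lower()] = result.lower()
    return results


def assess(raw: bytes) -> dict:
    """Flag header-level signs that the From: domain was spoofed."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = sender_domain(msg.get("From", ""))
    envelope_dom = sender_domain(msg.get("Return-Path", ""))
    auth = auth_results(msg)

    reasons = []
    if envelope_dom and envelope_dom != from_dom:
        reasons.append(f"From domain {from_dom!r} differs from envelope sender {envelope_dom!r}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) not in (None, "pass"):
            reasons.append(f"{method} result is {auth[method]!r}")
    if not auth:
        reasons.append("no Authentication-Results header to corroborate the sender")

    return {"from_domain": from_dom, "envelope_domain": envelope_dom,
            "auth": auth, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample: the visible From: claims state.gov, but the envelope
# sender and the receiver's SPF/DMARC verdicts say otherwise.
SPOOFED = b"""Return-Path: <bounce@example-attacker.test>
Authentication-Results: mx.example.test; spf=fail smtp.mailfrom=example-attacker.test; dmarc=fail header.from=state.gov
From: "J. Doe" <jdoe@state.gov>
To: target@example.test
Subject: latest version of the joint statement

Please see attached.
"""

# Constructed sample: envelope and From: agree and the receiver reports passes.
LEGIT = b"""Return-Path: <jdoe@state.gov>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=state.gov; dkim=pass header.d=state.gov; dmarc=pass header.from=state.gov
From: "J. Doe" <jdoe@state.gov>
To: target@example.test
Subject: latest version of the joint statement

Please see attached.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        verdict = assess(raw)
        print(label, "suspicious" if verdict["suspicious"] else "ok", verdict["reasons"])
```

Run it as a script to see both verdicts, or import `assess` and feed it a message saved from a mailbox. The check deliberately treats a missing Authentication-Results header as a reason for suspicion rather than as a pass, because a receiving server that performs no sender authentication leaves the user with nothing but the spoofable From: field the article describes.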
In this case, malicious e-mails were sent with some text and what appeared to be an attachment. According to the Contagio blog, which first discovered the attack in February, one e-mail sent to State Department officials read:
“This is the latest version of State’s joint statement. My understanding is that State put in placeholder econ language and am happy to have us fill in but in their rush to get a cleared version from the WH, they sent the attached to Mike.”