Here’s the trivial trick used to ‘hack’ Clinton campaign emails; if Podesta can fall for it, you can too

Wikileaks. The alleged email that led to compromise of John Podesta's account.
Wikileaks. The alleged email that led to compromise of John Podesta’s account.

A simple, decade-old hacker trick likely led to the hacking of critical Hillary Clinton staff members. If John Podesta can fall for it, with the Presidential election at stake, so can you. So listen up.

I know I sound like a broken record when I warn people to think before they click, and I know most people think they’ll never fall for silly hacker tricks, but hey, this stuff is important.  It very well might have an impact on who gets to be the leader of the free world.

Information continues to trickle out of hacked emails that come from senior officials in Hillary Clinton’s campaign team, including campaign chair John Podesta. This week brought additional evidence describing how it happened.

It was pretty easy.

It appears that Podesta, and hundreds of other Clinton camp workers, received targeted phishing emails telling them they had to change their password immediately.  Of course, workers who fell for the email were led to a look-alike page controlled by hackers.  Part of the reason the dupe worked involved links that used of URL-shortening service Bitly, which turns long web addresses into short ones for convenience. Bitly also has the terrible quality of completely obscuring where the clicker is actually going until it’s too late.  For years, I’ve thought this to be a security flaw inherent in link shorterners, and I believe Bitly and other URL shorteners needed to engineer a fix.

In the meantime, you need to know three critical things:

A) Bitly links can’t be trusted; never click on a Bitly link when anything even remotely sensitive is involved

B) Any plea to urgently change your password should be met with serious skepticism. When you decide to do so, always manually type the service’s address into your web browsers and navigate to its password update page. NEVER click on a link telling you to do so. Even if you are sure it’s legitimate.

C) The presidential election might hang in the balance because of this simple hack. So, yes, anyone can fall for it. You can too.

The Bitly link
The Bitly link

Back in June, SecureWorks published a pretty convincing research paper that reconstructed the careful attack on the Hillary Clinton Presidential Campaign.  Analyzing data left publicly available on a Bitly account, it found evidence of thousands of spear phishing emails targeting election officials between March and June of this year.    The targets included: national political director, finance director, Director of strategic communications, and so on.

For example, 213 links were created targeting 108 email addresses at The hackers succeeded again and again: “20 of the 213 short links have been clicked as of this publication. Eleven of the links were clicked once, four were clicked twice, two were clicked three times, and two were clicked four times,” the report says.

The group also targeted personal Gmail accounts belonging to campaign officials.  This produced plenty of hits, too.

“They include the director of speechwriting for Hillary for America and the deputy director office of the chair at the DNC,” the report says. “(The hackers) created 150 short links targeting this group. As of this publication, 40 of the links have been clicked at least once.”

Clicking on a link does not mean the clicker subsequently entered login information and fell for the scam.  But the high click rate certainly suggests some victims did. So does the timing of all this; The DNC hack was revealed in June, weeks after this spear phishing campaign.

Release last week of what appears to be the actual email that led to the hacking of Podesta’s email on Wikileaks — sorry for the circular reasoning there — seems to confirm SecureWorks’ analysis.  An email sent to appears to come from Google and wants that someone located in the Ukraine had tried to access his account.

“Google stopped this sign-in attempt. You should change your password immediately,” it says. “CHANGE PASSWORD.”  And there’s a link headed for

Click on that Bitly link, and you are today brought to a warning page saying there “might be a problem with the requested link.”  A bit too late for Podesta and the Clinton campaign.

The ultimate destination for that link appears to be Google, but it’s not. Instead, it sends visitors to a web site at

An IT worker for the Clinton campaign ominously comments in the thread posted at Wikileaks that “this is a legitimate email,” though to his credit, he leaves instructions to visit Google at the correct link to change the password.

Then, ironically, he offers this call to action:

“Does JDP (John Podesta) have the 2 step verification or do we need to do with him on the phone? Don’t want to lock him out of his in box!”

If only a locked inbox were the biggest email problem Podesta had.


If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Sign up for my free email list, or click on an advertisement, or just share the story.

Don’t miss a post. Sign up for my newsletter

About Bob Sullivan 1524 Articles
BOB SULLIVAN is a veteran journalist and the author of four books, including the 2008 New York Times Best-Seller, Gotcha Capitalism, and the 2010 New York Times Best Seller, Stop Getting Ripped Off! His latest, The Plateau Effect, was published in 2013, and as a paperback, called Getting Unstuck in 2014. He has won the Society of Professional Journalists prestigious Public Service award, a Peabody award, and The Consumer Federation of America Betty Furness award, and been given Consumer Action’s Consumer Excellence Award.

3 Trackbacks / Pingbacks

  1. This email prankster fooled Scaramucci, other Trump pols. It’s not funny — he’d probably fool you, too –
  2. Don’t be the next Anthony Scaramucci: Email prankster’s hoax shows how all of us are vulnerable – rareintro
  3. Here’s how the latest Russian election hack worked, and why you should never click on email links. Never. –

Leave a Reply

Your email address will not be published.


This site uses Akismet to reduce spam. Learn how your comment data is processed.