Yesterday, at approximately 4:50 MST, “donaldtrump.com” was defaced and a set of dubious messages was posted. The hackers accused the U.S. President of spreading fake news and claimed to have gained access to internal and secret conversations between Trump and his relatives. They also claimed to have evidence of Trump’s criminal involvement and cooperation with foreign actors who are looking to manipulate the upcoming elections.
The hackers posted two Monero wallet addresses to serve as a way for website visitors to vote on whether the information they allegedly hold should be shared or not. To lend some legitimacy to their claims, the actors also included a PGP key in the defacement message, supposedly to be used during the information disclosure stage.
The key corresponds to an email address that doesn’t even exist, which gives you an idea of how reliable these claims are. The defacement message looks completely phony, and its sole purpose is to help the hackers grab some hard-to-trace crypto and call it a day.
The main question here is how the intruders managed to break in, and while there’s no official explanation, there are several potential scenarios. First, it is possible that the hackers had the credentials required to log into the admin panel of the Expression Engine CMS. Another possibility is that the hackers signed in to the admin’s Cloudflare account and changed the DNS settings to point the domain at a different IP address under their control.
Other scenarios that are less likely include server hacking via FTP or SSH, the exploitation of a zero-day vulnerability on the Expression Engine CMS, and the changing of the domain nameservers at the registrar through social engineering.
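Two of the scenarios above, the Cloudflare account takeover that repoints the domain at an attacker-controlled address and the nameserver change at the registrar, both leave a visible trace in public DNS. The following is an added defender-side example, not code from the article or from the campaign's own infrastructure: it compares a domain's observed NS and A records against a known-good baseline and reports drift. The nameserver names and IP prefixes are constructed placeholders (documentation ranges), standing in for the operator's real baseline and the CDN's published proxy ranges; the records fed to it are constructed too, so it runs offline (a real monitor would obtain them from a resolver on a schedule).

```python
"""Baseline drift detection for a domain's public DNS records (added example)."""
import ipaddress
from typing import Iterable, List

# Constructed baseline: the nameservers the operator expects at the registrar.
EXPECTED_NAMESERVERS = frozenset({"ns1.example-dns.net", "ns2.example-dns.net"})

# Constructed placeholder prefixes standing in for the proxy/CDN's published
# IPv4 ranges. A real deployment would load the provider's current list.
EXPECTED_PROXY_RANGES = (
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
)


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_dns_drift(
    observed_ns: Iterable[str],
    observed_a: Iterable[str],
    expected_ns: frozenset = EXPECTED_NAMESERVERS,
    proxy_ranges=EXPECTED_PROXY_RANGES,
) -> List[str]:
    """Return a list of human-readable findings; an empty list means no drift.

    Findings are ordered: unexpected nameservers added, expected nameservers
    missing, then A records that fall outside the proxy ranges. A missing
    nameserver or an added one points at the registrar; an A record outside
    the proxy ranges points at a changed proxy/DNS configuration.
    """
    findings: List[str] = []
    ns = {normalize_name(n) for n in observed_ns}

    for name in sorted(ns - expected_ns):
        findings.append(f"unexpected nameserver added: {name}")
    for name in sorted(expected_ns - ns):
        findings.append(f"expected nameserver missing: {name}")

    for raw in observed_a:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            findings.append(f"malformed A record: {raw!r}")
            continue
        if not any(addr in net for net in proxy_ranges):
            findings.append(f"A record outside proxy ranges: {addr}")
    return findings


def drift_between_polls(previous: dict, current: dict) -> List[str]:
    """Compare two successive polls of the same domain.

    Each poll is a dict with 'ns' and 'a' lists. Any record that appears or
    disappears between polls is reported, independent of the static baseline,
    so a change is caught even if the baseline itself was never written down.
    """
    findings: List[str] = []
    for kind in ("ns", "a"):
        before = {normalize_name(r) for r in previous.get(kind, [])}
        after = {normalize_name(r) for r in current.get(kind, [])}
        for rec in sorted(after - before):
            findings.append(f"{kind.upper()} record appeared: {rec}")
        for rec in sorted(before - after):
            findings.append(f"{kind.upper()} record disappeared: {rec}")
    return findings


if __name__ == "__main__":
    # Constructed polls: a healthy one, then one after a hypothetical change.
    healthy = {"ns": ["ns1.example-dns.net.", "NS2.example-dns.net"],
               "a": ["198.51.100.7"]}
    changed = {"ns": ["ns1.example-dns.net", "ns1.attacker-dns.invalid"],
               "a": ["192.0.2.50"]}
    for poll in (healthy, changed):
        print(check_dns_drift(poll["ns"], poll["a"]) or "no drift against baseline")
    print(drift_between_polls(healthy, changed))
```

Run on a schedule, the two checks complement each other: the baseline comparison catches a configuration that is wrong on the first poll, while the poll-to-poll diff catches a change even where the baseline was never recorded. Either signal arriving outside a planned change window is worth treating as a possible account or registrar compromise.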
Whatever really happened, it surely took place without having to get past a two-factor authentication step. If the admin had set up an MFA wall, the actors wouldn’t have been able to deface the campaign website even if they held valid credentials.
As for Trump and the political campaign, the disruption from this incident was minimal, but still damaging for the current President of the United States, who has recently showcased his poor understanding of how cybersecurity works.