US presidential candidates face phishing threat in '08

Attacks could divert contributions to opponent's campaign, says researcher

Phishing attacks that harvest credit card numbers or divert online contributions to an opponent's campaign pose the most danger to the Web operations of 2008's presidential candidates, a security researcher said.

"The threat that poses the most danger now is what has posed the most danger in the past," said Oliver Friedrichs, the director of Symantec's security response team and a writer on electoral cybercrime. "Phishing is the most significant problem now, and it has the potential to disrupt campaigns or even competing campaigns."

Not only are candidates' campaign Web sites prime targets for phishers -- the criminals could create bogus sites posing as the real deal to harvest contributors' credit card and bank account numbers -- but they could be victimized by radical followers of their opponent. "A phishing site could impersonate [the site of] one candidate, say Hillary Clinton, but actually submit the donation to another candidate, Rudy Giuliani, for example," said Friedrichs. "It might be very unlikely that a campaign would do something like this, but it could be launched by individuals who already consider themselves criminals, or by radicalized voters."

Even though the dollar amounts of such a steal-from-Hillary-to-pay-Rudy attack might be small, Friedrichs thinks there would be substantial fallout. "The diversion of donations like that has the potential to undermine the confidence in the online donation concept," he said.

In 2004, only two phishing attacks were detected that exploited the presidential election, Friedrichs said, both against the Kerry-Edwards campaign. In one instance, phishers set up a fictitious site shortly after the Democratic National Convention to supposedly solicit donations, although the criminals' goal was to gather credit card numbers and other personal information. In the second, phishers set up a site asking contributors to phone a for-fee 1-900 number that charged callers US$1.99 a minute.

It's likely that the 2008 campaign will see a much larger number of election-oriented phishing campaigns. Phishing posed only a "marginal risk" in 2004, in part because the scam was small-scale compared to today but also because presidential campaigns had only begun to move online in search of contributions. Today phishers are more capable and candidates more dependent on the Internet.

"We've seen phishing against candidates in the past," said Friedrichs, "and we should expect to see it during this campaign."

One thing that could make phishers' crimes even easier is the large number of domains that are just a typo away from an actual candidate's campaign Web site, Friedrichs argued. Using specialized tools, Friedrichs generated possible typo domains -- "mitrromney.com" rather than the intended "mittromney.com", for example -- and analyzed domain registration records.

"Many of the typo domains were not registered by the candidates proactively," said Friedrichs. "Only one candidate [Mitt Romney] had registered a typo domain, and then only one domain. Every other candidate had not taken precautions."

Phishers could exploit typo domains, as well as what Friedrichs called "cousin" domains -- expanded versions of a candidate's actual domain, such as "presidentbarackobama.com" -- to trick contributors into clicking on links in e-mail messages.

But other kinds of profiteering is also not only possible with typo domains, but already in action, according to Friedrichs. Most typo domains, he said, are used to host ads, most often contextual ads. On some typo domains -- courtesy of ad syndicates or keyword purchasing -- the ads are in fact from the candidate whose domain has been abused. "The candidate is paying to have their ads displayed on the typo squatter's Web site. Candidate are paying for their own typo sites," said Friedrichs.

"Candidates and their campaigns are only beginning to understand the risks and have yet to take the necessary precautions in order to protect themselves," he concluded. "Our fear is that a true appreciation of the required countermeasures will not be realized until these attacks do in fact manifest themselves."

A draft of Friedrichs' chapter for the upcoming book Crimeware has been posted to Symantec's Web site, and includes sections on other threats to the electoral process, ranging from malicious code to Internet-based dirty tricks.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Gregg Keizer

Gregg Keizer

Computerworld
Show Comments

Essentials

Mobile

Exec

Sony WH-1000XM4 Wireless Noise Cancelling Headphones

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?