[ISN] Cybercriminals Could Steal Elections, Security Researcher Warns

From: InfoSec News (alerts@private)
Date: Wed Oct 10 2007 - 22:14:34 PDT


http://www.informationweek.com/news/showArticle.jhtml?articleID=202401113

By Thomas Claburn
InformationWeek
October 10, 2007

Cybercriminals could imperil the 2008 presidential election and the U.S 
political process, according to a forthcoming book.

Titled Crimeware [1] and edited by Markus Jakobsson, a professor at the 
Indiana University School of Informatics, and Zulfikar Ramzan, senior 
principal security researcher with Symantec (NSDQ: SYMC), the book 
details various forms of cybercrime. It is scheduled for publication in 
February.

The book's 10th chapter, Cybercrime and the Electoral System [2], by 
Oliver Friedrichs, director of emerging technologies at Symantec 
Security Response, explores the risks cybercrime poses to U.S. 
elections.

"It is important to understand the associated risks as political 
candidates increasingly turn to the Internet to more effectively 
communicate their positions, rally supporters, and seek to sway 
critics," writes Friedrichs. "These risks include among others the 
dissemination of misinformation, fraud, phishing, malicious code, and 
the invasion of privacy. Some of these attacks, including those 
involving the diversion of online campaign donations have the potential 
to threaten voters' faith in our electoral system."

In a phone interview, Friedrichs said that he believes the threat is 
significant and pointed to past elections that have felt the effects of 
cybercrime. "In 2004, phishers targeted the Kerry-Edwards campaign, 
which at the time was really seen as one of the campaigns that led the 
way in using the Internet to communicate with constituents."

There were at least two phishing attacks that targeted that campaign, 
said Friedrichs. One of them was a fairly traditional attack that tried 
to solicit money in the name of the candidates. The other tried to 
convince recipients of phishing e-mails to call a 900 number. Calling 
the number resulted in an unexpected $1.99 charge.

"Four years later, it's a much different time," said Friedrichs. 
"Phishing itself has grown into an epidemic, and we see over 1,000 
phishing campaigns every single day. So the potential for phishing to 
manifest itself is fairly high."

That's demonstrated by the high number of typo domains that have been 
registered. Such sites receive traffic from Web visitors who misspell or 
mistype legitimate campaign Web site addresses. They may also serve as a 
place to direct visitors duped by phishing messages and as a launchpad 
for security exploits.

Symantec has identified 58 typo domains related to Hillary Clinton's 
official Web site, 52 related to Barak Obama's official Web site, 34 
related to John Edwards' official Web site, 20 related to John McCain's 
official Web site, and 18 related to Mitt Romney's official Web site. 
The research did not indicate why Democratic candidates have been more 
heavily targeted by typo squatters than Republican candidates.

As to the possibility that legitimate politicians might try to gain an 
advantage by enlisting cybercriminals, Friedrichs said, "We haven't seen 
that yet and we certainly hope we don't see it."

According to the book, most of the typo sites appear to have been set up 
to earn ad dollars using the candidates' names rather than to place a 
particular person in office. It's also worth noting that some typo sites 
are satirical in nature and are thus constitutionally protected free 
speech rather than attempts to dupe or defraud voters.

Yet, Friedrichs cautions, extremists unaffiliated with a particular 
campaign might try to attack a campaign's opponents online. "What we 
have seen in the past is denial-of-service attacks against candidate Web 
sites," he said. "For example, in 2006, we saw attacks against the Joe 
Lieberman Web site, Joe2006.com, and that site was taken offline for 
some time. ... As a result, the e-mail system for the campaign was 
unavailable."

To date, there's no evidence to suggest that cybercriminals have altered 
the outcome of an election. "We have not seen an attack that has had a 
meaningful impact on the outcome of an election yet," explained 
Friedrichs.

But the impact of cybercrime on the electoral process need not be that 
severe to be troubling. "We do believe that tactics that we see in the 
physical world like voter intimidation and deception are likely to 
manifest themselves in the cyberworld as well," said Friedrichs.

One of the possible attacks that concerns Friedrichs is the diversion of 
funds. "For example, if I'm a phisher, I can set up a phishing site or a 
typo site and a victim coming to that site may believe he's contributing 
a donation to one particular candidate, but on the back end we can 
actually redirect that transaction to a completely different candidate. 
So essentially, the victim would be donating to their candidate's 
opponent. And that has the potential to really cause voters to lose 
faith in the online donation system as a whole."

All 17 of the 2008 presidential candidates researched by Symantec (NSDQ: 
SYMC) accept online donations, according to Friedrichs.

As to how such issues might be dealt with, Friedrichs doubts legislation 
will help. Laws like the Can-Spam Act, he said, haven't had a meaningful 
impact on the distribution of spam.

"There are already a number of countermeasures that campaigns can 
leverage," said Friedrichs. "What we find is that many of [the 
politicians], being relatively new to the Internet, really haven't 
become aware of the best practices they should be taking. One of the 
goals here is to raise awareness of those best practices."

[1] http://www.amazon.com/exec/obidos/ASIN/0321501950/c4iorg
[2] http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/cybercrime-electoral-system.pdf


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com



This archive was generated by hypermail 2.1.3 : Wed Oct 10 2007 - 22:40:10 PDT