As the U.S. presidential election nears, anti-phishing solution provider Valimail sounds the alarm on email and domain spoofing attacks that threaten the presidential campaigns and election system manufacturers. Here’s what you need to know.
With just one week to go until Election Day, data from the newly-released report 2020 Election Infrastructure Remains Vulnerable to Email Hacking finds the threat of impersonation-based email phishing attacks that utilize domains involved in the U.S. election is at an all-time high.
Email phishing attacks are at their highest level in three years and the latest research from Valimail, zero trust email security provider spotlights the lack of email authentication standards for email domains associated with the U.S. presidential campaigns, political action committees (PACs), U.S. state and county governments, as well as election system manufacturers.
The report found the 2020 election infrastructure is vulnerable to email hackers and only 3% of state and 7% of top county domains are protected. Some of the unprotected domains include Donaldjtrump.com, GOP.com, Joebiden.com, and the majority of liberal and conservative PACs. Given that most domains were unprotected from email spoofing, Valimail says they could easily be impersonated by hackers pretending to play a role in the election infrastructure.
The data clearly illustrates the need for DMARC which stands for Domain-based Message Authentication, Reporting and Conformance. DMARC is a widely-accepted email authentication policy and reporting protocol that ensures — when implemented with an enforcement policy — that only authorized senders can send email using your domain in the “From:” field of their email messages.
When your domain is configured for DMARC and set to an enforcement policy, email recipients will reject (block from delivery) or quarantine (move to a spam folder) any messages from senders not authorized by your enforcement policy.
“Our latest research continues to underscore that domain security within the U.S. election infrastructure is vulnerable. A best practice to prevent impersonation-based email phishing attacks is to prioritize and adopt DMARC — the industry standard for strong email authentication,” Seth Blank, VP of Standards and New Technologies at Valimail told Toolbox.
Some of the key highlights from the report are:
- Only 15% of campaign and PAC domains are protected with DMARC Enforcement, while 25% have a valid DMARC but is not enforced, 40% have no DMARC, and 10% have an invalid DMARC
- Only 3.3% of U.S. state domains are protected by DMARC, while 22.2% have a valid DMARC but is not enforced, 70.6% have no DMARC, and 3.9% have an invalid DMARC
- Only 7% of the biggest U.S. counties are protected by DMARC, while 26.7% have a valid DMARC but is not enforced, 59.4% have no DMARC, and 7% have an invalid DMARC
- Only 12.5% of election system manufacturers are protected by DMARC, while 37.5% have a valid DMARC but is not enforced, 37.5% have no DMARC, and 12.5% have an invalid DMARC
Impact of Security Oversight on the 2020 U.S. Election
Email spoofing may not seem like a big deal on the surface, as much as election fraud, but that is not to say it won’t be used to carry out malicious misinformation campaigns. Alexander García-Tobar, CEO and co-founder of Valimail says, “Malicious agents could use the essential and pervasive nature of email to spread uncertainty, confusion, misinformation or doubt, which could, in turn, interfere with a free and fair election.”
One such incident occurred just a day before Valimail’s report was published, wherein a white supremacist group Proud Boys threatened Democratic voters. As it turns out, malicious actors from Iran impersonated Proud Boys (Domain: officialproudboys.com) to spread disinformation to hurt the reelection chances of the incumbent President Donald Trump, according to the FBI.
BREAKING: FBI confirms Iran is sending fake emails posing as ‘Proud Boys’ to help Joe Biden
— Jack Posobiec ?? (@JackPosobiec) October 21, 2020
However, Iran denied the allegations via a Swiss envoy (acting as a mediator for U.S. affairs).
— Press TV (@PressTV) October 22, 2020
The low rates of deployment of this open standard among domains involved in elections underscore how a lack of security best practices can derail the election process. “Our message to all domains involved in elections is to check your email authentication and determine your level of protection and vulnerability,” said Blank. “Use 2020 as the catalyst to prepare for future elections — prioritize DMARC enforcement for email and multifactor authentication for all systems,” he added.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) is running a #Protect2020 Rumour Control campaign to thwart malicious attempts by adversaries.
Foreign adversaries attempt to influence U.S. elections by spreading disinformation & undermining your confidence in the electoral process. Our new resource helps you separate election rumors from reality: https://t.co/WHEGHw3Qcj
— Cybersecurity and Infrastructure Security Agency (@CISAgov) October 23, 2020
In a joint (and bipartisan) statement, Senate Select Committee on Intelligence Acting Chairman Marco Rubio (R-FL) and Vice Chairman Mark Warner (D-VA), said, “To the American people and the media, we reiterate the need to be skeptical of sensationalist, last-minute claims about election infrastructure. State, local, and federal officials, and partners in social media and tech, should be proud of joint efforts to shut down Iranian and Russian efforts.”