The type of email attacks that helped derail Hillary Clinton’s presidential bid during the 2016 presidential election cycle could be a prelude to the aggressive tactics we may see in 2020—and new data suggests early candidates and their campaigns aren’t ready to defend themselves.
According to analysis captured in the Email Fraud and Identity Deception Report from the Agari Cyber Intelligence Division (ACID), the majority of early presidential front runners are susceptible to phishing attacks against their campaign staff and to email scams that impersonate their donors, voters, and the media—both foreign and domestic.
These vulnerabilities have to be remedied fast as the 2020 election cycle shifts into high gear. If past experience tells us anything, there is little doubt that cybercriminals and nation-state actors will seek to derail political enemies, defraud voters, and undermine US democracy.
It was only three years ago when John Podesta, Hillary Clinton's campaign chairman, fell victim to what appeared to be a legitimate "account alert" from his email provider—Google. The malicious link within that email, and the resulting propagation of damaging campaign emails by WikiLeaks, helped quash Clinton's candidacy.
As far as campaign email security goes, little has changed in the last three years. What has changed, though, is the increasing sophistication of a new generation of email threats that can easily bypass the security controls most early presidential contenders currently have in place—and can even impersonate the campaign to embarrass or discredit the candidate. This approach is how cybercriminals turn the tide of public opinion and sway election outcomes.
Infiltrating the Inbox, Tilting the Ballot Box
In the first section of his report on foreign interference in the 2016 presidential election, Robert Mueller's investigators squarely point to spear phishing as the primary avenue of attack for Russian hackers seeking to gain access to their target's email credentials or other sensitive information.
The investigation found that, beyond Clinton and the DNC, the GRU, Russia's foreign military intelligence unit, gained access to at least one election computer network in Florida, which could have resulted in voter data being altered. And while the 2018 midterms saw fewer such incidents, the National Republican Congressional Committee (NRCC) was successfully breached and the email accounts of four top NRCC aides compromised.
What comes next could be far worse. Today, 83 percent of the top candidates rely solely on the security controls built into their email platforms—almost exclusively Gmail and Microsoft Office 365. The good news is that these controls have advanced to the point where they can weed out the kind of malicious links and malware to which Podesta fell victim. The bad news is that they're utterly defenseless on their own against today's most advanced forms of phishing.
Instead of relying on malware or malicious links, these attacks leverage display name deception, look-alike domains, hijacked email accounts, and other techniques to masquerade as trusted sources. And they involve socially-engineered email messages designed to manipulate recipients into revealing their login credentials for email and other sensitive systems before they realize they're being conned. Unfortunately, these malign email messages reach inboxes undetected by email platform-based security controls.
Take what could be a typical scam launched from the spoofed or compromised account of a trusted advisor, polling firm, or senior campaign official. A simple request to forward voter data or pay a vendor could easily fool overextended campaign staffers and consultants on the go. And unfortunately, that's not even the worst form of attack headed their way.
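A header-level check for two of the techniques named above, display name deception and look-alike domains, as an added example that is not from the report or any Agari product. The domain `campaign.example`, the staff roster and the sample headers are constructed for illustration; mail sent from a genuinely hijacked account passes this check and needs behavioural detection instead.

```python
from email.utils import parseaddr
import unicodedata

# Assumptions (constructed): the campaign's own domain and a staff roster.
TRUSTED_DOMAINS = {"campaign.example"}
STAFF = {"jane doe": "jane.doe@campaign.example"}


def _norm(name):
    """Fold case, strip accents and collapse whitespace in a display name."""
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    return " ".join(name.lower().split())


def _edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return the impersonation findings for one From: header value."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    # Look-alike domain: not trusted, but within two edits of a trusted one.
    if domain not in TRUSTED_DOMAINS and any(
        0 < _edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS
    ):
        findings.append("lookalike-domain")
    # Display name deception: a staff member's name on someone else's address.
    expected = STAFF.get(_norm(name))
    if expected and addr != expected:
        findings.append("display-name-deception")
    return findings


if __name__ == "__main__":
    for hdr in ('"Jane Doe" <jane.doe@campaign.example>',
                '"Jane Doe" <jane.doe@webmail.example>',
                'Jane Doe <jane.doe@campa1gn.example>'):
        print(hdr, "->", classify_sender(hdr) or "ok")
```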
Campaign Impersonation: DMARC in the Danger Zone
Now imagine email attacks targeted not at campaign staffers, but rather at donors, voters, or the press. What kind of damage could be done if fake news or misrepresented policy positions are emailed from spoofed email accounts that appear to belong to senior campaign officials—or even the candidates themselves? Or if an email appearing to come from the campaign is sent, encouraging the public to donate to the campaign through a fake website, run by these cybercriminals?
And what happens when the negative publicity from phishing attacks leads constituents to avoid opening a campaign's legitimate email messages? With an average ROI of $38 for every $1 spent, this is a digital channel no campaign can afford to see crippled. But analysis of domain data indicates only one campaign has fully implemented Domain-based Message Authentication, Reporting and Conformance (DMARC) at Reject, the standard email authentication protocol needed to block email-based impersonation attacks from ever reaching their targets.
DMARC has been available for nearly seven years, and is required of all Executive Branch Federal government agencies. Our own history of protecting the Federal government includes keeping the Department of Treasury, the Department of Health and Human Services, the US Postal Service, and other agencies safe from email impersonation attacks targeting other agencies and the public.
In most implementations, organizations can see thousands or even millions of monthly impersonation scams drop to zero within weeks. No campaign should try to do without DMARC—especially if voter safety is their top concern.
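What "DMARC at Reject" means in a published record, as an added example that is not from the report. It takes the text of the TXT record a domain publishes at `_dmarc.<domain>` and reports whether it gives full reject enforcement; the sample records and the `campaign.example` addresses are constructed.

```python
def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(txt):
    """Report whether a record gives full p=reject enforcement, and list the gaps."""
    tags = parse_dmarc(txt)
    if tags is None:
        return {"policy": None, "at_reject": False, "gaps": ["no DMARC record"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"policy": None, "at_reject": False,
                "gaps": ["missing or invalid p= tag"]}
    gaps = []
    if policy == "none":
        gaps.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        gaps.append("p=quarantine sends failing mail to spam instead of refusing it")
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() else 100      # pct defaults to 100
    if policy != "none" and pct < 100:
        gaps.append(f"pct={pct}: policy applies to only part of the failing mail")
    sp = tags.get("sp", policy).lower()           # sp defaults to the p value
    if policy == "reject" and sp != "reject":
        gaps.append(f"sp={sp}: subdomains are not held to reject")
    if "rua" not in tags:
        gaps.append("no rua= address: no aggregate reports on who sends as the domain")
    at_reject = policy == "reject" and pct == 100 and sp == "reject"
    return {"policy": policy, "at_reject": at_reject, "gaps": gaps}


# Constructed sample records, not taken from any real campaign domain.
SAMPLES = {
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@campaign.example",
    "partial": "v=DMARC1; p=reject; pct=25; sp=none; rua=mailto:dmarc@campaign.example",
    "monitor": "v=DMARC1; p=none; rua=mailto:dmarc@campaign.example",
    "not_dmarc": "v=spf1 include:_spf.campaign.example ~all",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        print(label, assess(record))
```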
The Path to Victory Starts with Protection
Despite reports that campaigns are starting to ramp up cybersecurity, as of May 1, only two presidential campaigns have any advanced email security solutions in place to guard against attack. Former Massachusetts Governor and Republican primary challenger Bill Weld, along with Democratic candidate and current Massachusetts Senator Elizabeth Warren, have augmented the security controls provided by their email platform providers with advanced protection against phishing targeting campaign staffers. On the flip side, only Senator Warren has implemented the DMARC policy needed to protect voters, donors, and the press from fraud.
Given the enormous importance of the email channel in campaign communications, fundraising, and more, Agari has created the first and only 2020 Presidential Campaign Email Threat Index to measure progress in deploying advanced email security solutions among the top US presidential candidates with a polling average of more than 1%, according to Real Clear Politics.
United We Stand
Chances are, 2016 was just a warm-up act. In 2020, the battle to protect the inbox isn't just about individual candidates or parties, red states or blue states, the Electoral College or the popular vote. It's about defending the underpinnings of our system and democracy itself. As you can tell by now, Agari is all in on that fight. We hope you are too.
To learn more about the state of email security among 2020 presidential candidates and emerging trends in phishing and other threats, download the Email Fraud & Identity Deception Report.