http://www.informationweek.com/story/showArticle.jhtml?articleID=202401113
InformationWeek
Oct. 10, 2007
Cybercriminals Could Steal Elections, Security Researcher Warns
Risks include the dissemination of misinformation, fraud,
phishing, malicious code, and the invasion of privacy, according to Symantec
analysts.
By Thomas Claburn, InformationWeek
Cybercriminals could imperil the 2008 presidential election
and the U.S. political process, according to a forthcoming book.
Titled Crimeware and edited by Markus Jakobsson, a professor
at the Indiana University School of Informatics, and Zulfikar Ramzan, senior
principal security researcher with Symantec, the book details various forms of
cybercrime. It is scheduled for publication in February.
The book's 10th chapter, Cybercrime and the Electoral
System, by Oliver Friedrichs, director of emerging technologies at Symantec
Security Response, explores the risks cybercrime poses to U.S. elections.
"It is important to understand the associated risks as
political candidates increasingly turn to the Internet to more effectively
communicate their positions, rally supporters, and seek to sway critics,"
writes Friedrichs. "These risks include among others the dissemination of
misinformation, fraud, phishing, malicious code, and the invasion of privacy.
Some of these attacks, including those involving the diversion of online
campaign donations, have the potential to threaten voters' faith in our
electoral system."
In a phone interview, Friedrichs said that he believes the
threat is significant and pointed to past elections that have felt the effects
of cybercrime. "In 2004, phishers targeted the Kerry-Edwards campaign,
which at the time was really seen as one of the campaigns that led the way in
using the Internet to communicate with constituents."
There were at least two phishing attacks that targeted that
campaign, said Friedrichs. One of them was a fairly traditional attack that
tried to solicit money in the name of the candidates. The other tried to
convince recipients of phishing e-mails to call a 900 number. Calling the
number resulted in an unexpected $1.99 charge.
"Four years later, it's a much different time,"
said Friedrichs. "Phishing itself has grown into an epidemic, and we see
over 1,000 phishing campaigns every single day. So the potential for phishing
to manifest itself is fairly high."
That's demonstrated by the high number of typo domains that
have been registered. Such sites receive traffic from Web visitors who misspell
or mistype legitimate campaign Web site addresses. They may also serve as a
place to direct visitors duped by phishing messages and as a launchpad for
security exploits.
Symantec has identified 58 typo domains related to Hillary
Clinton's official Web site, 52 related to Barack Obama's official Web site, 34
related to John Edwards' official Web site, 20 related to John McCain's
official Web site, and 18 related to Mitt Romney's official Web site. The research
did not indicate why Democratic candidates have been more heavily targeted by
typo squatters than Republican candidates.
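
A campaign's own staff can watch for the typo domains described above by comparing newly seen registrations against the official address. The sketch below is an added example, not code from the book or from Symantec; the domain campaign-example.com and the sample feed are hypothetical, and it assumes simple two-part names.

```python
def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each at cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, the classic mistyped-address case.
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def split_domain(name: str):
    """Lower-case and split into (label, tld); assumes a two-part name."""
    label, _, tld = name.strip().lower().rstrip(".").rpartition(".")
    return label, tld


def flag_lookalikes(legit: str, observed, max_distance: int = 1):
    """Return (domain, reason) for observed names that resemble legit."""
    l_label, l_tld = split_domain(legit)
    hits = []
    for name in observed:
        label, tld = split_domain(name)
        if (label, tld) == (l_label, l_tld):
            continue  # the official site itself
        d = osa_distance(label, l_label)
        if d == 0:
            hits.append((name, "same name, different TLD"))
        elif d <= max_distance:
            hits.append((name, f"label within {d} edit(s)"))
    return hits


# Constructed sample feed of newly seen registrations (not real data).
OBSERVED = ["campaign-example.com", "campaign-exmaple.com",
            "campaign-example.org", "campain-example.com",
            "Campaign-Examp1e.com", "unrelated-news.com"]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes("campaign-example.com", OBSERVED):
        print(f"{domain:24} {reason}")
```

Names it flags are candidates for review, defensive registration or takedown requests; as the article notes below, some lookalike sites are satire or ad pages rather than fraud.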
As to the possibility that legitimate politicians might try
to gain an advantage by enlisting cybercriminals, Friedrichs said, "We
haven't seen that yet and we certainly hope we don't see it." According to
the book, most of the typo sites appear to have been set up to earn ad dollars
using the candidates' names rather than to place a particular person in office.
It's also worth noting that some typo sites are satirical in nature and are
thus constitutionally protected free speech rather than attempts to dupe or
defraud voters.
Yet, Friedrichs cautions, extremists unaffiliated with a
particular campaign might try to attack a campaign's opponents online.
"What we have seen in the past is denial-of-service attacks against
candidate Web sites," he said. "For example, in 2006, we saw attacks
against the Joe Lieberman Web site, Joe2006.com, and that site was taken
offline for some time. ... As a result, the e-mail system for the campaign was
unavailable."
To date, there's no evidence to suggest that cybercriminals
have altered the outcome of an election. "We have not seen an attack that
has had a meaningful impact on the outcome of an election yet," explained
Friedrichs.
But the impact of cybercrime on the electoral process need
not be that severe to be troubling. "We do believe that tactics that we
see in the physical world like voter intimidation and deception are likely to
manifest themselves in the cyberworld as well," said Friedrichs.
One of the possible attacks that concerns Friedrichs is the
diversion of funds. "For example, if I'm a phisher, I can set up a
phishing site or a typo site and a victim coming to that site may believe he's
contributing a donation to one particular candidate, but on the back end we can
actually redirect that transaction to a completely different candidate. So
essentially, the victim would be donating to their candidate's opponent. And
that has the potential to really cause voters to lose faith in the online
donation system as a whole."
All 17 of the 2008 presidential candidates researched by
Symantec accept online donations, according to Friedrichs.
As to how such issues might be dealt with, Friedrichs doubts
legislation will help. Laws like the Can-Spam Act, he said, haven't had a
meaningful impact on the distribution of spam.
"There are already a number of countermeasures that
campaigns can leverage," said Friedrichs. "What we find is that many
of [the politicians], being relatively new to the Internet, really haven't
become aware of the best practices they should be taking. One of the goals here
is to raise awareness of those best practices."
Copyright © 2007 CMP Media LLC