Threats

It’s hard for campaigns to be transparent without aiding attackers

Op-ed: Transparency is essential to democratic elections. But security is also important to the integrity of the process.

By Joshua Bartolomie

April 14, 2020

Attackers can mine info from the FEC's campaign finance database in order to target presidential campaigns. (Flickr / <a href="https://flic.kr/p/2if1533">Gage Skidmore</a>)

Everyone knows what happened to John Podesta in 2016. Hillary Clinton’s campaign manager clicked on a phishing email, and as far as we know, it was the first time a cyberattack shaped a presidential election.

This time around, the campaigns are more focused on recognizing and stopping phishing attacks. That’s good, because phishing has become way more sophisticated over the last four years, including the painstaking research smart attackers run.

So if we were to see a repeat of 2016, where would hackers conduct their homework? They could look no further than the Federal Election Commission, whose website illustrates how tough it is to balance transparency and security.

The bad guys are looking, too

Check out the FEC’s campaign finance data repository. It enables anyone to see where campaigns are spending their money: They’re required to list individuals, vendors, and others they are paying to support their operations.

The site exists for a laudable reason: financial transparency in support of fair elections. However, all this public information makes it easy for threat actors to customize phishing emails. We’re talking employee, donor, and contractor names, plus software providers, media partners, payroll companies, and so on. And yes, that includes physical and cybersecurity services.

Though it’s true that anyone can find this information, it’s a bounty for today’s sophisticated threat actors. An attacker could, for instance, identify campaign staffers on the website and, using other public sources, discover their email addresses. In maybe an hour’s time, the attacker would have a target list for launching phishing attempts. The attacker might conclude that higher-paid staffers are higher-value phishing targets. Again, a little more reconnaissance would flesh out a target’s identity: job title, responsibilities, and public social media profiles.

Back on the FEC site, the attacker could see which vendors a staffer might use, such as travel services like airlines or hotels. It’s not hard to imagine a phishing email spoofing a hotel chain, complete with logo and corporate typeface. The now defunct Warren for President campaign, for instance, listed Hyatt as a vendor. With a single click on a fraudulent email, malware can be injected to scope a network for sensitive files.

Platforms can also be targets

Attackers could also learn which platforms a campaign uses, then try to exploit known vulnerabilities.

An example: The Trump campaign uses Stripe to process online payments. Time for a new MAGA cap? Some Trump-Pence wrapping paper? Stripe will handle the payment in a matter of seconds. To the best of my knowledge, Stripe does not have any vulnerabilities that can be targeted by attackers. But an enterprising phisher might check to see if it does, along with other platforms the campaign relies on, like its fundraising engines or secure email gateways.

Using what they learn about a campaign’s technology stack, phishers could create an email that has a better chance of getting through and causing serious damage.

Third-party services are notorious for lackluster cybersecurity, especially small businesses (like campaigns) with small security budgets. Say a campaign office in Wisconsin uses a local caterer. A phish disguised as a friendly email, with an innocent-looking invoice attached, might not fool most staffers. But it only takes one. Larger third parties, especially tech providers of SaaS, software, and cloud platforms, offer attackers even more fodder. Who provides the payroll system for the Biden campaign? The email marketing suite for Trump 2020? It’s not hard to find out.

We all need to step up

There are plenty of other sources phishing attackers can mine for intel. Social media is probably the richest lode. Is resistance futile? Not at all. The fallible human beings phishing attackers prey on can also be stout defenders when they learn the right habits. Regular training and healthy skepticism go a long way.

Transparency is essential to democratic elections. But security is also important to the integrity of the process. Ultimately, all of us—whether we’re security professionals, campaign staffers, or both—need to be vigilant. Before you click, verify.

Joshua Bartolomie is the director of Cofense Labs and Cofense Intelligence. He is responsible for translating corporate business strategies, cyber threat landscapes, and related environmental conditions into cutting edge and actionable cybersecurity research.