- Election-related domains are 56% more likely to be malicious than other new domains
- 16% of all election-related domains created in September were malicious
- 24% increase in new registered election-related domains since mid-August
The COVID-19 pandemic has had an impact on almost all aspects of our lives, and the 2020 US Presidential Election is no exception. As a result of people taking precautions to avoid infection, there will most likely be in an increase in the number of voters using the US mail service to cast their votes by post. In the 2016 elections 23.6% of voters voted by mail and it’s estimated that this will increase to 37%.
As with any significant global event, threat actors have been gearing up to take advantage for their own purposes. There was a great deal of discussion around securing the 2016 presidential election, but the cyber-landscape and risks have changed dramatically since 2016. Previously, most attacks were leveraging the vulnerabilities of the voting infrastructure to determine the election results. Now in 2020 it appears that cyber-attacks are being used to reduce public confidence in, and cast doubt on the accuracy of the election results.
So what weapons are in the arsenal of the threat actors looking to target the upcoming election, and what can be done to address potential risks?
What could cybercriminals get up to during the election period?
DDOS attacks on the US postal service
The postal service consists of conveyors, sorters, scanners, servers and databases that would have to function together to allow millions of voters to exercise their right to vote. This digital system, unfortunately, could be a target for cyber-attacks.
A denial of service attack on postal branches in various states could result in significant delays in the delivery of votes to the relevant authorities for tabulation. While this type of attack is not capable of directly skewing the results, it could lead to questions about the integrity of the results and erode public confidence in the democratic process.
In addition – some states have already suffered issues with the overloading and crashing of the online voter registration system. In Florida, Gov. Ron Desantis had to extend voter registration deadline by a few days after heavy traffic crashed the state’s online system and prevented an estimated thousands of citizens from registering to cast their vote in the 2020 presidential election.
It is critical that the national cyber authorities implement DDoS mitigation solutions that have the capabilities to protect and prevent such destructive attacks. Such protection must secure the infrastructure of the service, and have the ability to automatically detect and mitigate known and zero-day DoS/DDoS attacks in real-time.
Fake news as a central attack vector
The claim of ‘fake news!’ surrounding contentious issues has become a new attack vector over the past four years without people really understanding its full impact. Following the 2016 election, U.S. officials accused foreign countries of trying to influence the elections through the spread of false information, fabricated news items, and misleading data aimed at shifting public opinion in favor of the candidate of their choice.
For example, we can see from the graph below how Russian accounts were promoting particular news headlines on social media. While it’s still not clear who leaked the Clinton WikiLeaks document we can see the story being published via puppet accounts that flooded the news, eventually damaging the chances of one of the candidates.
These puppet accounts continue to grow in number, and appear daily on social media channels, pushing messages and flooding the online scene. Examples of such can be found on groups like We love president Donald J. Trump and “Trump_Friends” and “Silent majority chooses greatness Trump 2020”
- Be aware of the content you engage with. Where did it originate from? Are you being called to amplify it? Do you have a strong emotional reaction to it? Are you being asked to spend money?
- Always look out for and check links you receive
- Only Always use information from trustworthy and official sources
- Look out for timestamps on content – you can find yourself sharing old, non-relevant news
- Do not open e-mails or attachments from unknown sources or individuals. Do not respond or initiate communication with unsolicited e-mail senders.
Attacking the result publication process
One memorable attack impacting the election result-publication systems occurred in the 2014 Ukrainian elections, when government experts detected and removed malware designed to change the vote results that were supposed to be presented. The malware had been designed to portray the ultra-nationalist, right-wing party leader Dmytro Yarosh as the winner with 37 percent of the votes instead of the 1 percent that he actually received. Although the malware was removed and the correct results were presented on the CEC website, Russian Channel One incorrectly reported that Yarosh was leading with 37 percent of the votes and displayed a screenshot from the CEC showing these fake results. This can be simply overcome by establishing alternative communication channels with public media and press agencies.
National cyber authorities must make sure their result publication systems contain malware defense that include layers of safeguards, including continuous network scans. Today’s next generation firewalls can protect against viruses, worms, Trojans, spyware and ransomware, and have the ability to identify and completely block malware before they enter the network and inflict damage.
Internet memes are a very efficient method for conveying specific messages, delivering them via visuals that become viral due to an audience relating to them.
In the 2016 US elections, memes were used frequently and we expect this trend to be even more prevalent this time round.
“Meme camouflage” aims to defeat the algorithm of social media by flooding it with memes that spread the desired messages. Meme channels, such as “Meme ware 2020 #9” and “Election win memes” are channels that were built with the target of flooding social media platforms on the night of the elections, even if the results have been tallied. The actual “game plan” of such channels is to bypass the way social media deletes messages – by simply flooding hundreds of them and get at least some of them stay online undetected by social media admins. This is very likely to happen on election night itself.
Hacking the crown jewels – leaking documents snatched from the opponent candidate
During the 2016 elections, hackers allegedly affiliated with foreign actors infiltrated the information systems of the Democratic National Committee (DNC), the Democratic Congressional Campaign Committee (DCCC), and Clinton campaign officials, notably chairman John Podesta, and publicly released stolen files and emails through WikiLeaks, among other outlets, during the election campaign.
Russian government officials have denied involvement in any of the hacks or leaks creating frequent negative news cycles.
On the other side of the political map, the RNC (Republican National Committee) was not immune to such attacks, on January 10, 2017, it was revealed by FBI officials that Russia succeeded in “collecting some information from Republican-affiliated targets but did not leak it to the public”
Data loss prevention (DLP) is a cybersecurity methodology that combines technology and best practices to prevent the exposure of sensitive information outside of an organization, especially regulated data. Today’s most effective data loss prevention solutions combine technology and processes.
Best practices in avoiding data breaches must always involve:
- Access limitations and management of access to sensitive data
- Passwords should be maintained on all accounts
- Enforce password policies within the organiztion
- Enforce information security awareness and education
- Use authentication and endpoint security on which data is stored
Domains related to the Elections are 56% more likely to be malicious
According to Check Point Researchers, there is a 56% higher chance of an election-related domain being malicious, compared to other new domains registered at the same time period, Since mid-August there have been on average 1,545 new election-related domains being registered weekly, presenting a 24% increase from the previous couple of months. 16% of the ones registered in September were found to be malicious.
The statistics and data used in this report present data detected by Check Point’s Threat Prevention technologies, stored and analyzed in ThreatCloud. ThreatCloud provides real-time threat intelligence derived from hundreds of millions of sensors worldwide, over networks, endpoints and mobiles. The intelligence is enriched with AI-based engines and exclusive research data from the Check Point Research – The intelligence & Research Arm of Check Point.
The FBI and the Department of Homeland Security’s cybersecurity agency have issued a series of advisories in recent weeks warning voters against spoofed internet domains and email accounts that pose cyber risk and disinformation to voters.
In a recent report we already saw how just days after the first presidential debate, hackers, under the guise of the Democratic party, began spreading the infamous Emotet malware through a spam campaign. The Emotet trojan remains in 1st place in the Index of our researchers “Most Wanted Malware” for the third month in succession, impacting 14% of organizations globally.
To avoid falling victim to phishing scams, we recommend the following:
- Verify you are using a URL from an authentic website. One way to do this is NOT to click on links in emails, and instead click on the link from the Google results page after searching for it.
- Beware of “special” offers. An 80% discount on a new iPhone is usually not a reliable or trustworthy purchase opportunity.
- Beware of lookalike domains, spelling errors in emails or websites, and unfamiliar email senders.
In conclusion, the 2020 US Presidential Election will be the subject and target of unprecedented cyber-activity by a range of threat actors, from criminals to nation-state backed groups. This in turn demands a new level of security awareness and vigilance by Homeland Security, regional authorities and individuals to ensure that the democratic will of the people truly prevails.