How the Mail-In Voting Controversy Creates Opportunity for Identity Theft and Cyber Attacks
Mail-in voting has seen renewed controversy as it's become an impromptu battleground for political responses to Covid-19. Some insist that voting in person will expose voters to the virus, while others focus instead on the potential for fraud and ballot-tampering. Politics aside, the tension and confusion have created the perfect recipe of fear, uncertainty and doubt (FUD) that cyber attackers crave, allowing them to take advantage of private citizens whose online judgment is clouded by emotion.
It's a pretty easy scenario to imagine: A potential voter types in a quick Google search to find out what the mail-in voting rules for their county are. Their state hasn't made the move to a dot-gov domain name (which involves some level of validation that it's a legitimate site) and instead hosts its election information on a dot-com site. In this case, it would be easy for a cyber attacker to typosquat, registering a similar-sounding URL that features misleading information or, even worse, redirects to a malicious site that collects user information or downloads malware onto the visitor's computer. There were spikes in fake Covid-related websites, and this is already starting to recur with regard to mail-in voting sites.
In fact, the Department of Homeland Security recently released a bulletin to state and local governments that cautioned, "The FBI between March and June 2020 identified suspicious typosquatting of U.S. state and federal election domains, according to recent FBI reporting from a collaborative source." These sites had URLs that were very close to legitimate government sites but weren't actually legitimate sites. It's disturbing to think that spreading misinformation and confusion can be so simple, but it absolutely is. The FUD that surrounds mail-in voting creates a perfect opportunity for bad actors to prey on the emotional decision-making that many find themselves guilty of when researching a hot-button issue like mail-in voting.
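For defenders, the two patterns described above (a dot-com copy of a dot-gov name, and a near-miss spelling of a legitimate name) can be checked mechanically against an allowlist of known election sites. The sketch below is an added example, not something from the DHS bulletin or the original article; the allowlist, the sample hostnames and the two-edit threshold are assumptions chosen for illustration.

```python
# Added example; every domain name below is constructed for illustration.
LEGIT = ["vote.examplestate.gov", "examplecounty-elections.gov"]  # hypothetical allowlist

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def split_tld(domain):
    """Split 'vote.examplestate.gov' into ('vote.examplestate', 'gov')."""
    name, _, tld = domain.rpartition(".")
    return name, tld

def classify(observed, legit=LEGIT, max_edits=2):
    """Return (verdict, legitimate domain it resembles or None)."""
    obs = observed.lower().rstrip(".")
    if obs in legit:
        return ("legitimate", obs)
    o_name, o_tld = split_tld(obs)
    for good in legit:
        g_name, g_tld = split_tld(good)
        if o_name == g_name and o_tld != g_tld:
            return ("tld-swap", good)       # e.g. dot-com copy of a dot-gov name
        if osa_distance(o_name, g_name) <= max_edits:
            return ("lookalike", good)      # near-miss spelling
    return ("unrelated", None)

def flag_suspicious(hostnames):
    """Keep only the hostnames that imitate an allowlisted domain."""
    results = [(h, *classify(h)) for h in hostnames]
    return [r for r in results if r[1] in ("tld-swap", "lookalike")]

if __name__ == "__main__":
    observed = ["vote.examplestate.gov", "vote.examplestate.com",
                "vote.exmaplestate.gov", "news.example.org"]  # constructed sample
    for host, verdict, target in flag_suspicious(observed):
        print(f"{host}: {verdict} of {target}")
```

The hostnames fed to `flag_suspicious` would typically come from DNS or web proxy logs; with very short domain names a two-edit threshold produces false positives, so the threshold should be lowered for those.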
Working from home creates many possibilities — for attackers
There’s no doubt that employees now make up an enterprise’s network perimeter, and this vastly increased attack surface area has created an irresistible target of opportunity for bad actors. They don’t have to try to penetrate corporate bastions of security anymore; now getting access to one corporate device is as simple as cracking a home network with a password like “password” (if it’s even secured at all).
Corporations need to ensure their employees are aware of potential threats before they happen, not after. Predicting that a hot-button issue like mail-in voting could be a good subject for an effective spearphishing campaign doesn’t require a crystal ball. An employee who is at least aware of this is better prepared than an employee who has no idea. Cyber attackers are undoubtedly innovative, but simple phishing, instead of complex hacking attacks, continues to be the most common way for attackers to gain access to secured corporate resources. Couple this with the advanced techniques that attackers have developed, like using encrypted messaging apps or faking legitimate voice calls, and the vulnerabilities are guaranteed.
Employees working from home are more susceptible to a variety of attacks than when they're protected by the office network. Firewalls can't block typosquatting URLs when the computer isn't even on the network, and host-based firewalls are only effective when they are patched consistently. This all underscores why election season is a situation fraught with potential vulnerabilities and risks.
Using election confusion to get people to "take the bait"
The number of ways cyber attackers can prey on people is truly astonishing. Sophisticated attacks are already quite easy to fall for, even for those on their guard against cybercrime. A person who's concerned about mail-in voting and is experiencing an emotional response to the issue will inevitably find that their guard is lowered. They may be more likely to click a link when they would otherwise have known better. There is already evidence of phone scams trying to get people's social security numbers by telling them that they're registering to vote.
Nation-states and cyber campaigns
Attackers aren't just lone-wolf hackers, sitting in their parents’ basement eating Cheetos and stealing people's identities. U.S. counterintelligence officials have already confirmed that Russia, China and Iran have an interest in who wins the election, and they likely already have active cyber campaigns to achieve their preferred outcomes. Although it's difficult to actually affect voting, they can easily affect public opinions, perceptions and trust in the democratic processes in the U.S. by posting fraudulent information online. This loss of trust will make people less discerning in the links they click or the software they download.
There's really no way to be absolutely sure that the websites we visit are legitimate. Even sites from reputable sources are filled with bias and misleading information. Add foreign cyber adversaries to the mix and any controversial topic is sure to draw a host of illegitimate copycat websites. A cyber attacker with a nation-state's resources is capable of even more sophisticated attacks on individuals.
Not a question of if, but when
The speed at which pre-election controversies can spread on the internet creates an environment in which cybercriminals thrive. All of the confusion, political spin and misinformation that surrounds the issue of mail-in voting can help cyber attackers gain access to their potential victims by targeting a person through analytics and social engineering. Corporations and their employees will likely remain prime targets for attackers. It's not a question of if this will happen, but when — and the security industry needs to be prepared accordingly.