Despite warnings about possible cyberattacks aimed at undermining midterm election security, new research reveals an overwhelming number of evaluated state, territory and District of Columbia election offices as highly vulnerable to email spoofing. Released today, the “Email Spoofing Threat to the 2018 U.S. Midterm Elections” report by Anomali Labs, the R&D arm of threat intelligence company Anomali, explores the strength of email security programs for election-related infrastructure. And of the 90 state, territory and District of Columbia election offices Anomali Labs assessed, 96 percent are “highly susceptible” to email spoofing attacks. The report found a low adoption rate of strong email authentication and email security standards among the majority of state-level election offices and their online voter registration sites. Adoption overall is inconsistent across the board. Being spoofable means threat actors could falsify the sender’s origins to appear as if the fraudulent email came from a legitimate government organization, according to the report. This type of threat is “100 percent real, and as far as urgency, given that phishing is the No. 1 attack vector, not just against election officials but also in industry in general, I think it’s very, very high,” said Roberto Sanchez, Anomali director of threat and sharing analysis and the lead researcher for the election security report.
And the email spoofing attacks on election systems do happen. A recent one occurred before the 2016 presidential election when Russian state-sponsored actors targeted the American Samoa Election Office by sending test emails to addresses at the office to see if those accounts were active, in order to potentially launch a phishing attack, The Intercept reported.
And, of course, the Russian government compromised the emails of U.S. political organizations associated with the 2016 U.S. presidential elections and exposed those hacked emails on DCLeaks.com and WikiLeaks, according to a joint statement by the FBI and Homeland Security Department. “It’s a known tactic and it’s extremely easy to fix, so that’s why we want to make sure that it’s pressed upon the local and state that they are empowered to protect themselves with quick measures,” Sanchez said.
These email security standards are easy to implement, and there are many that help detect and fight off email forgery, he added. In fact, “it’s as simple as, I could probably do it overnight for all the states and territories myself,” Sanchez said, and developing the policies is especially uncomplicated.
Full Article: Report: Election Offices ‘Highly Susceptible’ to Spoofing.