US elections are still vulnerable to email spoofing

A recent Valimail report spells out several potential threats that can impact election security. But there are ways to protect your organization.

American flag made of binary code

Image: iStock/bestdesigns

An election security report released by Valimail exposed some significant issues with email security which could have the potential to disrupt the 2020 elections. The good news is that hacked voting machines or tampered mail-in ballots are not the problem, but the bad news is that domain spoofing and impersonation-based phishing email attacks are. 

SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)

This spells out a potential opportunity for malicious actors to misrepresent themselves as authority figures involved with elections or campaigns or political action committees. It turns out that 93% of the largest counties in the country and about 97% of the states have unprotected domains. 

Some key findings from the report, according to Valimail:

  • Only 15% of campaigns and political action committees (PACs) are protected from spoofing with DMARC enforcement
  • Democrats have better email security hygiene in this respect: is protected by DMARC enforcement; and are unprotected
  • Only 3.3% of US state domains are protected
  • Just 7% of the largest counties' domains are protected, an increase of just 2 percentage points from 2019
  • Only one of the eight election systems manufacturers certified by the US government is protected from email spoofing

Valimail issued a press release stating, "You often hear of email phishing within the corporate world—when business email compromise or related attacks result in loss of funds or proprietary data—but the threat within the US election infrastructure is unique," said Alexander García-Tobar, CEO and co-founder of Valimail. "Malicious agents could use the essential and pervasive nature of email to spread uncertainty, confusion, misinformation or doubt, which could, in turn, interfere with a free and fair election."


Image: Valimail

As a system administrator I've seen every possible scenario involving phishing attacks. Such subjective examples of the mayhem which might ensue are:

  • False emails purportedly from election officials claiming that they are tampering with votes or ballots, or that they have discovered individuals doing so. This can then sow doubt upon the results or tie up the process through recounts or lawsuits.
  • Hoax claims that a certain political candidate is actively collaborating with the election officials to "rig" the election and eke out an undeserved win, with the goal being to discredit the candidate.Invalid assertions that various groups, agencies or foreign governments are in an on election "fix" in order to sow animosity toward these entities or cast doubt on their credibility.
  • These emails entail the use of spoofing, whereby valid email addresses or domains are used in the From or Rcpt To fields of an email message. To the recipient, these emails appear legitimate even though they are not. 

This is not the first time email security—or the lack thereof—played a role during an election season. In 2016 the Democratic National Committee's email environment was compromised by a Russian hacker who used phishing strategies to gain access. The hacker obtained more than 60,000 emails and released them in an effort to generate scandal and controversy.

SEE: FBI warns of cybercriminals spreading false info about 2020 election results (TechRepublic)

Another discovery discussed in the report is the potential for denial of service (DNS) attacks directed at political campaigns. Similarly, tens of thousands of attempts to leverage security vulnerabilities against government election-related sites are being conducted each day.

The remedies for the latter two issues are fairly straightforward: Apply all patches on a routine basis, lock down access to systems only to authorized personnel, mandate complex passwords that rotate frequently, disable access for former employees, and build a denial of service protection strategy using these tips.

SEE: Phishing groups are collecting user data, email and banking passwords via fake voter registration forms (ZDNet)

Safeguarding email depends on mandating that emails from your organization are checked to ensure the senders really are who they say they are. This entails the use of Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). 

All three of these powerful tools entail using a specific DNS record for your domain to prove email from this source is legitimate. Recipient domains will reference these records to obtain more information about the origins of a particular email. A DMARC record can instruct recipients to discard messages from unauthenticated senders. An SPF record can confirm the legitimate IP address(es) of the sending email server so that recipients receiving email from illegitimate IP addresses can discard these items. Finally, a DKIM record provides public key information that can be matched against a digital signature included in the email headers. If the digital signature is missing or incorrect, the email never gets through. All three mechanisms can be used in conjunction for maximum security.

Obviously, these threats aren't merely limited to businesses or groups related to elections; any public facing domain or system can be adversely impacted by them. 

Also see