The threat of political phishing
Internet based donations to political hopefuls are now a vital part of any successful campaign. But how safe is it for you to click the "donate" button on an unsolicited e-mail from a candidate?
Later today, I will be presenting as part of a panel on the subject of political phishing at the Anti-Phishing Working Group eCrime Researchers Summit.
During the panel discussion, I will be speaking about the threats to the online fundraising model used by political candidates in the United States. While attacks in the wild have yet to be seen, there are a number of factors which make online campaign giving particularly vulnerable to phishing attacks.
To go along with my talk, Professor Markus Jakobsson and I have released a white paper which clearly explains the issues, threats and a solution to the problem. The slides for my talk are also available online at www.politicalphishing.com.Based on advice from legal counsel, I won't be including any of the screenshots and synthetic examples of political phishing sites in this blog post. This research needs to remain 100% non-commercial, and since I get paid for this blog, I don't want to be seen as profiting from this phishing project. I'll explain the problem of political phishing briefly here, but if you find the subject interesting, I urge you to go and read our technical report or at least look at the slides.
Hillary Clinton made headlines earlier this week when it was announced that she raised over $8 million through online donations in the third quarter of 2007. In the grand scheme of online political donations - this is a fairly small sum. After all, in 2004, John Kerry raised $3 million in a single day, and $5 million over a two day period. The reason that Hillary's financial haul is such a big story is that it is over a year before the presidential election, and she has yet to win the Democratic primary. Thus, I feel completely safe in predicting that the 2008 election will result in more online campaign donations than ever before.
The problem with this of course, is that where the money flows, fraudsters and criminals soon follow. While banks and other financial firms regularly urge their customers never to click on links contained in emails, political campaigns preach the opposite message. The regular flood of campaign emails in my inbox attests to the fact that politicians depend on you "acting now" - which usually either involves clicking on and filing out a petition, or donating funds. If Hillary Clinton's campaign (or Mitt Romney's , Fred Thompson's or any other candidate's campaign) can convince users to click on an email that arrives unsolicited in their inboxes, pull out their credit cards, and give money to a website that they have no real way of authenticating - then the phishers can too.
One of the main problems is that candidates use such inconsistent schemes when picking a domain name for their official website. A pop quiz: Should a potential donor visit joinrudy08.com, or rudygiuliani.com, barack.com or barackobama.com, fredthompson.com or fred08.com? If a user clicks on a web advertisement that takes them to hillary08.com, how can they be sure that they are at her official campaign website?This little taste should be enough to at least explain the risks of political phishing. While 2008 will certainly be the biggest year of online fundraising, it may also be the year that political phishing becomes a serious issue. For more information on the subject, please read our white paper and check out our slides containing synthetic political phishing emails and websites. Both are located at www.politicalphishing.com. Would you be fooled?