Online contributions have become a major funding source for political campaigns. Late last year, for example, Republican presidential candidate Ron Paul raised a record $4.3 million online in a single day. Each of the race's top contenders—Barack Obama, Hillary Clinton, John McCain, and Mitt Romney—solicits online donations from web-savvy contributors.
The trend, however, has led researchers to consider donors' vulnerability to phishing. The finding: they are highly vulnerable, although there is no evidence phishers have taken advantage of this opportunity yet.
According to Chris Soghoian, a political-phishing researcher who writes for CNET.com, online contributions are susceptible to fraud because campaigns don't even acknowledge the danger, let alone take steps to prevent it.
Soghoian says there are four primary reasons online political donors make good marks.
Luckily, both Google and PayPal have created online payment solutions adapted for online campaign contributions, which Soghoian reports "laid the groundwork for phishing-resistant campaign contributions."
Still, dangers abound for online contributors unless campaigns do these three things, says Soghoian:
First, the campaigns all need to ditch their home-brew payment-processing solutions and switch to the exclusive use of Google, PayPal, or both.
Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.
Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.
Oliver Friedrichs, another political-phishing researcher and director of emerging technologies for Symantec Security Response, says campaigns should also register all the typo domains associated with their campaign before a cybercrook does. The Clinton campaign, for example, would register every plausible variation of its official domain name—Hillary.com, Hillaryforpresident.com, Clinton2008.com, and so on—including misspellings, so cybercriminals can't use those addresses in a phishing e-mail.
Registering typo domains benefits campaigns and their supporters in another way as well. Online supporters don't arrive at fraudulent campaign sites only through phishing. A single typing mistake, or simply guessing the wrong domain name, can lead supporters to a fake campaign site, where they may donate to thieves or expose themselves to identity theft. Or the fake site may simply carry politically motivated, misleading or slanderous information about the candidate.
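As an added example (not code from the article, from Friedrichs, or from any campaign), the following Python script produces the typo-variant list a campaign would hand to its registrar, reports which candidates it does not yet control, and can flag a link host found in an e-mail as a lookalike of the official domain. The campaign domain, the "already owned" set and the QWERTY neighbour table are constructed assumptions; checking live registration status against WHOIS is deliberately left out so the script runs offline.

```python
"""Typo-domain generator: the list a campaign would hand its registrar.

Added example, not from the article or any campaign. The domain, the
"already owned" set and the keyboard map are constructed for illustration
(assumption: US QWERTY layout).
"""
import re

# Keys adjacent on a US QWERTY keyboard, for fat-finger substitutions.
KEY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu",
    "z": "asx",
}

# Alternate TLDs supporters commonly guess; worth registering too.
ALT_TLDS = ("com", "org", "net", "us", "info")

# A valid DNS label: alphanumerics, hyphens allowed only on the inside.
_LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


def typo_labels(label: str) -> set[str]:
    """Single-keystroke variants of a DNS label: dropped key, doubled key,
    swapped pair, neighbouring key, and an inserted hyphen."""
    label = label.lower()
    out: set[str] = set()
    n = len(label)
    for i, ch in enumerate(label):
        out.add(label[:i] + label[i + 1:])                 # dropped key
        out.add(label[:i] + ch + ch + label[i + 1:])       # doubled key
        if i < n - 1:                                      # swapped pair
            out.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for k in KEY_NEIGHBOURS.get(ch, ""):               # neighbouring key
            out.add(label[:i] + k + label[i + 1:])
        if i > 0:                                          # inserted hyphen
            out.add(label[:i] + "-" + label[i:])
    out.discard(label)
    return {v for v in out if _LABEL_RE.fullmatch(v)}


def candidate_domains(domain: str) -> set[str]:
    """Every name a squatter could plausibly use against `domain`: typo labels
    under its own TLD, plus the genuine label under the other common TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    cands = {f"{v}.{tld}" for v in typo_labels(label)}
    cands |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return cands


def registration_gaps(domain: str, owned: set[str]) -> list[str]:
    """Candidates the campaign does not yet control, sorted for the registrar."""
    owned_l = {d.lower() for d in owned}
    return sorted(d for d in candidate_domains(domain) if d not in owned_l)


def is_lookalike(host: str, domain: str) -> bool:
    """True if a link host seen in an e-mail is a typo or TLD variant of `domain`."""
    return host.lower() in candidate_domains(domain)


if __name__ == "__main__":
    # Constructed sample: a fictional campaign that owns only three names.
    official = "janedoe2008.com"
    owned = {"janedoe2008.com", "janedoe2008.org", "jandoe2008.com"}
    gaps = registration_gaps(official, owned)
    print(f"{len(gaps)} lookalikes of {official} still unregistered, e.g.:")
    for d in gaps[:10]:
        print("  ", d)
    print("jane-doe2008.com is a lookalike:", is_lookalike("jane-doe2008.com", official))
```

The output is only a candidate list; before buying names, a campaign would still run each one through its registrar or a WHOIS lookup to see which a squatter already holds, and `is_lookalike` is the same table used in the other direction, to flag a suspicious link host in a reported e-mail.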
Whether or not campaigns will be farsighted enough to take these risks seriously and protect themselves, says Soghoian, "remains to be seen."