Cybersecurity experts warn that phishers' next target may be online political contributions.
Online contributions have become a major funding source for political campaigns. Late last year, for example, Republican presidential candidate Ron Paul raised a record $4.3 million online in just one day. Each of the race's top contenders—Barack Obama, Hillary Clinton, John McCain, and Mitt Romney— solicit online donations from web savvy contributors.
The trend, however, has led researchers to consider donors' vulnerability to phishing. The finding: they are highly vulnerable, although there is no evidence phishers have taken advantage of this opportunity yet.
According to one political phishing researcher Chris Soghoian of CNET.com, online contributions are susceptible to fraud because campaigns don't even acknowledge the danger, let alone take steps to prevent it.
Soghoian says there are four primary reasons online political donors make good marks.
- There is no consistent domain naming scheme across campaigns. "[U]sers have no way of knowing if they should go to Hillaryclinton.com or Hillary.com , Rudygiuliani.com or Joinrudy2008.com ," writes Soghoian. If Hillary.com was a fradulent Web address, its operator, not the Clinton campaign, would receive money from victim "donors." (Fake domain names mimicking real domain names are known as typo domain names.)
- Politicians are not bound by anti-spamming laws. Unlike retailers, politicians can send out thousands of unsolicited emails.
- Politicians encourage users to donate to their campaigns by clicking on links within emails. "While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails," Soghoian writes, "the campaigns all encourage this dangerous behavior."
- The nature of online contributions makes it harder to discover fraud occurred. If a customer buys a product from Amazon.com, he or she would become suspicious when the package never arrived. After a call to Amazon.com to see what's taking so long, the customer would discover something shady happened. Because an online contributor doesn't expect a physical product to show up at their doorstep, it's easier for the fraud to go undetected for longer periods of time.
Luckily, both Google and PayPal have created online payment solutions adapted for online campaign contributions, which Soghoian reports "laid the groundwork for phishing-resistant campaign contributions."
Still, dangers abound for online contributors unless campaigns do these three things, says Soghoian:
First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.
Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.
Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.
Oliver Friedrichs, another political phishing researcher and director of emerging technologies for Symantec Security Response, says campaigns should also register all the typo domains associated with their campaign before a cybercrook does. The Clinton campaign, for example, would register all the possible iterations of its official domain name—such as Hillary.com, Hillaryforpresident.com, Clinton2008.com, etc.—including typos, so cybercriminals can't use these phony addresses in a phishing email.
Registering typo domains is mutually advantageous to campaigns and their supporters in another way. Online supporters don't just find their way onto fradulent campaign sites due to phishing. One typing mistake, or simply guessing the wrong domain name could lead supporters to a fake campaign site, where they may donate to theives, or risk identity theft. Or, the fake site may simply contain politically-motivated misleading or slanderous information about the candidate.
Whether or not campaigns will be farsighted enough to take these risks seriously and protect themselves, says Soghoian, "remains to be seen."