Candidates appear to be paying little attention to the possibilities of online shenanigans being carried out in their names.
Using the Internet in an election campaign is not a new idea, but would-be presidential candidates have embraced the concept in this election cycle like never before.
'Every campaign is online today,' said Oliver Friedrichs, director of emerging technology at Symantec Security Response. 'Everyone uses e-mail, they have Web sites and they blog.'
And they have been successful. During his entire 2004 campaign, John Kerry raised $82 million through online contributions. This January alone, Barack Obama raised $28 million online'80 percent of his contributions that month.
But along with the newfound power of the Internet comes equally significant threats, Friedrichs said at the Black Hat Federal Briefings yesterday in Washington.
Hundreds of Internet domains have been registered based on variations of legitimate campaign Web site domain names, creating the possibility of confusion, misinformation, illicit profit or hacking. They also could be used to intercept misdirected e-mail, Friedrichs said. 'This is really scary.'
But candidates appear to be paying little attention to the possibilities of online shenanigans being carried out in their names.
'The campaigns haven't taken steps to protect themselves from the problem,' said Friedrichs, who has contributed a chapter on cybercrime and the electoral system to the upcoming book Crimeware, to be published by Symantec Press and Addison-Wesley Professional.
As an experiment, Friedrichs registered 124 phony campaign domains himself. 'Anyone can do this,' he said. 'It cost me $800.' Although U.S. law and international rules on intellectual property allow legitimate parties to recover their name domains from squatters, no one has contacted him about the domains, Friedrichs said.
Friedrichs did research on two types of common fraudulent URLs: Typos of legitimate sites, and cousins, which are variations of a site name. Using a program to generate common typographical errors, he searched for registered domains based on misspellings and variations last year. He found 242 registered typo domains and 2,287 registered cousin domains. Not surprisingly, the front-running candidates were the most frequently targeted. There were 58 Hillary Clinton typo sites registered, and 52 for Obama. There were 566 Clinton cousin domains registered, and 337 Obama cousins. Ron Paul came in third on the cousin list with 276 phony domains registered.
A new survey this month, when the field had been whittled down to a few front-runners, showed some changes in the numbers, but plenty of sites were still there. Some of the phony domains direct visitors to the legitimate sites, some have their own sites that serve up advertisements and some are politically malicious. Any of them could be used to upload malicious code to an unsuspecting visitor or solicit contributions.
Friedrichs set up a server to redirect would-be visitors to his 124 phony domains to legitimate campaign Web sites. An analysis of traffic to the server over a three-week period that included the Super Tuesday primaries showed 4,600 hits from more than 3,000 individuals trying to access the phony domains. Friedrichs called the level of traffic negligible, but said, 'I could do a lot with those 3,000 visitors' if he were a hacker. With the growing number of Web browser vulnerabilities, exploits would be easy.
He also experimented to see what kind of e-mail traffic a phony domain name could attract. He created a record to direct e-mails using his typo domains to a mail server. Because he did not want the liability of actually receiving messages intended for someone else, he blocked the port on the server, but counted the number of connections attempted. In one 24-hour period there were more than 1,000 attempts. Most of those could have been spam, of course. But there could also have been some attempts at legitimate communication by persons who mistyped an e-mail address.
The bottom line is, anyone with a presence on the Web needs to protect their identity, Friedrichs said. 'If you have a domain today, register your typos.'
NEXT STORY: (Don't) Click here for a tax refund