Websites are not safe. Just last week, I accidentally infected one of my own computers with some nasty spyware by clicking on the wrong link on the wrong creepy website; at least, I think that’s what happened. Some websites host what are called “drive-by infections,” where you don’t even have to click anything to get infected; all you have to do is look at the website. It took me hours to clean up the mess. Many otherwise legitimate websites now serve up viruses and spyware to their customers, often without the websites’ authors being aware that anything is amiss.
Black hat hackers have also been messing around with the websites of candidates in the upcoming 2008 elections. A preview chapter from the forthcoming book titled “Crimeware,” to be published by Symantec Press, details how cybercriminals have been setting up fake election websites for years, and are now working to impersonate, shut down and hack the real websites of 2008 presidential candidates. The chapter, titled “Cybercrime and The Electoral System,” written by security expert Oliver Friedrichs, also acknowledges how vote fraud through the use of compromised computers and voting machines is a very real possibility.
Friedrichs writes, “It is important to understand the associated risks as political candidates increasingly turn to the Internet to more effectively communicate their positions, rally supporters, and seek to sway critics. These risks include among others the dissemination of misinformation, fraud, phishing, malicious code, and the invasion of privacy. Some of these attacks, including those involving the diversion of online campaign donations have the potential to threaten voters’ faith in our electoral system.”
One of the most common attacks is the use of fake websites, known as “domain name abuse.” Part of this tactic involves setting up websites that are slight misspellings of the real thing, such as “narackoboma.com” instead of the real website address, barackoboma.com. You may be the world’s greatest typist, but hundreds of thousands of website names are misspelled every day. At the time he did his research, Friedrichs discovered 52 websites that had been registered as typos of the real Oboma website. When he visited barackobams.com, he discovered advertisements that led to Oboma’s real website. However, if users clicked on the ads, the bad guys earned money that, through some clever hacker manipulations, the real Obama campaign was obliged to pay. Some phony candidate websites, rather than being malicious, are merely hilarious. Check out hillaryclingon.com; it’s a hoot.
Other cybercriminals use fake websites to solicit campaign donations or trick people into calling for-fee 1-900 numbers. This happened to the Kerry-Edwards campaign in 2004. Along with collecting easy cash, the fraudsters made off with numerous credit card numbers and other personal information; they were never caught.
Another way the bad guys have messed with campaign websites is through what is called a “denial of service (DOS)” attack. DOS attacks often work by having thousands or millions of previously hacked computers try to visit the same website at the same time. Often, the website’s host computers cannot handle the traffic load and simply shut down. Not only can a DOS attack literally take a website offline, it can also deny service to email addresses linked to the website address. This happened last year to Joe Lieberman’s joe2006.com website. Speculation exists that Democrat Party hackers kicked the website offline in retaliation for Lieberman’s leaving their party to run as an Independent, though no concrete evidence exists to that effect.
The most ominous threat to campaign security involves voting machine fraud. Writes Friedrichs: “There are many serious and important risks to consider related to the security of the voting process, and the new breed of electronic voting machines… Risks include the ability for attackers or insiders to either manipulate these machines or to alter and tamper with the end results.” I think that it’s time for us to ask our elected servants, “What are you doing to insure that voting machines function accurately, can be easily audited, and cannot be hacked?” By the time that the 2008 elections roll around, it may be too late.