Only three months ago, the Agari team published our first in-depth analysis on how the top candidates for the US presidency compared when it comes to email security. The kinds of email attacks that helped derail Hillary Clinton’s candidacy in 2016 are only getting more sophisticated, and new data released today shows that campaigns are not taking the threat as seriously as they should.
The Q3 2019 Email Fraud and Identity Deception Report from the Agari Cyber Intelligence Division shows that little has changed over the last ninety days when it comes to election security. The majority of the current front runners are still susceptible to phishing attacks against their campaign staff and to email scams that impersonate their donors, voters, and the media—both foreign and domestic.
Meanwhile, we’re seeing new trends in how cybercriminals execute business email compromise (BEC) and other advanced threats, which are liable to throw an entire candidacy off-course. After all, it only requires one campaign employee or volunteer to click on one link in a malicious email to install malware or enable a data breach. With so few candidates taking the necessary steps to protect their email infrastructure, it’s likely only a matter of time before the unthinkable happens once again.
When the Report on the Investigation into Russian Interference in the 2016 Presidential Election, better known as the Mueller Report, was released, the investigators squarely pointed to spear phishing as the primary attack vector for Russian hackers seeking to gain access to email credentials or other sensitive information.
That said, a large majority of the top candidates continue to rely solely on the security controls built into their email platforms—Gmail and Microsoft Office 365. And while these platforms can weed out a fair number of malicious emails, they are defenseless when it comes to the types of advanced attacks likely to come from nation-state actors.
Instead of relying on malicious URLs or attachments, this new generation of attacks leverages display name deception, look-alike domains, compromised email accounts, and other techniques that make it appear that the emails are sent from trusted senders. By social-engineering these messages, cybercriminals manipulate recipients into revealing login credentials or sensitive information before they realize that they are being conned. Unfortunately, it is this type of dangerous email message that reaches inboxes undetected by platform-based security controls.
Despite warnings last quarter, Massachusetts Senator Elizabeth Warren and former Massachusetts Governor Bill Weld are the only two candidates who have implemented advanced security protections for their campaigns. This leaves the other eleven candidates, including Democratic front-runner Joe Biden and incumbent President Donald J. Trump, susceptible to attacks that could derail their campaigns.
Unfortunately, candidates must not only be concerned about email directed to them and their campaign staff. There is a far more dangerous email threat that targets donors, voters, and the media. Imagine the damage that can be done by emails that appear to come from the legitimate domain of the candidate, but actually come from a malicious criminal who uses that domain to spread false information to potential voters.
This is entirely possible, and even probable, unless candidates take the steps they need to protect against it by implementing DMARC with a p=reject policy. Last quarter, only Elizabeth Warren had implemented a DMARC policy to stop unauthenticated emails from being sent using her campaign domain. The good news is that the last ninety days have seen massive improvement, as three additional candidates have implemented the policy at its highest level.
While 69% of candidates still remain unprotected, we can take solace in the fact that New Jersey Senator Cory Booker, Hawaii Congresswoman Tulsi Gabbard, and former Vice President Joe Biden have followed Warren’s lead over the last three months. Four other candidates have DMARC set to a monitor-only policy, known as p=none. This is encouraging, as p=none is often considered the first step in moving a domain to the reject policy needed to stop unauthenticated email from reaching the inboxes of its intended targets.
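The difference between p=none and p=reject described above can be read directly from a domain's published DMARC record. The following is an added example, not code from Agari or its report; the level names, sample domains and records are constructed for illustration, and the records stand in for the TXT answers a lookup of `_dmarc.<domain>` would return.

```python
# Added example: classify DMARC enforcement from the TXT records published at
# _dmarc.<domain>. All domains and records below are constructed samples.

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    # RFC 7489: the first tag must be v=DMARC1 (case-sensitive).
    if txt.split(";", 1)[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def enforcement(txt_records):
    """Map a domain's _dmarc TXT records to an enforcement level."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:  # no record, or several: no usable policy
        return "unprotected"
    tags = parsed[0]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # Simplified RFC 7489 fallback: invalid p plus a rua tag acts as p=none.
        return "monitor" if "rua" in tags else "unprotected"
    if policy == "none":
        return "monitor"  # reports only; spoofed mail is still delivered
    pct = tags.get("pct", "100")
    # pct below 100 applies the policy to only a sample of failing mail.
    if pct.isdigit() and int(pct) < 100:
        return "partial-" + policy
    return policy

SAMPLE_RECORDS = {  # constructed, not real campaign domains
    "reject.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example"],
    "monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "partial.example": ["v=DMARC1; p=reject; pct=25"],
    "norecord.example": [],
    "wrongtxt.example": ["v=spf1 -all"],
    "duplicate.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def survey(records):
    """Return per-domain levels and the percentage of domains short of reject."""
    levels = {d: enforcement(r) for d, r in records.items()}
    short = sum(1 for level in levels.values() if level != "reject")
    return levels, round(100 * short / len(levels))
```

Only the first sample domain counts as fully enforced; a `p=reject` record with `pct=25` or a second conflicting record leaves most or all spoofed mail deliverable.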
Given the enormous importance of the email channel in campaign communications, fundraising, and more, we expected to see more movement quarter-over-quarter. Nonetheless, the Federal Election Commission (FEC) ruled on July 11th that political campaigns can accept discounted cybersecurity services from companies without running afoul of existing campaign finance laws. With this ruling, we should expect to see advancements across the board in the next quarter.
As we continue to monitor the changing circumstances around the election, Agari updates the first and only 2020 Presidential Campaign Email Threat Index to measure email security progress among all candidates with a polling average above 1% according to Real Clear Politics. We also continue to stand behind our special candidate offer dedicated to ensuring that every campaign has the protection it needs to prevent the nation-state attacks seeking to crush candidacies and undermine trust in our electoral process.
Email fraud continues to change on a nearly daily basis as cybercriminals find new ways to evade existing defenses and trick candidates. The battle to protect the inbox in the 2020 election is not about individual candidates or entire parties. It’s about preventing fraud for our voters and the American public. It’s about defending the underpinnings of our system. It’s about protecting democracy itself. Agari continues to be all in on that fight. We hope you are too.
To learn more about the state of email security among top 2020 presidential candidates, along with emerging trends in business email compromise and email authentication, download the Q3 2019 Email Fraud and Identity Deception Trends report.