U.S. Election Drives Increase in Malware and Spam

Thursday, October 20, 2016

Ionut Arghire


The activity of malware and spam groups has intensified ahead of the United States presidential election, Symantec warns.

Over the past month, the security company has blocked over 8 million spam emails related to the election, and has also observed a steady increase in the email volume as the November 8 polling day draws near. While most of the spam was represented by unwanted and unsolicited emails, some of the messages carried malicious attachments to install malware onto the victim’s computer.

Two of the spam emails analyzed by Symantec reference Republican nominee Donald Trump, using the subject lines “Donald Trump’s Secret Letter” and “Donald Trump Reavealed” (sic). Both carry malicious .zip attachments. Another spam email purports to show Democratic nominee Hillary Clinton with an ISIS leader, but carries a malicious Java file designed to infect computers with a remote access Trojan.

“The number of malware-bearing emails has spiked periodically over the past four weeks. However, the overall trend is moving upwards, indicating that attack groups are increasingly leveraging the election as we move closer to the polling date,” Symantec notes.

Malicious JavaScript files (JS.Downloader) are the most commonly used type of attachment, and the researchers explain that these files are normally used to spread ransomware and financial Trojans. According to Symantec, the Dridex financial Trojan accounted for 15% of the blocked malicious emails, while generic Trojans accounted for another 15%.

“Given the already-growing volume of malicious emails attempting to capitalize on the US presidential election, it’s reasonable to assume that attackers will up their efforts over the next three weeks as the election campaign goes into overdrive. Exercise caution with any emails you receive, particularly if they come from an unfamiliar source or contain sensationalist subject lines,” Symantec says.
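The warning signs the article lists (archive, JavaScript and Java attachments, sensationalist subject lines, unfamiliar senders) are the kind of thing a mail gateway can score automatically before a user ever sees the message. The following is an added example, not Symantec's code or data: it parses a handful of constructed gateway log lines modelled on the subjects quoted above and assigns a simple triage score. The log format, the risky-extension list, the subject keywords and the sender allowlist are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"strings"
)

// MailEvent is a minimal view of one inbound message, as a mail gateway
// might log it. Field names are an assumption for this example.
type MailEvent struct {
	From       string
	Subject    string
	Attachment string
}

// Triage records why a message was flagged, if at all.
type Triage struct {
	Score   int
	Reasons []string
}

// Attachment types the article names as carriers: archives, JavaScript
// downloaders and Java files. The list is an assumption, not Symantec's.
var riskyExt = map[string]bool{".zip": true, ".js": true, ".jse": true, ".jar": true, ".wsf": true}

// Sensationalist subject cues, constructed from the subjects quoted in the article.
var sensational = regexp.MustCompile(`(?i)\b(secret|revealed|reavealed|exposed|leaked|shocking|isis)\b`)

// Sender domains the organisation already corresponds with (assumed allowlist).
var knownDomains = map[string]bool{"example.org": true, "partner.example": true}

func senderDomain(addr string) string {
	if i := strings.LastIndex(addr, "@"); i >= 0 {
		return strings.ToLower(strings.TrimRight(addr[i+1:], ">"))
	}
	return ""
}

// TriageMail scores one message; a score of 2 or more is worth quarantining.
func TriageMail(m MailEvent) Triage {
	var t Triage
	if ext := strings.ToLower(path.Ext(m.Attachment)); riskyExt[ext] {
		t.Score += 2
		t.Reasons = append(t.Reasons, "risky attachment type "+ext)
	}
	if sensational.MatchString(m.Subject) {
		t.Score++
		t.Reasons = append(t.Reasons, "sensationalist subject")
	}
	if d := senderDomain(m.From); d == "" || !knownDomains[d] {
		t.Score++
		t.Reasons = append(t.Reasons, "unfamiliar sender "+d)
	}
	return t
}

// Assumed log line format: from=<addr> subject="..." attachment=<name>
var lineRe = regexp.MustCompile(`from=(\S+)\s+subject="([^"]*)"\s+attachment=(\S*)`)

// ParseLine extracts a MailEvent from one log line; ok is false on a malformed line.
func ParseLine(line string) (ev MailEvent, ok bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return MailEvent{}, false
	}
	return MailEvent{From: m[1], Subject: m[2], Attachment: m[3]}, true
}

// Constructed sample log lines modelled on the campaigns the article cites.
var sampleLog = []string{
	`from=news@trump-updates.example.net subject="Donald Trump's Secret Letter" attachment=letter.zip`,
	`from=tips@unknown.example subject="Donald Trump Reavealed" attachment=Trump.zip`,
	`from=video@leaks.example subject="Hillary Clinton with ISIS leader" attachment=clinton.jar`,
	`from=alice@example.org subject="Minutes from Tuesday" attachment=minutes.pdf`,
}

// CountFlagged returns how many lines score at or above threshold.
func CountFlagged(lines []string, threshold int) int {
	n := 0
	for _, l := range lines {
		if ev, ok := ParseLine(l); ok && TriageMail(ev).Score >= threshold {
			n++
		}
	}
	return n
}

func main() {
	for _, l := range sampleLog {
		if ev, ok := ParseLine(l); ok {
			t := TriageMail(ev)
			fmt.Printf("score=%d from=%s reasons=%v\n", t.Score, ev.From, t.Reasons)
		}
	}
}
```

Run as-is, the three election-themed lines score 4 each (risky attachment, sensational subject, unknown sender) and the routine internal message scores 0. The point of weighting the attachment type highest is that it is the one signal the attacker cannot dress up: the subject line can be made to look routine, but a .zip or .js downloader still has to arrive as a .zip or .js.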

As it turns out, email isn’t the only election-related attack surface that threat actors might attempt to abuse. Symantec also showed that the voting system itself is vulnerable to several types of attack that could alter election results and shatter the US public’s trust in the electoral process.

First and foremost, the security company says, electronic voting machines are susceptible to hacking because of the chip cards voters are handed when they enter polling stations. Because these cards work like chip-based credit cards (they have RAM, a CPU and an operating system), they can be exploited just like any other computing device.

According to Symantec, a simple $15 Raspberry Pi-like device, coupled with some knowledge of how to program a chip card, could allow an attacker to secretly reactivate their voter card inside the privacy of a voting booth. One person could thus cast multiple votes, with nothing more than a card reader that fits in the palm of the hand.

Another issue, the researchers say, is that the voting machines’ internal hard drive isn’t encrypted and that an outdated operating system is used to display ballots and record votes. Because neither the hard drives nor the external cartridges are encrypted, a hacker could reprogram them and alter ballots.

“Potential hackers would also be unhindered by the voting machine’s lack of internet connectivity. Some types of malware, such as Stuxnet, can take advantage of air-gapped networks and vector through physical access to a machine. The lack of full-disk encryption on the DRE machine makes it easily exploitable, requiring only a simple device to reprogram the compact hard drive,” Symantec explains.

What’s more, the security company says, the behind-the-scenes data tabulation presents an even greater opportunity for an attacker. Votes are typically collected on simple storage cartridges (which function like USB drives) and physically transported to a central database for tabulation. An attacker could alter the information on the cartridges, or load malware onto them that alters the voter database once they reach the tabulation computers, which are presumed to be outdated as well.

Another way attackers could compromise the election, Symantec says, is through misinformation spread via social networks, broadcast media, or YouTube channels. “If voters were to follow the poll leader, they might not choose to go through the trouble of voting in an election if it looked like they were in for a landslide victory,” the security researchers say.

In the end, Symantec notes, it’s up to state governments, federal organizations, and voting machine manufacturers to improve the security of election equipment and adopt stronger measures that ensure the integrity of the voting process. The vulnerabilities found can be resolved with existing security technology: chip cards should use asymmetric encryption, storage cartridges should be “write once, read many,” and voting machines’ hard drives should be properly secured with SSL certificates and public and private key encryption.
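Two of the recommendations above, write-once cartridges and public/private key cryptography, fit together naturally: if each tally record a voting machine writes is signed with a key that never leaves the machine and chained to the record before it, the tabulation side can refuse any cartridge that was edited, reordered or extended in transit, which is exactly the tabulation-stage tampering described earlier. The following is an added example, not code from Symantec or any voting-machine vendor. It uses Ed25519 signatures (asymmetric cryptography applied to integrity, since the stated goal is to detect altered tallies rather than to hide them); the record layout, field names and vote figures are assumptions constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// TallyRecord is one precinct tally as a voting machine would write it to a
// removable cartridge. The layout is an assumption for this example.
type TallyRecord struct {
	Seq       uint32
	Precinct  string
	Candidate string
	Votes     uint32
	PrevHash  [32]byte // hash of the previous record: makes the log append-only
	Sig       []byte   // Ed25519 signature over the fields above
}

// Cartridge models a write-once, read-many store: records can only be appended.
type Cartridge struct {
	Records []TallyRecord
}

// encode serialises the signed fields deterministically (length-separated,
// so "ab"+"c" and "a"+"bc" cannot collide).
func (r *TallyRecord) encode() []byte {
	b := make([]byte, 4)
	binary.BigEndian.PutUint32(b, r.Seq)
	b = append(b, []byte(r.Precinct)...)
	b = append(b, 0)
	b = append(b, []byte(r.Candidate)...)
	b = append(b, 0)
	v := make([]byte, 4)
	binary.BigEndian.PutUint32(v, r.Votes)
	b = append(b, v...)
	return append(b, r.PrevHash[:]...)
}

// hash covers the signature too, so the next record commits to this one exactly.
func (r *TallyRecord) hash() [32]byte { return sha256.Sum256(append(r.encode(), r.Sig...)) }

// Append signs and stores a new record. Seq and PrevHash are assigned here, so
// a caller cannot overwrite or reorder earlier entries.
func (c *Cartridge) Append(priv ed25519.PrivateKey, precinct, candidate string, votes uint32) {
	r := TallyRecord{Seq: uint32(len(c.Records)), Precinct: precinct, Candidate: candidate, Votes: votes}
	if n := len(c.Records); n > 0 {
		r.PrevHash = c.Records[n-1].hash()
	}
	r.Sig = ed25519.Sign(priv, r.encode())
	c.Records = append(c.Records, r)
}

// Verify is what the tabulation computer runs before trusting a cartridge:
// every record must chain to its predecessor and carry a valid signature from
// the machine's public key. It reports the first offending record.
func (c *Cartridge) Verify(pub ed25519.PublicKey) error {
	var prev [32]byte
	for i := range c.Records {
		r := &c.Records[i]
		if r.Seq != uint32(i) || r.PrevHash != prev {
			return fmt.Errorf("record %d: broken chain", i)
		}
		if !ed25519.Verify(pub, r.encode(), r.Sig) {
			return fmt.Errorf("record %d: bad signature", i)
		}
		prev = r.hash()
	}
	return nil
}

// Totals sums votes per candidate, refusing any cartridge that fails Verify.
func (c *Cartridge) Totals(pub ed25519.PublicKey) (map[string]uint32, error) {
	if err := c.Verify(pub); err != nil {
		return nil, err
	}
	out := map[string]uint32{}
	for _, r := range c.Records {
		out[r.Candidate] += r.Votes
	}
	return out, nil
}

// Demo writes a cartridge with constructed figures, tabulates it, then edits a
// vote count in transit and shows that tabulation now refuses the cartridge.
func Demo() (totals map[string]uint32, tampered error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key stays on the machine
	var c Cartridge
	c.Append(priv, "P-01", "Candidate A", 120)
	c.Append(priv, "P-01", "Candidate B", 98)
	c.Append(priv, "P-02", "Candidate A", 33)
	totals, _ = c.Totals(pub)   // untouched cartridge tabulates cleanly
	c.Records[1].Votes = 980    // edit without the signing key
	_, tampered = c.Totals(pub) // tabulation rejects it
	return totals, tampered
}

func main() {
	totals, tampered := Demo()
	fmt.Println("clean totals:", totals)
	fmt.Println("after edit:", tampered)
}
```

The signature alone would catch an edited vote count; the hash chain is what turns the cartridge into an append-only log, so a record cannot be silently dropped or inserted between two genuine ones either. In practice the public key would be provisioned to the tabulation system out of band, and the cartridge's own firmware, not the application, would enforce the write-once property.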

“The recent Arizona and Illinois database attacks prove malicious actors are seeking opportunities to access the election system. Yet, few incentives exist to modernize voting security. States can take advantage of Department of Homeland Security guidance and services to inspect voting systems for bugs and vulnerabilities, on top of the security measures voting machine manufacturers should be implementing,” Symantec concludes.

Related: FBI Warns of Attacks on State Election Systems

Related: Evidence Links Russia to Second Democratic Party Hack

Related: Second Database Exposing Voter Records Found Online
