
Risk

10/8/2020
12:00 PM

US Election-Related Websites Vulnerable to Fraud, Abuse

New research finds the vast majority of reputable news, political, and donor-oriented sites don't use registry locks.

The vast majority of websites that link to joebiden.com and donaldjtrump.com do not use basic DNS security controls, new research shows.

In August CSC's Digital Brand Services division identified 988 outgoing and referral domains that link to the two presidential campaign sites – and found more than 90% of them do not use registry locks, says Mark Calandra, executive vice president of CSC DBS. These types of sites include major US news outlets, political sites, and donation-driven pages.


These domains could be exposed to unauthorized changes to WHOIS information, DNS modifications, deletions, and other risks. A registry lock delivers an additional level of authentication and security to safeguard domains against such unauthorized changes. It protects against DNS and domain-name hijacking, which CSC says has become a preferred attack vector for cybercriminals and state-sponsored actors.

Calandra adds that without registry locks, the reputable sites could get redirected to bad sites that could potentially spread disinformation or steal credit-card information from donors. There's strong potential for nefarious activity here because more than 75% of the domains studied are registered with retail-grade registrars that don't offer advanced DNS security protections, he notes.

In addition, Calandra says organizations should more closely monitor their domain names and report any bad domains either to their ISPs or domain registrars – or even the FBI.

CSC also points out its latest research tracks closely with a study it released in June that found 83% of Forbes Global 2000 companies are at risk because their websites do not deploy registry locks.

"While security teams focus on deploying firewalls, endpoint software, and monitoring, they've lost sight of something simple like DNS security. We're not saying they should ignore these core security technologies, but they should also pay attention to DNS security," Calandra says.

So far there's no evidence these issues with DNS security have led to a major disinformation campaign or credit card fraud with presidential campaign donor sites, he adds.

Meanwhile, there are some "typo" campaign domain sites CSC studied (for example, donaldtrump.com vs. donaldjtrump.com) that could confuse users. Some 60% are still available for registration, thereby posing future threats.

More than one-third of these typo domains are linked to third parties, so CSC believes only a handful of typo domains are legitimately owned by the campaigns themselves. Of the domains being used by third parties, nearly 40% point to advertising-related pages, 20% point to destinations that have malware associated with them, and 10% promote campaign-related content and materials.
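The "typo" domains described above are the kind of thing a brand-protection or security team wants to spot in its own referral and DNS logs. The following is an added example, not code from the article or from CSC: it flags domains in a referrer list that are near-miss variants of a known campaign domain by computing edit distance on the registrable label. The two known domains are the ones the article names; the referrer list is constructed for the example, and the distance threshold of 2 is an assumption to tune for your own data.

```python
# Added example (not from the article or CSC): detect lookalike / typo variants
# of known domains in a list of referring domains. Defender-side detection only.
from typing import List, Optional, Tuple

# The two campaign domains named in the article.
KNOWN_DOMAINS = ["joebiden.com", "donaldjtrump.com"]


def registrable_label(domain: str) -> str:
    """Return the label left of the TLD, e.g. 'donaldjtrump' for
    'www.donaldjtrump.com'. Assumes a single-label TLD (.com, .org, ...);
    use a public-suffix list for multi-label suffixes such as .co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(domain: str, known: List[str] = KNOWN_DOMAINS,
             max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('exact', k) for k itself or a subdomain of k,
    ('lookalike', k) when the registrable label is within max_distance edits
    of k's label (this also catches the same label under another TLD),
    or ('unrelated', None)."""
    d = domain.lower().rstrip(".")
    for k in known:
        if d == k or d.endswith("." + k):
            return ("exact", k)
    label = registrable_label(d)
    best = None
    for k in known:
        dist = edit_distance(label, registrable_label(k))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, k)
    return ("lookalike", best[1]) if best else ("unrelated", None)


def audit_referrers(referrers: List[str]) -> List[Tuple[str, str, Optional[str]]]:
    """Classify every referring domain; returns (domain, verdict, matched_known)."""
    return [(r,) + classify(r) for r in referrers]


# Constructed referrer list for the example (not real log data).
SAMPLE_REFERRERS = [
    "www.joebiden.com",      # exact (subdomain of a known domain)
    "donaldtrump.com",       # the typo variant the article mentions
    "joebidn.com",           # one deletion away
    "donaldjtrump.org",      # same label, different TLD
    "nytimes.com",           # unrelated outlet
]

if __name__ == "__main__":
    for domain, verdict, match in audit_referrers(SAMPLE_REFERRERS):
        print(f"{domain:24} {verdict:10} {match or ''}")
```

A real deployment would feed this the distinct referring hosts from web-server logs or a passive-DNS export and review everything marked `lookalike`; a registered lookalike that resolves is a candidate for the registrar or ISP abuse reports the article describes.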

Jonathan Reiber, senior director for cybersecurity strategy and policy at AttackIQ, broke CSC's data into three categories: intent, ease, and impact.

On intent, Reiber says nation-states like Russia spread disinformation around race, immigration, and use of the Confederate flag. On the ease issue, he says CSC's recent data demonstrates how easy it has become for threat actors to exploit sites without registry locks, creating opportunities to redirect users from reputable news or political sites to those that spread disinformation.

When it comes to impact, Reiber says the COVID-19 period has made the country more vulnerable.

"We are stressed, unemployed, and spending more time online so the disinformation will land on fertile ground," he says.

Check IDs
Husayn Kassai, co-founder and CEO of Onfido, says effective identity management can help deter some fraudsters, such as identity solutions where people have to go through a more rigorous security regime before they are granted a domain and can post information to the website.

"You won't stop everyone, but better identity management is something we can do to attack the problem," Kassai says, especially when it comes to posting disinformation on social media and thwarting the launch of bad websites.

Here are some domain security best practices recommended by CSC:

• Secure access to domain and DNS management systems, including two-factor authentication, IP validation, and federated ID.

• Gain control of the user's role and permissions within the company's domain and DNS management systems, with insights into elevated access controls and an authorized contact policy.

• Make use of advanced security features, including vital domain identification, DNSSEC, CAA records, registry lock, and DMARC.

• Develop end-to-end expertise that can detect, analyze, and mitigate digital brand and fraud threats, including the ability to execute takedowns worldwide.

• Work with an enterprise-class domain name registrar.
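Several of the controls above (registry lock, DNSSEC, CAA, DMARC), and the registry-lock exposure the article leads with, can be checked from data an organization already has. The following is an added example, not code from the article or from CSC: it audits one domain's posture from records the caller has already fetched (the `status` array of an RDAP domain lookup, the DS records at the parent zone, the CAA records, and the TXT strings at `_dmarc.<domain>`), so it runs offline. The EPP status names are the standard ones a registry lock sets (the `server*` prohibitions); the `client*` variants are registrar-side locks, which is why they count only as partial. The two domain records and the DS-record string are constructed for the example.

```python
# Added example (not from the article or CSC): audit a domain against the
# registry lock / DNSSEC / CAA / DMARC practices the article recommends.
# Input records are supplied by the caller; the sample domains are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard EPP statuses. A registry lock sets the three server-side
# prohibitions; client-side ones are registrar locks that a compromised
# registrar account can remove, so they are weaker.
REGISTRY_LOCK_STATUSES = {"serverDeleteProhibited",
                          "serverTransferProhibited",
                          "serverUpdateProhibited"}
REGISTRAR_LOCK_STATUSES = {"clientDeleteProhibited",
                           "clientTransferProhibited",
                           "clientUpdateProhibited"}


@dataclass
class DomainRecords:
    name: str
    rdap_status: List[str]   # "status" array from an RDAP domain lookup
    ds_records: List[str]    # DS records published at the parent (DNSSEC)
    caa_records: List[str]   # CAA records, e.g. '0 issue "letsencrypt.org"'
    dmarc_txt: List[str]     # TXT strings found at _dmarc.<name>


def parse_dmarc(txt_strings: List[str]) -> Optional[Dict[str, str]]:
    """Return tag=value pairs of the first DMARC record, or None if absent."""
    for s in txt_strings:
        if not s.strip().startswith("v=DMARC1"):
            continue
        tags = {}
        for part in s.split(";"):
            if "=" in part:
                k, v = part.split("=", 1)
                tags[k.strip()] = v.strip()
        return tags
    return None


def caa_restricts_issuance(caa_records: List[str]) -> bool:
    """True if any CAA record carries an 'issue' or 'issuewild' tag."""
    for rec in caa_records:
        fields = rec.split(None, 2)            # flags, tag, value
        if len(fields) == 3 and fields[1].lower() in ("issue", "issuewild"):
            return True
    return False


def audit(rec: DomainRecords) -> Dict[str, str]:
    """Return a finding per control: 'pass', 'partial: ...' or 'fail: ...'."""
    findings = {}
    statuses = set(rec.rdap_status)
    if REGISTRY_LOCK_STATUSES <= statuses:
        findings["registry_lock"] = "pass"
    elif REGISTRAR_LOCK_STATUSES & statuses:
        findings["registry_lock"] = "partial: registrar (client*) lock only"
    else:
        findings["registry_lock"] = "fail: no lock statuses present"

    findings["dnssec"] = "pass" if rec.ds_records else "fail: no DS record at parent"
    findings["caa"] = ("pass" if caa_restricts_issuance(rec.caa_records)
                       else "fail: no CAA issue restriction")

    dmarc = parse_dmarc(rec.dmarc_txt)
    if dmarc is None:
        findings["dmarc"] = "fail: no DMARC record"
    elif dmarc.get("p") in ("quarantine", "reject"):
        findings["dmarc"] = "pass"
    else:
        findings["dmarc"] = f"partial: p={dmarc.get('p', 'missing')}"
    return findings


# Constructed sample records (placeholder names and DS digest, not real data).
LOCKED = DomainRecords(
    name="locked-example.test",
    rdap_status=["serverDeleteProhibited", "serverTransferProhibited",
                 "serverUpdateProhibited", "clientTransferProhibited"],
    ds_records=["12345 13 2 PLACEHOLDERDIGEST0000000000000000000000000000000000000000"],
    caa_records=['0 issue "letsencrypt.org"'],
    dmarc_txt=["v=DMARC1; p=reject; rua=mailto:dmarc@locked-example.test"],
)
UNLOCKED = DomainRecords(
    name="unlocked-example.test",
    rdap_status=["clientTransferProhibited"],
    ds_records=[],
    caa_records=[],
    dmarc_txt=["v=DMARC1; p=none"],
)

if __name__ == "__main__":
    for rec in (LOCKED, UNLOCKED):
        print(rec.name)
        for control, result in audit(rec).items():
            print(f"  {control:14} {result}")
```

The RDAP `status` array is the quickest place to confirm a registry lock for a domain you own: if the three `server*Prohibited` values are missing, the lock is not in place regardless of what the registrar dashboard shows, and that is the gap CSC's figures describe.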

Steve Zurier has more than 30 years of journalism and publishing experience and has covered networking, security, and IT as a writer and editor since 1992. Steve is based in Columbia, Md.