Dark Reading is part of the Informa Tech Division of Informa PLC


Risk

10/8/2020
12:00 PM

US Election-Related Websites Vulnerable to Fraud, Abuse

New research finds the vast majority of reputable news, political, and donor-oriented sites don't use registry locks.

The vast majority of websites that link to joebiden.com and donaldjtrump.com do not use basic DNS security controls, new research shows.

In August, CSC's Digital Brand Services division identified 988 outgoing and referral domains that link to the two presidential campaign sites – and found more than 90% of them do not use registry locks, says Mark Calandra, executive vice president of CSC DBS. These types of sites include major US news outlets, political sites, and donation-driven pages.


These domains could be exposed to unauthorized changes to WHOIS information, DNS modifications, deletions, and other risks. A registry lock adds a further level of authentication and security that safeguards domains against such unauthorized changes. It protects against DNS and domain-name hijacking, which CSC says has become a preferred attack vector for cybercriminals and state-sponsored actors.

Calandra adds that without registry locks, the reputable sites could get redirected to bad sites that could potentially spread disinformation or steal credit-card information from donors. There's strong potential for nefarious activity here because more than 75% of the domains studied are registered with retail-grade registrars that don't offer advanced DNS security protections, he notes.

In addition, Calandra says organizations should more closely monitor their domain names and report any bad domains either to their ISPs or domain registrars – or even the FBI.

CSC also points out its latest research tracks closely with a study it released in June that found 83% of Forbes Global 2000 companies are at risk because their websites do not deploy registry locks.

"While security teams focus on deploying firewalls, endpoint software, and monitoring, they've lost sight of something simple like DNS security. We're not saying they should ignore these core security technologies, but they should also pay attention to DNS security," Calandra says.

So far there's no evidence these issues with DNS security have led to a major disinformation campaign or credit card fraud with presidential campaign donor sites, he adds.

Meanwhile, there are some "typo" campaign domain sites CSC studied (for example, donaldtrump.com vs. donaldjtrump.com) that could confuse users. Some 60% are still available for registration, thereby posing future threats.

More than one-third of these typo domains are linked to third parties, so CSC believes only a handful of typo domains are legitimately owned by the campaigns themselves. Of the domains being used by third parties, nearly 40% point to advertising-related pages, 20% point to destinations that have malware associated with them, and 10% promote campaign-related content and materials.

Jonathan Reiber, senior director for cybersecurity strategy and policy at AttackIQ, broke CSC's data into three categories: intent, ease, and impact.

On intent, Reiber says nation-states like Russia spread disinformation around race, immigration, and use of the Confederate flag. On the ease issue, he says CSC's recent data demonstrates how easy it has become for bad threat actors to exploit sites without registry locks, creating opportunities to transfer users from reputable news or political sites to those that spread disinformation.

When it comes to impact, Reiber says the COVID-19 period has made the country more vulnerable.

"We are stressed, unemployed, and spending more time online so the disinformation will land on fertile ground," he says.

Check IDs

Husayn Kassai, co-founder and CEO of Onfido, says effective identity management can help deter some fraudsters, for example identity solutions that require people to pass a more rigorous verification regime before they are granted a domain and can post information to a website.

"You won't stop everyone, but better identity management is something we can do to attack the problem," Kassai says, especially when it comes to posting disinformation on social media and thwarting the launch of bad websites.

Here are some domain security best practices recommended by CSC:

• Secure access to domain and DNS management systems, including two-factor authentication, IP validation, and federated ID.

• Gain control of the user's role and permissions within the company's domain and DNS management systems, with insights into elevated access controls and an authorized contact policy.

• Make use of advanced security features, including vital domain identification, DNSSEC, CAA records, registry lock, and DMARC.

• Develop end-to-end expertise that can detect, analyze, and mitigate digital brand and fraud threats, including the ability to execute takedowns worldwide.

• Work with an enterprise-class domain name registrar.
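One way to audit a domain against the "advanced security features" item of that checklist (registry lock, DNSSEC, CAA, DMARC), as an added example that is not CSC's or Dark Reading's code: it scores already-fetched RDAP status values and DNS records, so it runs offline; the rdap.org lookup helper and the sample records are assumptions.

```python
"""Audit a domain for the controls CSC recommends: registry lock, DNSSEC,
CAA and DMARC. Added example, not CSC's or Dark Reading's code."""
import json
import urllib.request

# RDAP spellings (RFC 8056) of the EPP status codes only the registry can set;
# all three present means a registry lock. "client ..." codes are a registrar
# lock, which whoever holds the registrar account can clear, so they don't count.
REGISTRY_LOCK = {
    "server delete prohibited",
    "server transfer prohibited",
    "server update prohibited",
}


def assess(rdap_status, ds_records, caa_records, dmarc_txt):
    """Map already-fetched data to {control: present?}.
    rdap_status: RDAP "status" strings; ds_records: DS records at the parent
    (DNSSEC chain of trust); caa_records: CAA records at the apex, e.g.
    '0 issue "letsencrypt.org"'; dmarc_txt: TXT strings at _dmarc.<domain>."""
    status = {s.strip().lower() for s in rdap_status}
    caa_tags = {r.split()[1] for r in caa_records if len(r.split()) >= 3}
    return {
        "registry_lock": REGISTRY_LOCK <= status,
        "dnssec": bool(ds_records),
        "caa": bool(caa_tags & {"issue", "issuewild"}),
        "dmarc": any(t.strip().lower().startswith("v=dmarc1") for t in dmarc_txt),
    }


def missing_controls(report):
    """Recommended controls the domain lacks, in a fixed order."""
    return [c for c in ("registry_lock", "dnssec", "caa", "dmarc") if not report[c]]


def fetch_rdap_status(domain, timeout=10):
    """Live RDAP lookup via the rdap.org redirector (assumed; needs network)."""
    with urllib.request.urlopen(f"https://rdap.org/domain/{domain}", timeout=timeout) as r:
        return json.load(r).get("status", [])


# Constructed sample: registrar lock only, DMARC present, no DNSSEC or CAA,
# the posture the article reports for most surveyed sites.
SAMPLE_STATUS = ["client transfer prohibited", "client update prohibited"]
SAMPLE_DMARC = ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]

if __name__ == "__main__":
    report = assess(SAMPLE_STATUS, [], [], SAMPLE_DMARC)
    print(report, "missing:", missing_controls(report))
```

A registrar lock shows up as "client ..." status codes and is deliberately not counted as a registry lock, since the point of the article is that registrar-account compromise can undo it.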

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.