The US presidential elections are just around the corner, and unsurprisingly, there’s a lot of buzz about cybersecurity.
The elections and their accompanying security issues are very instructive. If you have responsibility for a site or web application, it’s worth discussing the tactics that hackers are using now—because some, or all, of them will soon be applied to your organization as well. (In fact, you have probably experienced some of them already.)
First, some context. The last presidential election cycle was marked by numerous security issues. In 2016, Russian hackers infiltrated the servers of the DNC (Democratic National Committee) and stole thousands of emails related to the DNC and the Clinton administration, which were subsequently leaked. This was one of the most notorious security incidents in US politics, but it wasn’t the only one in that election cycle. For example, in the Cambridge Analytica scandal, 50 million profiles of US voters were harvested and used to build a powerful software program to predict and influence choices at the ballot box.
This is not only an American problem; cybersecurity issues around elections have become a worldwide issue. For example, three weeks before this year’s national election in Israel, the personal data of all 6.5 million voters were exposed. (And this wasn’t even a targeted attack.)
Why are these incidents relevant to your organization? Because all of the attacks being used now for political purposes will be used against you too for other purposes. Let’s discuss some of them.
DDoS (Distributed Denial of Service)
DDoS attacks are a favorite tactic of cybercriminals. A successful DDoS attack can take the targeted site offline for as long as the attacker wants. These are being used more frequently in politics; for example, in 2019, the UK’s Labour Party website was hit by several DDoS attacks.
No doubt you already know that DDoS attacks are frequently waged against businesses and other non-political organizations too. In the past, many DDoS assaults didn’t have an obvious motive (at least, none that the victim could discern). Today, more and more DDoS events are extortion attacks. The attackers launch the DDoS, and then contact the victim with a straightforward threat: “Pay us a ransom, or we will keep your site offline until you do”.
DDoS is one of the most frequent cyberattacks today. If you haven’t experienced one lately, chances are you will soon.
Account Takeovers
Account takeover (ATO) attacks have occurred very frequently in some industries (especially financial and a few others). Now they’re being applied to politics too; a new advisory from the FBI and CISA warns that cybercriminals are threatening US election systems using a privilege-escalation attack followed by an account takeover.
Politics is only one area where ATO attempts are spreading; in fact, they’re becoming very common across many verticals. Thus, your organization needs robust defenses against them. The most common technique is credential stuffing, where hackers steal credentials from one site and then “stuff” them into login forms on many other websites. (These attacks are often successful, because many people still use the same credentials on multiple sites and applications.) Another common tactic is to discover credentials by sending out bots to wage brute-force attacks; the bots attempt to gain access to a web application by trying every possible combination of letters, numbers, and symbols, to see which combinations work.
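The two ATO patterns above leave different fingerprints in a login log, and telling them apart is the first step toward responding (blocking the source, forcing a password reset on accounts it got into). The detector below is an added example, not code from the original post; the log format, the sample lines and the thresholds are constructed for illustration.

```python
# Added example (not the post's own code): scan constructed auth-log lines and
# separate the two patterns the text describes. Credential stuffing looks like
# one source trying many DIFFERENT usernames; brute force looks like one
# source hammering ONE username. Thresholds below are assumptions.
from collections import defaultdict

# Constructed sample lines, format: "<source_ip> <username> <FAIL|SUCCESS>"
SAMPLE_LOG = """\
203.0.113.10 alice FAIL
203.0.113.10 bob FAIL
203.0.113.10 carol FAIL
203.0.113.10 dave FAIL
203.0.113.10 frank SUCCESS
198.51.100.7 admin FAIL
198.51.100.7 admin FAIL
198.51.100.7 admin FAIL
198.51.100.7 admin FAIL
198.51.100.7 admin FAIL
192.0.2.25 alice FAIL
192.0.2.25 alice SUCCESS
"""

def parse(log_text):
    """Return (ip, user, succeeded) tuples from the constructed log format."""
    rows = []
    for line in log_text.splitlines():
        ip, user, outcome = line.split()
        rows.append((ip, user, outcome == "SUCCESS"))
    return rows

def classify_sources(rows, min_attempts=5, distinct_ratio=0.8):
    """Label each source IP 'stuffing', 'brute_force' or 'normal'."""
    users_by_ip = defaultdict(list)
    for ip, user, _ok in rows:
        users_by_ip[ip].append(user)
    labels = {}
    for ip, users in users_by_ip.items():
        n, distinct = len(users), len(set(users))
        if n < min_attempts:
            labels[ip] = "normal"            # too little volume to judge
        elif distinct / n >= distinct_ratio:
            labels[ip] = "stuffing"          # many accounts, one try each
        elif distinct == 1:
            labels[ip] = "brute_force"       # one account, many tries
        else:
            labels[ip] = "normal"
    return labels

def likely_takeovers(rows, labels):
    """Accounts a flagged source logged into: candidates for a forced reset."""
    return sorted({u for ip, u, ok in rows if ok and labels.get(ip) != "normal"})
```

In a real deployment the same grouping would be done per time window and keyed on more than the source IP, since stuffing tools rotate through proxies.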
Spam Email and Phishing
The US government just accused Iran of trying to sway the US election by sending threatening emails to voters in four key states.
Your organization is vulnerable to spam too, especially in the form of mass phishing campaigns. As the name suggests, phishing doesn’t target specific victims; instead, the attacker throws a lot of emails out there, hoping that someone will fall for one. If someone in your organization clicks on a phishing link from a work computer, this can allow malware to be installed on your network. This can lead to a system breach, or even a ransomware attack, which can be ruinous for a business.
There are about three billion phishing emails being sent each day. If you don’t have regular training for your employees about email hygiene, your organization probably has a higher danger of being compromised than you would otherwise think.
Spam Content
Sites that accept user-submitted content (forum posts, reviews, etc.) are being hit by politically motivated hackers, who are mass-submitting content to try to sway readers’ opinions. Non-political hackers often use spam too, usually to leave backlinks to a shady site in order to build its rankings in the search engines.
Advertising Abuse / Click Fraud
Political hackers run programs to trawl the Internet and “click” on ads being run by opposition candidates. The goal is to consume the other side’s ad budget (and as a bonus, to contaminate their analytics).
If your web application hosts third-party advertising, you need to defend against this. (This is true even if you don’t host political ads, because this problem occurs across industries.) Ad networks keep track of fraudulent clicks, and if you don’t properly exclude hackers’ click-fraud bots from your application, you will eventually be blacklisted. If ad revenue is a large part of your business model, this would obviously be a severe problem.
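Excluding click-fraud bots starts with spotting them in your own click logs before the ad network does. The script below is an added example, not code from the original post; it flags two machine-like signals in a constructed click log (a source that clicks many different ads within seconds, and a source whose clicks arrive at a near-constant cadence), and the log format, window and thresholds are assumptions.

```python
# Added example (not the post's own code): flag click-fraud bots in a
# constructed ad-click log. Two signals are used: a source that clicks many
# DIFFERENT ads within a short window, and a source whose clicks arrive at a
# near-constant, machine-like cadence. Window and thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample, format: "<unix_seconds> <source_ip> <ad_id>"
CLICK_LOG = """\
1000 203.0.113.50 ad-1
1002 203.0.113.50 ad-2
1004 203.0.113.50 ad-3
1006 203.0.113.50 ad-4
1008 203.0.113.50 ad-5
1000 198.51.100.9 ad-1
1030 198.51.100.9 ad-1
1060 198.51.100.9 ad-1
1090 198.51.100.9 ad-1
1000 192.0.2.80 ad-2
1007 192.0.2.80 ad-2
1023 192.0.2.80 ad-2
1040 192.0.2.80 ad-2
"""

def parse_clicks(log_text):
    """Group (timestamp, ad_id) click events by source IP."""
    clicks = defaultdict(list)
    for line in log_text.splitlines():
        ts, ip, ad = line.split()
        clicks[ip].append((int(ts), ad))
    return clicks

def suspicious_sources(clicks, window=60, max_ads=4, min_clicks=4, cv_limit=0.1):
    """Return {ip: reason} for sources that look automated; others are omitted."""
    flagged = {}
    for ip, events in clicks.items():
        events = sorted(events)
        if len(events) < min_clicks:
            continue                      # not enough volume to judge
        span = events[-1][0] - events[0][0]
        distinct_ads = len({ad for _, ad in events})
        if span <= window and distinct_ads >= max_ads:
            flagged[ip] = "many_ads_in_window"
            continue
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        # Coefficient of variation near 0 means evenly spaced, scripted clicks.
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= cv_limit:
            flagged[ip] = "regular_cadence"
    return flagged
```

The flagged sources are the ones to exclude from the traffic you report to the ad network, and the third source (irregular gaps, one ad) shows what ordinary human clicking looks like to the same rules.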
What’s the Common Denominator?
All of the attacks described above have one thing in common: they all rely on bots.
A bot is an automated program that operates on the Internet, performing activities at a scale no human could match. This is how hackers can send millions of spam emails and millions of HTTP requests in a DDoS. It’s how they can drop spam content on thousands of websites, while also stuffing thousands of credentials into a login form. It’s how they find systems that they can compromise: vulnerability-scanning bots search across the Internet automatically until they find a server with an unpatched vulnerability. Soon afterwards, the hacker visits and breaches the system.
Your organization probably doesn’t have a direct connection to election-related security issues. Nevertheless, as discussed above, the same tactics being used for political purposes can (and will) be used against you soon. Therefore, you need robust protection against modern bots. (The latest generation of bots is especially difficult for older security solutions to detect.)
We recently published a white paper (The State of Bot Protection) on how to protect your sites and web applications from bots: it describes in detail the current threat environment, discusses the types of hostile bots which are the most prevalent for various verticals, and explains how to protect your network against them. For more general information on web security, you can browse our knowledge base or visit our website.