The line between our personal and professional lives is blurring in an unprecedented fashion as we approach the 2020 presidential election. From Oracle and Walmart’s plans to invest in TikTok to a bug in Joe Biden’s campaign app that exposed millions of voter files, mobile technology will play a critical role in elections moving forward.
The election is only a week away, and there has been much discussion about how absentee and early voting will impact the outcome. But even before ballots started to hit the postal service, the spread of misinformation was already well underway, leaving confused Americans in its wake.
Human error is inevitable, even among the most well-educated users. And while 2020 has brought many challenges, perhaps the most critical from a social perspective is how we have woven mobile devices into our daily lives. Unfortunately, the reality of today’s threat landscape is that successful spearphishing attacks no longer rely exclusively on emails. So, what does this have to do with the election?
Attacks aimed at disrupting the election are usually subtle, using campaigns to bait victims into phishing scams. Recently, the presidential campaigns have tried to reach voters directly by sending SMS messages that ask if they’ve registered to vote or if they’re planning on supporting a candidate. Threat actors can easily mimic this strategy and include a malicious link in the message. We’ve seen a similar tactic used in an ongoing mobile phishing campaign that sends a message purporting to be about a missed package delivery, with a link to a fake claim page that carries out the mobile phishing attack.
There are now endless ways for attackers to socially engineer you to tap on a malicious link – from messaging apps and social-media platforms to dating apps. It also doesn’t help that mobile devices have smaller screens and a simplified user experience, which makes it hard to figure out what’s fake and what’s real.
This September, at least three TikTok profiles promoted multiple fraudulent mobile apps that generated nearly half a million dollars in total profit. Reportedly, these accounts socially engineered their followers into downloading malicious apps. While far less targeted than the social-engineering attacks we typically think of, the processes and goals are identical.
We have to remember that attackers are business people too. They target victims and use the methods they think will deliver the largest return. One of the big opportunities in 2020 is the U.S. presidential election, and the targets are mobile users. Tablets and smartphones have become an integral part of the way we work and play – and voting-season activity is no different. Political campaigns use them as vehicles to interact with voters. The public gets its information from mobile devices. There have even been attempts to conduct local elections and primaries with mobile apps.
The increasing usage of mobile devices has numerous upsides, such as greater engagement and higher voter turnout. But this should only be happening if mobile security is part of the greater election-security plan. The Vote Joe app was a prime example of a campaign app that had significant security flaws. A bug was discovered in the app that allowed malicious actors to see a voter’s home address, date of birth, gender, ethnicity and party affiliation.
Not only did the sign-up process for Vote Joe lack basic email verification functions, but it also gave these unverified users access to a database of registered voter information. While the intent was to increase voter engagement, it ended up inappropriately exposing people’s private information.
Mobile security and cyber-hygiene are essential to keeping political campaigns and their data secure, and not just for the 2020 elections. The good news is that awareness of the election- and campaign-security challenges is increasing, and there are resources to assist. Organizations like Defending Digital Campaigns, a nonprofit with the goal of ensuring that campaigns are secure, offer free or low-cost security solutions and training to candidates. In addition to security measures, we also need to educate the general public about how mobile devices are prime targets for malicious actors.
In today’s technology-driven world, device security is a baseline to keep every aspect of our lives safe – whether it’s our company, our personal information or the integrity of our elections. By educating people to be vigilant and making cybersecurity an integral part of our electoral process, we will be better positioned to safeguard our democracy.
Hank Schless is senior manager for security solutions at Lookout.