Beware Election-Themed E-Mail Attacks, Says Hacking Specialist

(Bloomberg) -- Heading toward Election Day in the U.S., hackers may target your inbox instead of the ballot box.

It’s difficult to alter overall ballot counts in the U.S., which doesn’t have a centralized voting system, but hackers could take advantage of the Nov. 8 election to dupe people and gain access to their personal information, according to Oren Falkowitz, chief executive officer of Redwood City, California-based Area 1 Security.

Hackers regularly capitalize on world events from the G-20 summit to the Super Bowl to craft phishing campaigns that let them access computer networks, he said.

“People should expect that the theme of the election will be used as a lure -- whether it’s to influence the election or not,” Falkowitz, a former National Security Agency analyst and director of technology and data science programs at U.S. Cyber Command, said in a Thursday interview. "It’s part of the dynamic that people are going to use to gain access and to cause harm.”

With U.S. voters getting deluged with campaign and election-related e-mails -- not to mention pre-recorded phone calls and mailers -- many may have their guard down when it comes to clicking on a link or attachment that deploys malware or gets users to enter their login credentials.

Clinton Campaign

The high-profile release of hacked personal e-mails from political figures such as former Secretary of State Colin Powell and Hillary Clinton’s campaign Chairman John Podesta are part of this pattern, said Falkowitz, adding that his company saw phishing attacks linked to Hurricane Matthew in Florida.

His company sells technology to prevent phishing, in which hackers typically obtain confidential information by sending an e-mail that looks legitimate and includes a link to a website that mimics the real one, or contains an attachment with malware.

In terms of the actual vote, hackers could create confusion or meddle with turnout with false information about changes to precinct locations. They could also target political campaigns or media organizations with polling claims. Still, the “vast majority being victimized are private citizens,” he said.

“You might see as an example, something like, ‘Click here to get a free bus ride to the polling station,”’ or “‘Hey go to this precinct, or hey, don’t go to this precinct,”’ he said.

Russian Role

The threat of cyber breaches in this election cycle was heightened following the release of e-mails hacked from the Democratic National Committee on the eve of Hillary Clinton’s formal nomination as the party’s presidential candidate. On Oct. 7, U.S. intelligence officials said publicly for the first time that intelligence agencies are “confident that the Russian government directed” the hacking and subsequent disclosures “to interfere with the U.S. election process.” Russia has rejected the accusations.

Wary of the cyber threat, U.S. officials are weighing whether to designate elections as national critical infrastructure, a move that would open up federal assistance to election officers around the country, Homeland Security Secretary Jeh Johnson said earlier this year. To date, 40 U.S. states and 27 county or local election agencies have requested help from Homeland Security to ensure voting systems are secure.

DHS’s major concern isn’t necessarily a hacker changing ballots on Election Day, but an actor stirring up enough confusion in the "election infrastructure" as to undermine public confidence in the vote, according to a DHS official who asked not to be identified because the information isn’t public.

“There will be a lot of phishing around election themes,” Falkowitz said. “That is an area where these cities and states really can be doing more to let people know to be proactive.”

--With assistance from Chris Strohm To contact the reporter on this story: Nafeesa Syeed in Washington at nsyeed@bloomberg.net. To contact the editors responsible for this story: Bill Faries at wfaries@bloomberg.net, Justin Blum