Real and present danger: Spoofed political emails

Election Day is around the corner, but before we get there the road ahead is paved with frantic pleas for money. Some of them will be coming from cybercriminals in disguise.

The attacks are already being carried out, and as you read this, future ones are already being devised by phishers, identity thieves and hackers (some state-sponsored, others motivated by an easy payday). Unless you’re an avowed non-voter or avidly apathetic, you’ve been receiving a steady stream of email from political campaigns, candidates, constituents, political action committees, advocacy groups, and everything in between, communicating every stripe of election year request.

This is nothing new. Email campaigns have become an increasingly reliable way to raise money and rally the base. What’s new — or at least should be new in our daily routines — is the way we deal with these emails, specifically the unsubscribe link nestled in the small type at the bottom of political communications (the same goes for any email marketing).

Our email addresses can be easily targeted using our specific preferences — political or otherwise — and, yes, email messages can be totally fake, spoofed to look like they’re coming from a familiar source.

The unsubscribe link in the footer to that annoying email you just received could very well be a trap set by cybercriminals — the email spoofed as camouflage. With a steady barrage of emails, social engineers cast lures your way betting, for instance, that your average MAGA supporter will unsubscribe from spoofed emails pitching progressive candidates (and causes) and progressives will unsubscribe from a MAGA blast.

In reality, this simple ploy targets anyone trying to restore order to their inbox. The problem: Hit unsubscribe and you download malware.

CAN-SPAM

Unsubscribe links have been a legally mandated part of marketing emails in the United States since passage of the 2003 Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM.

The law requires commercial emails to include a return address and provide a way to opt out from emails. Violators are subject to fines in excess of $40,000 per email.

While this law sounds like a good idea — unwanted emails are irritating regardless your political affiliation or party — it unintentionally made possible the illusion of a “safe” link to click.

The problem is two-fold. First, if your email came from a disreputable source, clicking the unsubscribe link tells the sender that your address is valid and active. As such, it can be bundled into a list of “good” email addresses and sold to other marketers. Second, “opens” and other interactions with an email represent valuable stats on the sender side of things and are carefully measured. Here’s the treacherous part: If the email is attached to a work account, a single click can offer a wormhole into a company’s network and make it eminently hackable.

In keeping with ad-speak everywhere: But there’s more!

Clicking on a fake unsubscribe link could also enable a “drive-by download” where the link actually downloads malware to your computer. A recent data breach report from Verizon found that email was the delivery method for malware in 94 percent of recorded cases.

Political emails

If the CAN-SPAM Act provided an opportunity for hackers to deliver malware, election seasons provide the perfect cover. Email is a crucial tool for political campaigns. It allows candidates to both communicate directly with their base and solicit donations.

The market for email lists is robust in an election year. In February 2019, Excelsior Strategies paid the Trump campaign $548,107 for “list rental revenue.” During the 2020 primaries, Presidential candidate Joe Biden’s American Possibilities PAC paid $34,329 to two companies for “list acquisition” and Senator Amy Klobuchar spent over $625,000 for “list acquisition” from a consulting firm.

As lucrative email lists for donors are constantly re-compiled and re-packaged and the contacts on those lists repeatedly solicited, an increasing number of people have access to them, which may provide hackers with two bites at the apple. First, they’ve got a shot at stealing an email list and, second, they have plenty of information about us to trigger a click reaction.

While an unsolicited email from a business may seem suspicious, an unsolicited political email might look perfectly normal, or at least benign, making an unsubscribe click seem like the next right action — especially if it’s needed to make someone we don’t like or agree with go away.

The potential threat posed by malware-laden emails isn’t just theoretical. By studying election cycles in the United States and Germany, researchers from security firm Proofpoint found that cybercriminals pay close attention to political polls and tailor the messaging of their emails accordingly. More popular or visible candidates are more likely to be connected to fake and/or infected emails.

What can be done?

Instead of clicking on unsubscribe links in unwanted political emails, or even opening them, consider blocking the sender’s email, or marking the message as spam.

Bear in mind that even if you receive an email from a candidate you’ve supported in the past, there’s a potential risk of compromise, and both the information you seek about a campaign and the ability to donate time or money are more safely done on “official” websites that you get to via a search engine.

Adam K. Levin is chairman and founder of CyberScout (formerly IDT911) and co-founder of Credit.com. He is a former director of the New Jersey Division of Consumer Affairs and is the author of Swiped: How to Protect Yourself In a World Full of Scammers, Phishers, and Identity Thieves.