DNC Becomes Latest Target in Series of Election-Season Attacks (Threatpost)

An unnamed Democratic source told CNN that the DNC was alerted on Tuesday to the presence of a spoofed log-in page designed to mimic Votebuilder – a platform used by Democratic Party officials and campaigns across the country to manage the Democratic registered voter database. The alarm was raised by security researchers at Lookout and a cloud provider, the source said, adding that the page was a very close facsimile of the service’s legitimate access page. Clearly, the site was designed to trick users into filling in their authentication details, which would arm the attackers with an open door into the database. Bad actors would likely have lured users to the spoofed site using targeted spear-phishing emails.

This is the latest in a series of influence and hacking attempts making use of false accounts or pages.


Earlier in the week, Microsoft said that, using legal authority, its Digital Crimes Unit (DCU) took down six websites allegedly built by the notorious Fancy Bear gang (a.k.a. Sofacy, Strontium or APT 28), a Russian intelligence-backed group that has been widely linked to the election meddling spotted ahead of the 2016 presidential election.

“Attackers want their attacks to look as realistic as possible and they therefore create websites and URLs that look like sites their targeted victims would expect to receive email from or visit,” said Microsoft president Brad Smith, in a blog post earlier this week. He added that the disruption is not a one-off event: Microsoft has shut down 84 fake websites in 12 court-approved actions over the past two years.

“First, to collect intelligence on targeted groups,” he said, via email. “Second, to spread misinformation in order to control and manipulate the liberal vs. conservative narrative. Third, to create division among the targeted groups that can be exploited for political gain. And fourth, to collect personal information about political candidates and their constituents, which can be used later to spread malicious information.”

Facebook Disrupts Influence Campaign

Facebook meanwhile said yesterday that it made a 652-page dent in a sizable alleged Iran-backed influence campaign that stretches back to 2017, with some pages in operation since 2013. Following up on a tip from FireEye, the social network continued its efforts to clean house on fake users, and removed a passel of pages, groups and accounts for “inauthentic behavior.” The accounts were active on both Facebook and Instagram, where the bad actors were using false social media personas to promote a mix of original content, memes, and news articles appropriated, and sometimes altered, from other sources.

“This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests,” FireEye researchers noted in an analysis yesterday. “These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific U.S. policies favorable to Iran, such as the U.S.-Iran nuclear deal (JCPOA).”

The perpetrators were seen creating “networks of accounts to mislead others about who they were and what they were doing,” according to Nathaniel Gleicher, head of cybersecurity policy at the social network. He said in a posting Tuesday that Facebook started with a fake group calling itself the “Liberty Front Press,” and from that one string unraveled a veritable sweater of influence campaigns, all going back to the Iranian government.

“We are able to link this network to Iranian state media through publicly available website registration information, as well as the use of related IP addresses and Facebook Pages sharing the same admins,” he noted. “For example, one part of the network, Quest 4 Truth, claims to be an independent Iranian media organization, but is in fact linked to Press TV, an English-language news network affiliated with Iranian state media….Accounts and pages linked to Liberty Front Press typically posed as news and civil society organizations sharing information in multiple countries without revealing their true identity.”

“Even when unsuccessful, these attacks—by Russian, Chinese, Iranian and North Korean intelligence services and their formal or informal networks of hackers—impose a cost on those targeted,” he said in a column yesterday. “They are a drain on staff and administrative resources and can have a chilling effect on your work, even when Microsoft has your back, as in our case.”

“It’s an ongoing challenge because the people responsible are determined and well-funded,” he said. “We constantly have to improve to stay ahead. That means building better technology, hiring more people and working more closely with law enforcement, security experts and other companies. Their collaboration was critical to our investigation since no one company can fight this on their own.”