Most of the largest US voting districts are vulnerable to email spoofing

Only 5% of the largest voting counties in the U.S. are protected against email impersonation and phishing attacks, seen as a key attack method by hackers who officials say want to disrupt the upcoming presidential election.

The findings come less than a year before millions of Americans are set to go to the polls to vote for the next U.S. commander-in-chief, amid fears that Russia is preparing to disrupt the upcoming presidential election with tactics to manipulate voters, as the U.S. intelligence community found in 2016. U.S. officials aren’t only concerned about the spread of foreign-led disinformation — or “fake news” — to try to alter the outcome of the tally, but also threats facing election infrastructure, like hackers breaking into election websites to dissuade or disenfranchise voters from casting their ballot — or even stealing voter data.

Researchers at Valimail, which has a commercial stake in the email security space, looked at the largest three electoral districts in each U.S. state, and found only 10 out of 187 domains were protected with DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects fraudulent or spoofed emails.

DMARC, when enabled and properly enforced, rejects fake emails that hackers design to spoof a genuine email address by sending to spam or bouncing it from the target’s inbox altogether. Hackers often use spoofed emails to try to trick victims into opening malicious links from people they know.

But the research found that although DMARC is enabled on many domains, it’s not properly enforced, rendering its filtering efforts largely ineffective.

The researchers said 66% of the district election-related domains had no DMARC entry at all, while 28% had either a valid DMARC entry but no enforcement, or an invalid DMARC entry altogether.

That could be a problem for six swing states — Arizona, Florida, North Carolina, Pennsylvania, Michigan and Wisconsin — where their largest districts are not protected from impersonation attacks. These states are critical to both Democrats and Republicans, as their historically razor thin majorities have allowed either parties’ candidates to win.

The worry is that attackers could use the lack of DMARC to impersonate legitimate email addresses to send targeted phishing or malware in order to gain a foothold on election networks or launch attacks, steal data or delete it altogether, a move that would potentially disrupt the democratic process.

“It does not require a stretch to imagine attackers impersonating election officials via spoofed domains in order to spread disinformation, conduct voter misdirection or voter-suppression campaigns, or even to inject malware into government networks,” said Valimail’s Seth Blank, who authored the research.

“DMARC at enforcement is a crucial best practice for stopping the largest attack vector into any organization,” said Blank.

“It’s time to get it done,” he said.