Only a few 2020 US presidential candidates are using a basic email security feature

Just one-third of the 2020 U.S. presidential candidates are using an email security feature that could prevent an attack like the one that hobbled the Democrats during the 2016 election.

Out of the 21 presidential candidates in the race according to Reuters, seven Democrats and one Republican candidate are using and enforcing DMARC, an email security protocol that verifies the authenticity of a sender’s email and rejects spoofed emails, which hackers often use to try to trick victims into opening malicious links from seemingly known individuals.

It’s a marked increase from April, when only Elizabeth Warren’s campaign had employed the technology. Now, the Democratic campaigns of Joe Biden, Kamala Harris, Michael Bloomberg, Amy Klobuchar, Cory Booker, Tulsi Gabbard, and Republican candidate Steve Bullock have all improved their email security.

The remaining candidates, including presidential incumbent Donald Trump, are not rejecting spoofed emails. Another seven candidates are not using DMARC at all.

That, experts say, puts their campaigns at risk from foreign influence campaigns and cyberattacks.

“When a campaign doesn’t have the basics in place, they are leaving their front door unlocked,” said Armen Najarian, chief identity officer at Agari, an email security company. “Campaigns have to have both email authentication set at an enforcement policy of reject and advanced email security in place to be protected against socially-engineered covert attacks,” he said.

Green indicates a reject/quarantine policy, while yellow indicates a non-enforced policy. (Image: TechCrunch)

DMARC, which is free and fairly easy to implement, not only prevents attackers from impersonating a candidate’s campaign but also prevents the same kind of targeted phishing attacks against the candidate’s network that resulted in the breach and theft of thousands of emails from the Democrats.

In the run-up to the 2016 presidential election, Russian hackers sent an email to Hillary Clinton campaign manager John Podesta, posing as a Google security warning. The phishing email, which was published by WikiLeaks along with the rest of the email cache, tricked Podesta into clicking a link that took over his account, allowing hackers to steal tens of thousands of private emails.

A properly enforced DMARC policy would have rejected the phishing email from Podesta’s inbox altogether, though DMARC does not protect against every kind of highly sophisticated cyberattack. The breach was bruising for the Democrats, one that led to high-profile resignations and harmed public perceptions of the Clinton presidential campaign — one she ultimately lost.

“It’s perplexing that the campaigns are not aggressively jumping on this issue,” said Najarian.

Startups face the same phishing risks as big corporations

This week, we reported on TechCrunch how thousands of remote employees with health and workplace benefits through human resources giant TriNet received emails that looked like a near-perfect phishing attempt.

One recipient was so skeptical that they shared the email with TechCrunch so we could verify its authenticity. The message checked every suspicious box. In fact, when we asked two independent security researchers to offer their assessments, each one thought it was a phishing email devised to steal usernames and passwords.

The fact that there was confusion to begin with shows that even gigantic companies like TriNet — a $3.7 billion corporation — are not doing enough to prevent phishing attacks. Had they proactively employed basic email security techniques, it would have been a lot easier to detect that the email was not in fact a phish, but a genuine company email.

But this problem isn’t unique to TriNet; it’s not even unique to big companies.

Last year, security firm Agari found only 14% of all Fortune 500 companies were using and actively enforcing DMARC, a domain security feature that prevents email spoofing. New data supplied by Agari to TechCrunch shows that figure has risen only one percentage point in the last year, bringing it to a meager 15%.

Phishing and impersonation are fundamentally human problems. The aim is to try to trick unsuspecting victims into turning over their usernames, email addresses and passwords to hackers who then log in and steal data or money. In some cases, scammers use an email impersonation scam to trick employees into thinking someone senior in the company needs certain sensitive files like banking information or employee tax documents.

TriNet sent remote workers an email that some thought was a phishing attack

It was the one of the best phishing emails we’ve seen… that wasn’t.

Phishing remains one of the most popular attack choices for scammers. Phishing emails are designed to impersonate companies or executives to trick users into turning over sensitive information, typically usernames and passwords, so that scammers can log into online services and steal money or data. But detecting and preventing phishing isn’t just a user problem — it’s a corporate problem too, especially when companies don’t take basic cybersecurity precautions and best practices to hinder scammers from ever getting into a user’s inbox.

Enter TriNet, a human resources giant, which this week became the poster child for how to make a genuine email to its customers look inadvertently as suspicious as it gets.

Remote employees at companies across the U.S. who rely on TriNet for access to outsourced human resources, like their healthcare benefits and workplace policies, were sent an email this week as part of an effort to keep employees “informed and up-to-date on the labor and employment laws that affect you.”

Workers at one Los Angeles-based health startup that manages its employee benefits through TriNet all got the email at the same time. But one employee wasn’t convinced it was a real email, and forwarded it — and its source code — to TechCrunch.

TriNet is one of the largest outsourced human resources providers in the United States, primarily for small-to-medium-sized businesses that may not have the funding to hire dedicated human resources staff. And this time of year is critical for companies that rely on TriNet, since health insurance plans are entering open enrollment and tax season is only a few weeks away. With benefit changes to consider, it’s not unusual for employees to receive a rash of TriNet-related emails towards the end of the year.

But this email didn’t look right. In fact, when we looked under the hood of the email, everything about it looked suspicious.

This is the email that remote workers received. TriNet said the use of an Imgur-hosted image in the email was “mistakenly” used. (Image: TechCrunch/supplied)

We looked at the source code of the email, including its headers. These email headers are like an envelope — they say where an email came from, who it’s addressed to, how it was routed, and if there were any complications along the way, such as being marked as spam.

There were more red flags than we could count.

Chief among the issues was that the TriNet logo in the email was hosted on Imgur, a free image-hosting and meme-sharing site, and not on the company’s own website. That’s a common technique among phishing attackers, who use Imgur to host the images in their spam emails to avoid detection. Since the image was uploaded in July, that logo had been viewed more than 70,000 times by the time we reached out to TriNet, which removed the image, suggesting thousands of TriNet customers had received one of these emails. And, although the email contained a link to a TriNet website, the page that loaded had an entirely different domain with nothing on it to suggest it was a real TriNet-authorized site besides a logo, which, if it were a phishing site, could easily have been spoofed.

Fearing that somehow scammers had sent out a phishing email to potentially thousands of TriNet customers, we reached out to security researcher John Wethington, founder of security firm Condition:Black, to examine the email.

It turns out he was just as convinced as we were that the email may have been fake.

“As hackers and self-proclaimed social engineers, we often think that spotting a phishing email is ‘easy’,” said Wethington. “The truth is it’s hard.”

“When we first examined the email every alarm bell was going off. The deeper we dug into it the more confusing things became. We looked at the domain name records, the site’s source code, and even the webpage hashes,” he said.

There was nothing, he said, that gave us “100% confidence” that the site was genuine until we contacted TriNet.

TriNet spokesperson Renee Brotherton confirmed to TechCrunch that the email campaign was legitimate, and that it uses the third-party site “for our compliance ePoster service offering.” She added: “The Imgur image you reference is an image of the TriNet logo that Poster Elite mistakenly pointed to and it has since been removed.”

“The email you referenced was sent to all employees who do not go into an employer’s physical workspace to ensure their access to required notices,” said TriNet’s spokesperson.

When reached, Poster Elite also confirmed the email was legitimate.

This is not a phishing site, but it sure looks like one. (Image: TechCrunch)

How did TriNet get this so wrong? This accumulation of errors had some who received the email worried that their information might have been breached.

“When companies communicate with customers in ways that are similar to the way scammers communicate, it can weaken their customer’s ability over time to spot and shut down security threats in future communications,” said Rachel Tobac, a hacker, social engineer, and founder of SocialProof Security.

Tobac pointed to two examples of where TriNet got it wrong. First, it’s easy for hackers to send spoofed emails to TriNet’s workers because TriNet’s DMARC policy on its domain name is not enforced.

Second, the inconsistent use of domain names is confusing for the user. TriNet confirmed that it pointed the link in the email — posters.trinet.com — to eposterservice.com, which hosts the company’s compliance posters for remote workers. TriNet thought that forwarding the domain would suffice, but instead we thought someone had hijacked TriNet’s domain name settings — a type of attack that’s on the increase, though primarily carried out by state actors. TriNet is a huge target — it stores workers’ benefits, pay details, tax information and more. We had assumed the worst.
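The enforcement distinction the first article’s chart draws (green for reject/quarantine, yellow for a published but non-enforced policy) and Tobac’s first point about TriNet’s non-enforced record both come down to the tags in a domain’s `_dmarc` TXT record. The checker below is an added example, not code from TechCrunch, Agari or TriNet; the sample records and the `*.example` domains are constructed, and the "red" rating for a missing record is my own addition to the article’s two-colour scheme.

```python
"""Rate a domain's DMARC posture from its _dmarc TXT record (RFC 7489 tag=value syntax).

Added example. The records below are constructed, not real DNS lookups.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcStatus:
    domain: str
    present: bool
    policy: Optional[str]            # p= tag: none, quarantine or reject
    subdomain_policy: Optional[str]  # sp= tag; defaults to p=
    pct: int                         # pct= tag; defaults to 100
    enforced: bool                   # receivers will actually reject/quarantine spoofs
    rating: str                      # green / yellow as in the article's chart, red = absent
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(domain: str, record: Optional[str]) -> DmarcStatus:
    """Green only when p=reject or p=quarantine applies to 100% of failing mail."""
    if record is None:
        return DmarcStatus(domain, False, None, None, 0, False, "red",
                           ["no _dmarc TXT record: spoofed mail is not checked at all"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcStatus(domain, False, None, None, 0, False, "red",
                           ["not a valid DMARC1 record (v= and p= are required)"])
    notes: List[str] = []
    policy = tags["p"].lower()
    sub_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        notes.append("pct= is not a number; treating it as 100 for this check")
    enforced = policy in ENFORCING and pct == 100
    if policy == "none":
        notes.append("p=none only monitors: spoofed mail is still delivered")
    elif policy not in ENFORCING:
        notes.append(f"unknown p={policy}; receivers cannot apply it")
    elif pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if policy in ENFORCING and sub_policy not in ENFORCING:
        notes.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        notes.append("no rua= address: the owner receives no aggregate spoofing reports")
    rating = "green" if enforced else "yellow"
    return DmarcStatus(domain, True, policy, sub_policy, pct, enforced, rating, notes)


# Constructed sample records for hypothetical campaign domains (not real lookups).
SAMPLE_RECORDS = {
    "enforcing-campaign.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforcing-campaign.example",
    "monitoring-campaign.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitoring-campaign.example",
    "partial-campaign.example": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "no-dmarc-campaign.example": None,
}


def audit(records: Dict[str, Optional[str]]) -> List[DmarcStatus]:
    """Evaluate every domain in the map, in the order given."""
    return [evaluate_dmarc(domain, record) for domain, record in records.items()]


if __name__ == "__main__":
    for status in audit(SAMPLE_RECORDS):
        print(f"{status.rating:6} {status.domain:28} p={status.policy} "
              f"sp={status.subdomain_policy} pct={status.pct}")
        for note in status.notes:
            print("       -", note)
```

Only the first sample domain rates green; `p=none` and a partial `pct=` both leave spoofed mail deliverable, which is the gap the article describes for the non-enforcing campaigns and for TriNet.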

“This is similar to an issue we see with banking fraud phone communications,” said Tobac. “Spammers call bank customers, spoof the bank’s number, and pose as the bank to get customers to give account details to ‘verify their account’ before ‘hearing about the fraud the bank noticed on their account’ — which, of course, is an attack,” she said.

“This is surprisingly exactly what the legitimate phone call sounds like when the bank is truly calling to verify fraudulent transactions,” Tobac said.

Wethington noted that other suspicious indicators were all techniques used by scammers in phishing attacks. The posters.trinet.com subdomain used in the email was only set up a few weeks ago, and the eposterservice.com domain it pointed to used an HTTPS certificate that wasn’t associated with either TriNet or Poster Elite.

These all point to one overarching problem. TriNet may have sent out a legitimate email but everything about it looked problematic.

On one hand, being vigilant about incoming emails is a good thing. And while it’s a cat-and-mouse game to evade phishing attacks, there are things that companies can do to proactively protect themselves and their customers from scams and phishing attacks. And yet TriNet failed in almost every way by opening itself up to attacks by not employing these basic security measures.

“It’s hard to distinguish the good from the bad even with proper training, and when in doubt I recommend you throw it out,” said Wethington.

Facebook sues OnlineNIC for domain name fraud associated with malicious activity

Facebook today announced it has filed suit in California against domain registrar OnlineNIC and its proxy service ID Shield for registering domain names that pretend to be associated with Facebook, like www-facebook-login.com or facebook-mails.com, for example. Facebook says these domains are intentionally designed to mislead and confuse end users, who believe they’re interacting with Facebook.

These fake domains are also often associated with malicious activity, like phishing.

While some who register such domains hope to eventually sell them back to Facebook at a marked-up price, earning a profit, others have worse intentions. And with the launch of Facebook’s own cryptocurrency, Libra, a number of new domain cybersquatters have emerged. Facebook was recently able to take down some of these, like facebooktoken.org and ico-facebook.org, one of which had already started collecting personal information from visitors by falsely touting a Facebook ICO.

Facebook’s new lawsuit, however, focuses specifically on OnlineNIC, which Facebook says has a history of allowing cybersquatters to register domains with its privacy/proxy service, ID Shield. The suit alleges that the registered domains, like hackingfacebook.net, are being used for malicious activity, including “phishing and hosting websites that purported to sell hacking tools.”

The suit also references some 20 other domain names that are confusingly similar to Facebook and Instagram trademarks, it says.


OnlineNIC has been sued before for allowing this sort of activity, including by Verizon, Yahoo, Microsoft and others. In the case of Verizon (disclosure: TechCrunch parent), OnlineNIC was found liable for registering more than 600 domain names similar to Verizon’s trademark, and the courts awarded $33.15 million in damages as a result, Facebook’s filing states.

Facebook is asking for a permanent injunction against OnlineNIC’s activity, as well as damages.

The company says it took this issue to the courts because OnlineNIC has not been responsive to its concerns. Facebook today proactively reports instances of abuse with domain name registrars and their privacy/proxy services, and often works with them to take down malicious domains. But the issue is widespread — there are tens of millions of domain names registered through these services today. Some of these businesses are not reputable, however. Some, like OnlineNIC, will not investigate or even respond to Facebook’s abuse reports.

The news of the lawsuit was previously reported by Cnet and other domain name news sources, based on courthouse filings.

Attorney David J. Steele, who previously won the $33 million judgement for Verizon, is representing Facebook in the case.

“By mentioning our apps and services in the domain names, OnlineNIC and ID Shield intended to make them appear legitimate and confuse people. This activity is known as cybersquatting and OnlineNIC has a history of this behavior,” writes Facebook, in an announcement. “This lawsuit is one more step in our ongoing efforts to protect people’s safety and privacy,” it says.

OnlineNIC has been asked for comment and we’ll update if it responds.

Google updates its Titan security keys with USB-C

Google has revealed its latest Titan security key — and it’s now compatible with USB-C devices.

The latest Titan key arrives just weeks after its closest market rival Yubico — which also manufactures the Titan security key for Google — released its own USB-C and Lightning-compatible key, but almost two years after the release of its dedicated USB-C key.

These security keys offer near-unbeatable security against a variety of threats to your online accounts, from phishing to nation-state attackers. When you want to log in to one of your accounts, you plug in the key to your device and it authenticates you. Most people don’t need a security key, but they are available for particularly high-risk users, like journalists, politicians and activists, who are frequently targeted by hostile nation states.

By Google’s own data, security keys are far stronger than other options, like a text message sent to your phone.

Many companies, like Coinbase, Dropbox, Facebook, Twitter and Google, support the use of security keys. But although the list of supported companies is not vast, it continues to grow as security key usage increases.

Google said its newest key will be available from October 15 for $40.

Microsoft says Iranian hackers targeted a 2020 presidential candidate

Microsoft said it has found evidence that hackers associated with Iran have targeted a 2020 presidential candidate.

The tech giant’s security and trust chief confirmed the attack in a blog post, but the company would not say which candidate was the target.

The threat group, which Microsoft calls Phosphorous — also known as APT 35 — made more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers. These accounts, he said, are “associated” with a presidential campaign, current and former U.S. government officials, journalists and prominent Iranians living outside the country.

“Four accounts were compromised as a result of these attempts; these four accounts were not associated with the U.S. presidential campaign or current and former U.S. government officials,” said Tom Burt, Microsoft’s vice president of customer security and trust.

The attacks happened between August and September, said Burt.

The threat group tried to obtain access to secondary email accounts linked to a Microsoft account, which they would use as a way to break into the account, he said.

Some attacks involved gathering and targeting user phone numbers.

Burt said the attacks were “not technically sophisticated” but attempted to use a “significant amount of personal information” both to identify and attack the accounts.

This isn’t the first time Phosphorous has appeared on Microsoft’s radar. The tech giant sued the threat group, believed to be backed by Tehran, earlier this year to take control of several domains used by the hackers to launch watering hole attacks. The hacker group is also believed to be linked to former U.S. Air Force counter-intelligence officer Monica Witt, who defected to Tehran in 2013 and is now wanted by the FBI for alleged espionage.

In previous campaigns, the hackers have targeted academics and journalists with spearphishing campaigns designed to look like Yahoo and Google login pages but can defeat two-factor authentication.

Microsoft said it’s made more than 800 notifications of attempted state-backed attacks against users who are protected by the tech giant’s account monitoring service aimed at political campaigns.

Justice Department indicts 80 individuals in massive business email scam bust

The Justice Department has indicted dozens of individuals accused of involvement in a massive business email scam and money laundering scheme.

News of the early-morning raids was first reported by ABC7 in Los Angeles.

Thom Mrozek, a spokesperson for the U.S. Attorneys Office for the Central District of California, confirmed more than a dozen individuals had been arrested during the raids on Thursday — mostly in the Los Angeles area. A total of 80 defendants are allegedly involved in the scheme.

The 145-page indictment, unsealed Thursday, said the 80 named individuals are charged with conspiracy to commit mail and bank fraud, as well as aggravated identity theft and money laundering.

Most of the individuals are based in Nigeria, said the spokesperson.

It’s not immediately known if the Nigerian nationals will be extradited to the U.S., though a treaty exists between the two nations making extraditions possible.

U.S. Attorney Nicola Hanna is expected to issue a statement shortly.

These business email compromise scams rely partly on deception and in some cases hacking. Scammers send specially crafted spearphishing emails to their targets in order to trick them into turning over sensitive information about the company, such as sending employee W-2 tax documents so scammers can generate fraudulent refunds, or tricking an employee into making wire transfers to bank accounts controlled by the scammers. More often than not, the scammers use spoofing techniques to impersonate a senior executive over email to trick the unsuspecting victim, or hack into the email account of the person they are impersonating.

The FBI says these impersonation attacks have cost consumers and businesses more than $3 billion since 2015.

The alleged fraudsters are accused of carrying out several hundred “overt” acts of fraud against over a dozen victims, generating millions of dollars worth of fraud over several months. In some cases the fraudsters would hack into the email accounts of the person they were trying to impersonate to try to trick a victim into wiring money from a business into the fraudster’s bank account.

Several bank accounts run by the fraudsters contained over $30 million in stolen funds.

Developing… more soon.

StockX admits ‘suspicious activity’ led to resetting passwords without warning

StockX, a popular site for buying and selling sneakers and other apparel, has admitted it reset customer passwords after it was “alerted to suspicious activity” on its site, despite telling users it was a result of “system updates.”

“We recently completed system updates on the StockX platform,” said the email to customers sent to TechCrunch on Thursday. The email provided a link to a password reset page but said nothing more.

The company was only last month valued at over $1 billion after a $110 million fundraise.

Companies reset passwords all the time for various reasons. Some security teams obtain lists of previously breached passwords that make their way online, hash them in the same format the company uses to store passwords, and look for matches. Triggering a reset for the matching accounts prevents passwords stolen from other sites from being used against a company’s own customers. In less desirable circumstances, passwords are reset following a data breach.

But the company admitted it was not “system updates” as it had told its customers.

“StockX was recently alerted to suspicious activity potentially involving our platform,” said StockX spokesperson Katy Cockrel. “Out of an abundance of caution, we implemented a security update and proactively asked our community to update their account passwords.”

“We are continuing to investigate,” said the spokesperson.


The password reset email sent by StockX on Thursday (Image: supplied)

We asked several follow-up questions — including who alerted StockX to the suspicious activity, if any customer data was compromised and why it misrepresented the reason for the password reset. We’ll have more when we know it.

Throughout the day customers were tweeting screenshots of the email, worried that their accounts had been compromised. Others questioned whether the email was genuine or if it was part of a phishing attack.

“Did they get hacked, find out somehow, and then to cover it up send out that email and ask for a password change?” one of the affected customers told TechCrunch.

Customers were given no prior warning of the password reset.

StockX founder Josh Luber kept with the company’s line, telling a customer in a tweet that the password reset was “legit” but did not respond to users asking why.

StockX tweeted back to several customers with a boilerplate response: “The password reset email you received is legitimate and came from our team,” and to contact the support email with any questions. We did just that — from our TechCrunch email address — and heard nothing back hours later.

Security experts expressed doubt that a company would reset passwords over a “systems update” as StockX had claimed.

Security researcher John Wethington said it is “rare” to see security overhauls that require password resets. “You wouldn’t just send out a random email about it,” he said. Jake Williams, founder of Rendition Infosec, said it was “bad communication” in any case.

Several took to Twitter to criticize StockX for its handling of the password reset.

One customer called the email “fishy,” another called it “suspicious” and another called on the company to explain why they had to reset passwords in this unorthodox way. Another said in a tweet that he asked StockX twice but they “refused to provide an answer.”

“Guess I’m closing my account,” he said.


Google’s Titan security keys come to Japan, Canada, France and the UK

Google today announced that its Titan Security Key kits are now available in Canada, France, Japan and the UK. Until now, these keys, which come in a kit with a Bluetooth key and a standard USB-A dongle, were only available in the U.S.

The keys provide an extra layer of security on top of your regular login credentials. They provide a second authentication factor to keep your account safe and replace more low-tech two-factor authentication systems like authentication apps or SMS messages. When you use those methods, you still have to type the code into a form, after all. That’s all good and well until you end up on a well-designed phishing page. Then, somebody could easily intercept your code and quickly reuse it to breach your account — and getting a second factor over SMS isn’t exactly a great idea to begin with, but that’s a different story.

Authentication keys use a number of cryptographic techniques to ensure that you are on a legitimate site and aren’t being phished. All of this, of course, only works on sites that support hardware security keys, though that number continues to grow.

The launch of Google’s Titan keys came as a bit of a surprise, given that Google had long had a good relationship with Yubico and previously provided all of its employees with that company’s keys. The original batch of keys also featured a security bug in the Bluetooth key. That bug was hard to exploit, but nonetheless, Google offered free replacements to all Titan Key owners.

In the U.S., the Titan Key kit sells for $50. In Canada, it’ll go for $65 CAD. In France, it’ll be €55, while in the UK it’ll retail for £50 and in Japan for ¥6,000. Free delivery is included.


Bellingcat journalists targeted by failed phishing attempt

Investigative news site Bellingcat has confirmed several of its staff were targeted by an attempted phishing attack on their ProtonMail accounts, which the journalists and the email provider say failed.

“Yet again, Bellingcat finds itself targeted by cyber attacks, almost certainly linked to our work on Russia,” wrote Eliot Higgins, founder of the investigative news site in a tweet. “I guess one way to measure our impact is how frequently agents of the Russian Federation try to attack it, be it their hackers, trolls, or media.”

News emerged that a small number of ProtonMail email accounts were targeted this week — several of which belonged to Bellingcat’s researchers who work on projects related to activities by the Russian government. A phishing email purportedly from ProtonMail itself asked users to change their email account passwords or generate new encryption keys through a similarly-named domain set up by the attackers. Records show the fake site was registered anonymously, according to an analysis by security researchers.

In a statement, ProtonMail said the phishing attacks “did not succeed” and denied that its systems or user accounts had been hacked or compromised.

“The most practical way to obtain email data from a ProtonMail user’s inbox is by compromising the user, as opposed to trying to compromise the service itself,” said ProtonMail’s chief executive Andy Yen. “For this reason, the attackers opted for a phishing campaign that targeted the journalists directly.”

Yen said the attackers tried to exploit an unpatched flaw in third-party software used by ProtonMail, which has yet to be fixed or disclosed by the software maker.

“This vulnerability, however, is not widely known and indicates a higher level of sophistication on the part of the attackers,” said Yen.

It’s not known conclusively who was behind the attack. However, both Bellingcat and ProtonMail said they believe certain tactics and indicators of the attack may point to hackers associated with the Russian government. For instance, the attack’s targets were Bellingcat’s researchers working on the ongoing investigation into the downing of flight MH17 by Russian forces and the use of a nerve agent in a targeted killing in the U.K.

Higgins said in a tweet that this week’s attempted attack likely targeted “in the tens” of people unlike earlier attacks attributed to the Russian government-backed hacker group, known as APT 28 or Fancy Bear.

Bellingcat in the past year has gained critical acclaim for its investigations into the Russian government, uncovering the names of the alleged Russian operatives behind the suspected missile attack that blew up Malaysian airliner MH17 in 2014. The research team also discovered the names of the Russian operatives who were since accused of poisoning former Russian intelligence agent Sergei Skripal and his daughter Yulia in a nerve agent attack in Salisbury, U.K. in 2018.

The researchers use open-source intelligence and information gathering where police, law enforcement and intelligence agencies often fail.

It’s not the first time that hackers have targeted Bellingcat. Its researchers were targeted several times in 2016 and 2017 following the breach of the Democratic National Committee, which saw thousands of internal emails stolen and published online.

A phone call to the Russian consulate in New York requesting comment was not returned.