In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.
While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.
[Image: Google Checkout for Political Contributions (Credit: Google)]
In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.
The phishing problem is a particular threat to campaign sites, for a number of reasons:
- The various campaigns use completely inconsistent naming schemes for their domains. Users have no way of knowing if they should go to Hillaryclinton.com or Hillary.com, Rudygiuliani.com or Joinrudy2008.com.
- Politicians were nice enough to exempt themselves from antispam laws. An online store cannot send out unsolicited e-mail and ask you to buy their products, but politicians can send out hundreds of thousands of e-mails asking people to donate money.
- While online banks have gone to great lengths to educate their users about the dangers of clicking on links in e-mails, the campaigns all encourage this dangerous behavior. At the end of e-mail messages describing the threat posed by the opposite party, potential donors are asked to click and donate.
- Campaign contributions don't result in the sale of a physical good. If a phisher pretends to be Amazon.com and tricks a user into entering his or her credit card number, there is a good chance that the victim will figure it out when her book never shows up. However, once a donor has given money using a legitimate campaign Web site, the only thing they will ever receive is a thank-you e-mail, which can easily be spoofed by a phisher.
In our research paper, we suggested that Google and PayPal begin to offer online-campaign contribution systems. The two companies have already spent millions of dollars in establishing trusted brands, enough that millions of users entrust the firms with their credit card details and other personal information. Both have Web site names that users can remember, and both have well-staffed security teams that can respond in real time to phishing threats.
A couple weeks ago, PayPal launched its "PayPal Kit for Non-Profits" product. Similarly, Google recently announced a form of Google Checkout specifically designed for political campaigns.
I'm not going to claim credit for inspiring these product deployments, as I'm sure that the legal complexities in designing a campaign contribution system are significant enough that the firms were working on the products long before my colleagues and I published our paper. However, it is nice to see that we successfully predicted the future.
Both sites pitch their products as ways for campaigns to increase the amount of money that is donated and to increase the number of people who will give. The massive security benefits to donors and the campaigns (in terms of reputation damage in the event that a phishing attack occurs) are glossed over.
The introduction of these products is a great first step. However, the millions of people who donate to campaign sites are not yet safe from phishing attacks.
First, the campaigns need to all ditch their own home-brew payment-processing solutions and switch to the exclusive use of either Google, PayPal, or both.
Second, the campaigns need to stop telling users to click on links in donation solicitation e-mails.
Third, the campaigns need to engage in user education and tell people that they should not give money through anything other than Google or PayPal.
With millions of dollars per week being raised online for the presidential campaigns, this is an area that is ripe for fraud and evil activity. While the phishers have thus far not targeted campaign sites, it is surely a matter of time before they do. However, if the campaigns are smart, and start taking advantage of the tools made available to them by trusted online-payment sites, they can do much to reduce the risk that phishers pose to the online-donation process.
It remains to be seen if the campaigns will actually be wise enough to embrace Google, PayPal, and others--or if they will allow their reputations and the confidence of online users to be trashed due to an inability to see future threats.
Disclosure: I interned with Google's security team in 2006 and have received $5,000 of fellowship money from Google and the Hispanic College Fund in both 2007 and 2008.
Later today, I will be presenting as part of a panel on the subject of political phishing at the Anti-Phishing Working Group eCrime Researchers Summit.
During the panel discussion, I will be speaking about the threats to the online fundraising model used by political candidates in the United States. While attacks in the wild have yet to be seen, there are a number of factors which make online campaign giving particularly vulnerable to phishing attacks.
To go along with my talk, Professor Markus Jakobsson and I have released a white paper which clearly explains the issues, threats and a solution to the problem. The slides for my talk are also available online at www.politicalphishing.com.
Based on advice from legal counsel, I won't be including any of the screenshots and synthetic examples of political phishing sites in this blog post. This research needs to remain 100% non-commercial, and since I get paid for this blog, I don't want to be seen as profiting from this phishing project. I'll explain the problem of political phishing briefly here, but if you find the subject interesting, I urge you to go and read our technical report or at least look at the slides.
Hillary Clinton made headlines earlier this week when it was announced that she raised over $8 million through online donations in the third quarter of 2007. In the grand scheme of online political donations, this is a fairly small sum. After all, in 2004, John Kerry raised $3 million in a single day, and $5 million over a two-day period. The reason that Hillary's financial haul is such a big story is that it is over a year before the presidential election, and she has yet to win the Democratic primary. Thus, I feel completely safe in predicting that the 2008 election will result in more online campaign donations than ever before.
The problem with this, of course, is that where the money flows, fraudsters and criminals soon follow. While banks and other financial firms regularly urge their customers never to click on links contained in emails, political campaigns preach the opposite message. The regular flood of campaign emails in my inbox attests to the fact that politicians depend on you "acting now" - which usually either involves clicking on and filling out a petition, or donating funds. If Hillary Clinton's campaign (or Mitt Romney's, Fred Thompson's or any other candidate's campaign) can convince users to click on an email that arrives unsolicited in their inboxes, pull out their credit cards, and give money to a website that they have no real way of authenticating - then the phishers can too.
One of the main problems is that candidates use such inconsistent schemes when picking a domain name for their official website. A pop quiz: Should a potential donor visit joinrudy08.com, or rudygiuliani.com, barack.com or barackobama.com, fredthompson.com or fred08.com? If a user clicks on a web advertisement that takes them to hillary08.com, how can they be sure that they are at her official campaign website?
This little taste should be enough to at least explain the risks of political phishing. While 2008 will certainly be the biggest year of online fundraising, it may also be the year that political phishing becomes a serious issue. For more information on the subject, please read our white paper and check out our slides containing synthetic political phishing emails and websites. Both are located at www.politicalphishing.com. Would you be fooled?





