The Democratic National Committee (DNC) has taken down a highly convincing phishing log-in page which appears to have been designed to give attackers access to the party’s voter database.
The page was discovered by Lookout Security’s AI-based phishing detection engine very early on in its lifecycle, most likely before attackers had a chance to send out related phishing messages to their targets.
It mimicked a log-in page for tech provider NGP VAN, used primarily by the DNC, which was hosted on DigitalOcean cloud infrastructure.
A DNC source told CNN that the site was intended to give the phishers access to a service called Votebuilder which hosts the party’s voter database.
Those involved co-ordinated a swift takedown of the page and informed the FBI.
“These threats are serious and that’s why it’s critical that we all work together, but we can’t do this alone. We need the [Trump] administration to take more aggressive steps to protect our voting systems. It is their responsibility to protect our democracy from these types of attacks,” said DNC chief security officer Bob Lord in a statement.
Although the timing of the attack could be a coincidence, it comes in the highly charged run-up to the mid-term elections, where a Democratic Party majority in the lower house could pave the way for impeachment proceedings against President Trump.
While there’s no suggestion the Kremlin is behind this phishing attempt it certainly fits the modus operandi of state-sponsored groups like APT28, which famously spear-phished the DNC in the run-up to the 2016 presidential election, publishing sensitive emails in a bid to alienate Hillary Clinton voters.
Ross Rustici, senior director of intelligence services at Cybereason, argued that access to the DNC database would be useful for domestic partisan opposition and foreign intelligence and counterintelligence purposes.
“This type of prep work by hackers is likely to continue, and it is a good sign that these websites are being detected before they appear to be in use,” he added. “The efficacy of this type of credential theft is greatly mitigated by use of two-factor authentication and other identity management tools.”
Lookout Security vice-president of security intelligence, Mike Murray, claimed that the new dynamics of running modern enterprises have created a “fertile ground” for more sophisticated phishing attacks.
“Whereas organizations used to only have to protect against email-based phishing attacks, modern phishing attacks now occur through a variety of means: email, SMS, extended SMS messengers like Apple Messages, Google Hangouts, WhatsApp, WeChat, and social media sites like Facebook, LinkedIn, etc.,” he argued.
“In many cases, mobile devices do not allow individuals to inspect links before clicking them. Additionally, these devices are constantly in motion from Wi-Fi to mobile networks, leaving the devices often unprotected and outside the organization’s security perimeter.”
The news comes after Microsoft this week claimed to have taken down six phishing domains said to have been run by the Russian APT28 group.