New research, released today by Agari, reveals that despite the recent high-profile nation-state sponsored email attacks on political parties during elections, none of the political parties in the UK, Germany and Norway, all of which have upcoming elections, have email authentication or protection against spear phishing in place. 8% have published an email authentication policy but left the door wide open by setting their policy to “none”, which will not stop malicious emails from reaching intended victims. This lack of security is leaving voters, supporters and the parties themselves wide open to targeted email attacks using identity deception and social engineering methods.
As demonstrated in the past 12 months with the attacks on the En Marche! party in the French Presidential elections and on the Democratic National Committee (DNC) during the U.S. presidential elections, an email attack that results in leaks of sensitive data can detract from a free and fair election and, ultimately, impact the results.
To negate this risk, organisations should implement email authentication with a “reject” policy using the open standard DMARC. This prevents impostors from using the domains of the political parties to deceive internal campaign staffers, volunteers and the public. The combination of these two security defences would have prevented both the U.S. DNC compromise and the French En Marche! attack.
DMARC (Domain-based Message Authentication, Reporting and Conformance) is an open security standard that is designed to detect and prevent identity deception by enabling ISPs (Internet Service Providers) and any organisations receiving emails to check that incoming mail is authenticated. However, in order for it to work, the political parties in Europe need to publish a DMARC “reject” policy, which none of them has done to date.
When examining the main political parties of the UK, Germany and Norway, only the UK Liberal Democrats and the UK Green Party have put a DMARC “none” policy record in place. While this is a good start and shows they have the intent to protect themselves and the public, it is not yet sufficient to provide any protection. To block spoofing, these organisations need to take the steps to move to DMARC “quarantine” or preferably “reject”, to put unauthenticated messages in the spam folder or block them outright. DMARC policies are publicly available through DNS records and you can look up any political party’s policy here.
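The difference between publishing a DMARC record and actually enforcing one can be checked mechanically from the TXT record at `_dmarc.<domain>`. The following is an added example, not part of the Agari release: the function names and the `party-*.example` records are constructed for illustration, and the records are embedded rather than fetched from DNS.

```python
"""Classify a DMARC TXT record by the protection its policy gives."""

VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Parse 'tag=value; ...' into a dict; return None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489: v=DMARC1 must be the first tag, and p= must carry a known policy.
    first = txt.split(";", 1)[0].replace(" ", "")
    if first != "v=DMARC1" or tags.get("p", "").lower() not in VALID_POLICIES:
        return None
    return tags

def assess(txt_records):
    """Return (status, detail) for the TXT records found at _dmarc.<domain>."""
    parsed = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(parsed) != 1:
        # No record, or several: receivers apply no DMARC policy at all.
        return ("unprotected", "no single valid DMARC record")
    tags = parsed[0]
    policy = tags["p"].lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and int(pct_raw) <= 100 else 100
    if policy == "none":
        return ("monitoring", "p=none: failing mail is still delivered")
    if pct < 100:
        return ("partial", f"p={policy} applied to only {pct}% of failing mail")
    return ("enforcing", f"p={policy}")

# Constructed sample records (example.* domains, not real lookups).
SAMPLES = {
    "party-a.example": [],
    "party-b.example": ["v=DMARC1; p=none; rua=mailto:dmarc@party-b.example"],
    "party-c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "party-d.example": ["v=DMARC1; p=reject; sp=reject"],
    "party-e.example": ["v=spf1 -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        status, detail = assess(records)
        print(f"{domain:18} {status:12} {detail}")
```

Only the "enforcing" result corresponds to the “quarantine” or “reject” posture described above; a "monitoring" result is the “none” policy that reports on spoofed mail without blocking it.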
Dr Markus Jakobsson, Chief Scientist at Agari, comments: “This is a disaster waiting to happen. It appears that in spite of the now infamous email attacks that have blighted two elections in recent months, political parties are still showing no signs of even acknowledging that they need email protection. DMARC allows organisations to make it impossible to spoof their email domains. In the absence of a DMARC policy and protection against identity deception, anybody can write an email that appears to come from an unprotected organisation and have it delivered to the unwitting victim-to-be.”
“Take the Macron attack last month, where there were several email accounts associated with Macron’s campaign that were compromised in a spear phishing attack – none had a DMARC policy that would have defended against spoofing. As we head into the next election campaigns, only two UK political parties have a DMARC policy, but neither has it configured to block malicious traffic.”
“Moreover, most organisations, including political parties, use antiquated inbound email filters, with no protection against identity deception. If an organisation simply uses a spam filter, all they avoid is getting unwanted Viagra advertisements — they have no protection against phishing emails. Similarly, and sadly, even those that do have phishing filters only have partial protection, since traditional phishing filters rely on the blacklist paradigm, which is not applicable to spear phishing attacks. It is vital for political organisations to recognise the risks they are taking by not addressing this problem.”
In order to prevent these cyberattacks and preserve free and fair elections, Agari is offering the Agari Email Trust Platform and its email security expertise free of charge to political parties in the run-up to the UK, German and Norwegian elections in 2017. Agari has visibility into 70% of global inboxes, including the John Podesta and Macron campaign staff Gmail accounts that were targeted in the U.S. and French elections.
Jakobsson concludes: “Enterprises have, increasingly, woken up to the threat they are facing and are starting to deploy the appropriate security countermeasures. It is time for political parties to recognise what is at stake and do the same.”
The Agari Email Trust Platform verifies trusted email identities based on insight into 10 billion emails per day to stop advanced email threats that use identity deception. Agari protects the inboxes of the world’s largest organisations from the number one cyber security threat of advanced email attacks including phishing, spear phishing and business email compromise.