DNC officials and Lookout believed a spoofed site was built to harvest authentication details for the Democratic voter database.
A day after the Democratic National Committee riled up security researchers and the press, it’s walking back an assertion that there was an attempt to compromise its voter database.
Though it seemed like the event was the latest in a series of malicious efforts designed to harvest credentials belonging to political targets or influence the electorate ahead of the November midterm elections, it turns out it was only a security test.
An unnamed Democratic source told CNN Wednesday that the DNC was alerted to the presence of a spoofed log-in page designed to mimic VoteBuilder – a platform used by Democratic Party officials and campaigns across the country to manage the Democratic registered voter database. The alarm was raised by security researchers at Lookout and a cloud provider, the source said, adding that the page was a very close facsimile of the service’s legitimate access page.
DNC officials and Lookout believed the site was a malicious one, designed to trick users into filling in their authentication details, which would give the attackers an open door into the database. Bad actors could have lured users to spoofed sites using targeted spear-phishing emails.
However, it all turns out to be a red herring.
The DNC uses a contractor, NGP VAN, to manage VoteBuilder. Bob Lord, chief security officer at the DNC, confirmed last night that the Michigan Democratic Party asked a third party to conduct a “simulated phishing test” on the voter database. The action was carried out without authorization from the DNC — which is why the action set off alarm bells for Lookout and DNC officials.
Lord also said that the DNC is subject to “constant attempts to hack the DNC and our Democratic infrastructure,” noting that vigilance is of the utmost importance — in other words, it’s better to err on the side of caution with situations like this.
Tod Beardsley, research director at Rapid7, noted that even though this wasn’t an active hack attempt, using mirror sites is a favored method for gaining unauthorized access to all kinds of systems, including those used by high-value political targets and networks across the private sector.
“This event [still] underscores the importance of staying vigilant when using an internet browser, especially if you’re an interesting person with access to interesting data like a DNC party official who works with a proprietary voter database,” he said via email. “It’s important to remember that the presence of a green padlock isn’t the only security control in your web browser; you need to also pay close attention to the actual host name of the system you think you’re logging into.”
It’s an important point given that malicious attempts against political targets and influence campaigns are continuing. Earlier this week, Microsoft disrupted a mirror-site effort allegedly mounted by the Fancy Bear APT group, and Facebook took down hundreds of pages that were part of a network of propaganda and misinformation sites allegedly backed by the Iranian government.