Aside from COVID-19 outbreaks, second waves and panic buying, a huge part of news coverage in 2020 has been focussed on the recent US Presidential Election. Whilst it is now official that Joe Biden received enough Electoral College votes to claim victory, President Trump is still launching legal action, claiming that the election was not legal and that a large number of early votes should not be counted. While President Trump was alleging that illegal voting activities were being carried out in certain States, hidden under the radar on the Dark Web, actual cybercrimes were taking place, which threatened to disrupt the election process.

Two weeks before Election Day, global cybersecurity company, Trustwave, reported that their “SpiderLab team discovered massive databases with detailed information about US voters and consumers offered for sale on several hacker forums”.

The hacker that Trustwave discovered, known as Greenmoon2019, was selling personally identifying information, including the voter registration data of 186 million citizens.  That huge figure made up almost the entire voting population in the US.  The information contained in the voter database was extremely valuable to the cybercrime community, as not only did it contain names and addresses, but it also showed the political party that each voter was aligned to.  This type of data could be used to carry out social engineering scams and spread misinformation to potentially impact the elections, particularly in swing states.

One interesting fact to note is that in many US States, voter information is publicly available from Government websites. However, the data being sold on the dark web also contained email addresses (something not publicly available). These details were likely obtained from various data breaches. Greenmoon2019 had cross-referenced illegally obtained data with publicly available information to create powerful databases with even more detailed information about US citizens, and then put them up for sale.

This data can be used for many types of scams, such as targeting voters based on their voting history. With North Carolina being a swing state in the 2020 election, that type of threat is even more significant. Propaganda and misinformation campaigns could be used to help sway votes toward one party or another. In a quote given to NBC News, Ziv Mador, Vice President of security research at Trustwave, said, “In the wrong hands, this voter and consumer data can easily be used for geotargeted disinformation campaigns over social media, email phishing and text and phone scams before, during and after the election, especially if results are contested.”

Naturally, the hackers were very grateful that all this personally identifying data was so readily available, as seen below.

At FraudWatch International, our Cyber Threat Intelligence (CTI) analysts were able to dig up more voter databases for sale on the dark web. There were lists for many US States, including data dumps of publicly available voter information as well as hacked databases.

One interesting thing to note is that even though we found voter databases available for free on forums, a lot of them are also for sale on dark marketplaces for a nominal fee.

When this data was evaluated more closely, a large portion of it was found to be legitimate information. We were able to verify that names were real, and voters were from the places the spreadsheet said they were.

Figure 5: Database of Wisconsin 2020 Voters (Source: FraudWatch International) 


Absentee voter data was also up for sale, which hackers could use to wreak havoc by submitting duplicate or fake votes.

Even more troubling than the selling of voter databases was a conversation that our CTI analysts discovered in a dark web forum. It detailed zero-day exploits of an app that was likely to be used by some US States to gather absentee votes at Primary Elections. The hacker claimed that the exploits could be used to increase vote numbers by submitting duplicate or fake votes. Another vulnerability was said to allow actual votes to be changed without the real voter knowing. This kind of manipulation could allow a political party to alter the results of the election.

All these findings demonstrate how vulnerable Americans are to targeted attacks by criminals and foreign threat actors. The mere fact that so many names, addresses, phone numbers, email addresses and voting histories were up for sale, in bulk, on the dark web shows how easily criminals can obtain data for malicious email campaigns.

It is also important to remember that this data remains valuable to criminals after the elections; only the approach varies at the time of the attack. Using Open-Source Intelligence (OSINT) tools, a hacker can identify the victim, their age and even their close relatives. This creates a wealth of new opportunities for financial scams. Because seniors are more vulnerable to digital crime, scammers can easily use social engineering to manipulate an older person and convince them to provide financial data, or even to transfer money to someone the victim believes is a family member.