October 15, 2018 - Anomali Threat Research

Estimated 35 Million Voter Records For Sale on Popular Hacking Forum

<p>Anomali Labs researchers, in close partnership with <a href="https://intel471.com/" target="_blank">Intel 471</a>, a leading cybercrime intelligence provider, have uncovered a widespread unauthorized information disclosure of US voter registration databases. To be clear, this voter information is made generally available to the public for legitimate uses. Anomali and Intel 471 researchers discovered dark web communications offering a large quantity of voter databases for sale. The databases include valuable personally identifiable information and voting history. The disclosure reportedly affects 19 states and includes 23 million records for just three of the 19 states. No record counts were provided for the remaining 16 states, although prices are listed for each state. We estimate that the entire contents of the disclosure could exceed 35 million records. Researchers have reviewed a sample of the database records and determined the data to be valid with a high degree of confidence.</p><p>Of note, the seller indicates they receive weekly updates of voter registration data across the states and that they receive information via contacts within the state governments. Certain states require the seller to personally travel to locations in-state to receive the updated voter information. This suggests the information disclosure is not necessarily a technical compromise but rather a likely targeted campaign by a threat actor redistributing possibly legitimately obtained voter data for malicious purposes on a cybercrime forum.</p><p>To our knowledge, this represents the first reference on the criminal underground of actors selling or distributing lists of 2018 voter registration data, including US voters’ personally identifiable information and voting history.
With the November 2018 midterm elections only four weeks away, the availability and currency of the voter records, if combined with other breached data, could be used by malicious actors to disrupt the electoral process or pursue large-scale identity theft.</p><h2>Sales Advertisement of 2018 Voter Data</h2><p>On October 5, 2018, a known illicit vendor advertised for sale, in a single post on a popular English-language hacking forum, tens of millions of previously undisclosed 2018 voter registration records for at least 19 US states. The voter records affect citizens of:</p><ul><li>Georgia</li><li>Idaho</li><li>Iowa</li><li>Kansas</li><li>Kentucky</li><li>Louisiana</li><li>Minnesota</li><li>Mississippi</li><li>Montana</li><li>New Mexico</li><li>Oregon</li><li>South Carolina</li><li>South Dakota</li><li>Tennessee</li><li>Texas</li><li>Utah</li><li>West Virginia</li><li>Wisconsin</li><li>Wyoming</li></ul><p>Purportedly, these records contain voter data including full name, phone numbers, physical addresses, voting history, and other unspecified voting data. The sales price for each voter list ranges from $150 USD to $12,500 USD depending on the state. This pricing model could be related to the number of voter records per database listing and/or, to a lesser degree of confidence, to offset the original cost to the illicit vendor. Once purchased, the vendor claims to provide customers with regular updates at the start of each week.</p><p style="text-align: center;"><img alt="Illicit vendor advertising 19 US state voter lists" src="https://cdn.filestackcontent.com/FIJPFrNlTw6bsgFUbbg4"/><br/> <em>Illicit vendor advertising 19 US state voter lists on a popular English-language hacker forum on October 5, 2018</em></p><p>Within hours of the initial sales advertisement, a separate high-profile actor organized a crowdfunding campaign to purchase each voter registration database.
According to the actor, the purchased databases would be made available free of charge to all registered members of the hacker forum, with early access given to donors of the project. At the time of this report, the first of 19 available voter databases, Kansas, has been acquired and published.</p><p style="text-align: center;"><img alt="Publication of 2018 Kansas voter database" src="https://cdn.filestackcontent.com/h8lXJacwQGWJcp7gOb4a"/><br/> <em>Screenshot showing publication of 2018 Kansas voter database</em></p><p>A second crowdfunding project, with forum members voting to select the next state, is close to 20.7% of its funding goal. Oregon currently leads the voting for the second state to be published.</p><p style="text-align: center;"><img alt="2018 Oregon voter database" src="https://cdn.filestackcontent.com/hMaIl38TRn2q3ZeJO50b"/><br/> <em>Screenshot showing crowdfunding status for 2018 Oregon voter database</em></p><h2>Legitimate Use of Voter Registration Lists</h2><p>State voter registration lists can be obtained at varying costs established by each state. These lists can include registered voters and who has voted in specific elections. However, there are rules that govern which authorized persons and entities, such as political campaigns, journalists, or academic researchers, may retrieve and use the data. <a href="https://www.techsafety.org/voter-registration-privacy/" target="_blank">Of note</a>, most states consider basic voter registration data, i.e., full name, address, email, party affiliation, etc., as public records. Several of these states offer an “opt-out” feature to prevent the public use of the individual voter information.</p><p>Generally speaking, voter lists are not permitted to be used for commercial purposes or allowed to be republished online.
The discovery of 19 US state voter lists from 2018 on Deep and Dark Web forums and marketplaces illustrates the potential ease with which unauthorized entities can circumvent established state rules and procedures to obtain and profit from voter data. When these lists are combined on underground forums with other breached data containing sensitive information, e.g., social security number and driver’s license, they provide malicious actors with key data points for creating a target profile of the US electorate.</p><p>This type of information can facilitate criminal actions such as identity fraud or allow for false submissions of changes online to voter registrations, making some <a href="https://techscience.org/a/2017090601/" target="_blank">legitimate voters ineligible to cast ballots</a>. <a href="https://news.harvard.edu/gazette/story/2017/09/study-points-to-potential-vulnerability-in-online-voter-registration-systems/" target="_blank">In a voter identity theft scenario</a>, fraudsters can cause disruptions to the electoral process through physical address changes, deletion of voter registrations, or requests for absentee ballots on behalf of the legitimate voter.</p><h2>Conclusion</h2><p>The previously unseen disclosure of 2018 voter data highlights the continued interest amongst the criminal underground in obtaining and monetizing voter registration information. Given the illicit vendor’s claims of weekly updates of voter records and their high reputation on the hacker forum, we assess with moderate confidence that he or she may have persistent database access and/or contact with government officials from each state.</p><p>These types of unauthorized information disclosures increase the threat of possible disruptive attacks against the U.S.
electoral process such as voter identity fraud and voter suppression.</p><p>For more election coverage, check out our findings on email spoofing, “<a href="https://www.anomali.com/resources/whitepapers/email-spoofing-a-threat-to-the-2018-us-midterm-elections" target="_blank">Email Spoofing a Threat to the 2018 US Midterm Elections</a>” and an assessment of US election security we did with CSO, “<a href="https://www.anomali.com/resources/whitepapers/cso-online-the-changing-landscape-of-us-election-security" target="_blank">The Changing Landscape of US Election Security.</a>”</p>
