Online political donation sites have become a prime target for cybercrooks looking to take advantage of US voters who throw money at their favorite candidates, a new DataDome report warned on Tuesday.
Recent news reports show that both presidential campaigns have been raking in millions of dollars in party donations in 2024, even more so since President Joe Biden officially dropped out of the race last month and endorsed his Vice President, Kamala Harris, as the official 2024 Democratic presidential nominee.
The ‘once Biden-now Harris’ campaign raked in a whopping $50 million on the Sunday after Biden’s exit from the race, in what the New York Times called “the single biggest day for online Democratic contributions since the 2020 election.”
Also in July, the Associated Press had reported the Trump campaign was able to haul in more than $331 million in donations for that quarter.
Now, a new threat report is warning that many of these political donation sites that are collecting for the upcoming November elections often lack basic security measures, making them ripe for cyberattacks and other malicious schemes.
Not only are threat actors attracted to these sites because of the “large volumes of transactions being processed,” but also because of the types of information that users input into the platform, DataDome security researchers say.
Cybercriminals know that a user’s personal and financial information provided during an online donation transaction – including names, addresses, and credit card details – can easily be used to carry out identity theft and/or financial fraud.
“Trust in the integrity and security of donation platforms is vital for encouraging continued election participation and contributions,” Antoine Vastel, VP of Research at DataDome, said.
Testing the security of online donations sites
The global cybersecurity firm said it tested three major US political donation platforms to assess their security controls against “automated and fraudulent activities.”
The test found that all three of the legitimate, yet unnamed platforms “lacked critical login security measures to protect against bot traffic and credential stuffing attacks.”
In a credential stuffing attack, an attacker replays username and password pairs harvested from earlier breaches against the login of the targeted website, hoping that victims who reused the same credentials elsewhere will be matched and their accounts opened.
Researchers further discovered that all three platforms were using Google's free reCAPTCHA v2 human-challenge widget on their registration pages, a control widely known to be insecure and “easily bypassed by sophisticated bots.”
And finally, the login endpoints for all three sites were found entirely unprotected, presenting a significant opportunity for account takeover, the team said.
Even more disappointing, two of the sites were found to have no effective security measures at all, leaving users defenseless against attackers seeking unauthorized access and looking to scrape sensitive information, such as payment details and credit card numbers, from their accounts, researchers said.
On a positive note, one of the sites had implemented two-factor authentication (2FA), an essential security layer, though not by itself enough to fully protect users.
How to donate securely
DataDome points out that the breach of a donation site could have “severe consequences” not only for the victim, but also for the political campaign or candidate it represents by damaging public trust.
“A breach or data leak could undermine confidence, leading to reduced donor engagement and potential financial losses for the political campaigns,” the DataDome report noted.
Before donating to any favorite candidate or political party, users should review basic security measures to prevent falling victim to such attacks.
DataDome suggestions for donor best practices include:
- Using a unique and strong password generated with a password manager.
- Not reusing the same email/password across different websites/applications.
DataDome also urges donation sites to employ enhanced authentication on their platforms to protect users, including two-factor authentication for all critical user interactions, such as logins and transactions.
Additionally, the company said donation platforms should employ advanced bot protection and CAPTCHA systems that can detect attacks from automated bots and CAPTCHA farms, as well as bots that mimic human-like behavior.
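One defensive check implied by the findings above, as an added example that is not code from the DataDome report or from any of the tested platforms: it scans login-endpoint logs for the credential-stuffing signature described earlier (many failed logins from one source spread across many distinct accounts in a short window), so that a single donor mistyping their own password is not flagged. The log format, the sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log for a donation site's login endpoint (not real data):
# "<ISO timestamp> <source ip> <account> <result>". The first IP tries one
# failed login at each of 12 different accounts in 12 seconds (stuffing); the
# second is one user fumbling their own password before succeeding.
SAMPLE_LOG = "\n".join(
    [f"2024-08-06T10:00:{i:02d} 203.0.113.7 donor{i}@example.org FAIL"
     for i in range(12)]
    + ["2024-08-06T10:01:00 198.51.100.4 carol@example.org FAIL",
       "2024-08-06T10:01:05 198.51.100.4 carol@example.org FAIL",
       "2024-08-06T10:01:09 198.51.100.4 carol@example.org OK"])


def parse_line(line):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result


def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_failures=10, min_accounts=8):
    """Flag source IPs whose failed logins within any `window`-long span hit
    both thresholds: many failures AND many distinct accounts. A single user
    retrying one account never trips the distinct-account threshold.
    Returns {ip: (failures_in_window, distinct_accounts_in_window)}."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    failures = defaultdict(list)          # ip -> [(timestamp, account), ...]
    for ts, ip, account, result in events:
        if result == "FAIL":
            failures[ip].append((ts, account))

    flagged = {}
    for ip, fails in failures.items():
        start = 0
        for end in range(len(fails)):     # sliding window over sorted failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            accounts = {acct for _, acct in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                flagged[ip] = (len(span), len(accounts))
                break                     # first offending window is enough
    return flagged


if __name__ == "__main__":
    for ip, (n_fail, n_acct) in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {n_fail} failed logins across {n_acct} accounts")
```

Stuffing traffic is often spread across many proxy addresses so that no single IP crosses a per-IP threshold, which is one reason the report's recommendation of dedicated bot protection goes beyond a rule like this one.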