Open source software security

FEC Data Ripe for Mining

25 August 2011
The US Federal Election Commission (http://www.fec.gov) is a government body set up to, among other things, monitor campaign contributions. From a hacker or social engineer's perspective, the fact that the data collected is made public is sheer gold. Contributions that total more than $200 from one individual must be itemized by law, and the record includes the name of the contributor, their employer, occupation, city, state and zip code of residence, along with the date of receipt and the recipient committee. This material is indexed and can be easily searched by name, location, or even employer. The potential for abuse is staggeringly high.

One way to use this data is simply for information gathering. If an attacker wishes to conduct reconnaissance on an organization, they merely have to search for contributors employed by that organization. The results reveal not only names of employees, along with their cities and states of residence, but also political affiliation, inferred from the recipient of the contribution. Because the itemization threshold is $200, the data naturally skews toward employees who can afford to give significant amounts (think C-level executives and other layers of upper management), so it amounts to a ready-made list of high-value targets. This can be far more revealing than searching an online people directory or a professional networking website, and it provides insight into organizations that do not expose a public employee directory at all.

This information can easily be mined for social engineering purposes. For instance, by searching all contributors for a specific employer, an attacker could find a target's name and the amount of their contribution. The FEC data does not include e-mail addresses, so the attacker next searches the company's website or a staff directory for the target's corporate e-mail address. The attacker can then craft a phishing e-mail to the target that includes details of the campaign contribution, for instance: "Dear Mr. Victim, I am writing on behalf of the Mike Huckabee for President 2008 Campaign. We wanted to take this opportunity to express our gratitude for your $2,300 contribution to Mr. Huckabee's campaign fund. In light of recent political events in Cleveland, OH (your home city) we need your continued support." The e-mail carries enough accurate personal detail to gain the reader's trust. Such an e-mail could include malware-laden attachments disguised as legitimate campaign material, links to phishing sites designed to harvest personal information, or links to bogus contribution sites where victims unwittingly donate to the attacker rather than to the intended candidate or party.

The FEC website also offers all of this data as downloadable comma-delimited text files. These can easily be imported into a database for quick indexing, cross-referencing and searching. Recipients appear in the data as committee identifiers that must be resolved through a separate committee definition file, but the donor names, employer names and occupations are in plain text and immediately legible.

Because this data includes city, state and zip code of residence, employer and occupation, along with full name, it is easy to cross-reference records and make interesting comparisons. It may be possible to locate trust relationships geographically, such as finding a target's neighbor by matching zip codes. Similarly, it is possible to locate professionals in a peer group, say, lawyers who practice in a particular city, in order to enhance a social engineering attack.
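The import-and-cross-reference workflow described in the two paragraphs above, as an added example that is not part of the original article: it loads a contribution file and a committee definition file into SQLite, indexes the columns an attacker would search, resolves committee IDs to names, and runs the three queries the text describes (everyone at a given employer, a target's zip-code neighbors, and an occupation peer group in a city). The records, committee names and the nine-column layout are constructed for illustration and are a simplified stand-in for the real FEC file formats; the delimiter is a parameter, and the sample uses pipes only so that the "LAST, FIRST" names need no quoting.

```python
"""Load FEC-style itemized contribution records into SQLite and cross-reference them.

Added example; constructed data, not real FEC records. The column layout is a
simplified assumption modelled on the FEC individual-contribution file: the
recipient appears only as a committee ID, resolved through a separate
committee definition file.
"""
import csv
import io
import sqlite3

# Constructed sample contribution records (fictional people and committees).
CONTRIBUTIONS = """\
cmte_id|name|city|state|zip|employer|occupation|date|amount
C00000001|DOE, JOHN|CLEVELAND|OH|44114|EXAMPLE CORP|CHIEF EXECUTIVE|20080115|2300
C00000002|ROE, JANE|CLEVELAND|OH|44114|EXAMPLE CORP|GENERAL COUNSEL|20080201|1000
C00000001|SMITH, ALAN|CLEVELAND|OH|44115|SMITH & PARTNERS LLP|ATTORNEY|20080301|500
C00000002|LEE, MARY|AKRON|OH|44301|EXAMPLE CORP|ENGINEER|20080310|250
C00000001|POE, EDGAR|CLEVELAND|OH|44114|RETIRED|RETIRED|20080401|300
C00000002|KIM, SUSAN|CLEVELAND|OH|44113|KIM LAW OFFICE|ATTORNEY|20080415|750
"""

# Constructed committee definition file: maps the encoded recipient ID to a name.
COMMITTEES = """\
cmte_id|cmte_name
C00000001|CANDIDATE A FOR PRESIDENT
C00000002|CANDIDATE B FOR SENATE
"""


def load(conn, contributions=CONTRIBUTIONS, committees=COMMITTEES, delimiter="|"):
    """Create the schema, the search indexes, and import both files."""
    conn.executescript("""
        CREATE TABLE committee (cmte_id TEXT PRIMARY KEY, cmte_name TEXT);
        CREATE TABLE contrib (cmte_id TEXT, name TEXT, city TEXT, state TEXT,
            zip TEXT, employer TEXT, occupation TEXT, date TEXT, amount INTEGER);
        CREATE INDEX contrib_employer ON contrib(employer);
        CREATE INDEX contrib_zip ON contrib(zip);
        CREATE INDEX contrib_occ_city ON contrib(occupation, city, state);
    """)
    rows = csv.DictReader(io.StringIO(committees), delimiter=delimiter)
    conn.executemany("INSERT INTO committee VALUES (?, ?)",
                     [(r["cmte_id"], r["cmte_name"]) for r in rows])
    rows = csv.DictReader(io.StringIO(contributions), delimiter=delimiter)
    conn.executemany(
        "INSERT INTO contrib VALUES (?,?,?,?,?,?,?,?,?)",
        [(r["cmte_id"], r["name"], r["city"], r["state"], r["zip"], r["employer"],
          r["occupation"], r["date"], int(r["amount"])) for r in rows])
    conn.commit()


def by_employer(conn, employer):
    """Reconnaissance: every contributor listing the employer, recipient resolved to a name."""
    return conn.execute("""
        SELECT c.name, c.city, c.state, c.occupation, k.cmte_name, c.amount
        FROM contrib c JOIN committee k USING (cmte_id)
        WHERE c.employer = ? ORDER BY c.amount DESC""", (employer.upper(),)).fetchall()


def neighbors(conn, name):
    """Geographic cross-reference: other contributors sharing the target's zip code."""
    return conn.execute("""
        SELECT DISTINCT o.name, o.employer
        FROM contrib t JOIN contrib o ON o.zip = t.zip
        WHERE t.name = ? AND o.name != t.name ORDER BY o.name""", (name.upper(),)).fetchall()


def peer_group(conn, occupation, city, state):
    """Professional peer group: same occupation in the same city."""
    return conn.execute("""
        SELECT DISTINCT name, employer FROM contrib
        WHERE occupation = ? AND city = ? AND state = ? ORDER BY name""",
        (occupation.upper(), city.upper(), state.upper())).fetchall()


def build():
    """Return an in-memory database loaded with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    load(conn)
    return conn


if __name__ == "__main__":
    db = build()
    print("Employees of Example Corp:", by_employer(db, "Example Corp"))
    print("Neighbors of John Doe:", neighbors(db, "Doe, John"))
    print("Attorneys in Cleveland:", peer_group(db, "Attorney", "Cleveland", "OH"))
```

Against a real bulk file the only changes are reading from disk instead of the embedded strings and matching the column names to the FEC header; the indexes are what make employer, zip and occupation lookups fast once the table holds millions of rows.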

Although much of what the FEC publishes can be found elsewhere, its format makes it particularly ripe for relationship mining. While contributors are supposed to be made aware of data collection practices before giving, it is plausible that most remain unaware that the data will end up on the internet. Even people who have taken careful precautions to protect their identity on social networking sites and other online outlets may be overlooking their campaign contributions. Given how effective online fundraising was in the last election, and the relatively low threshold for itemization, it is reasonable to expect that the data set offered by the FEC will only grow in the future.