When election campaigns look like phishing – Krebs on Security

Several media reports this week warned the American public about a new phishing scam that sends text messages telling recipients that they are not yet registered to vote. Upon closer inspection, it turns out that the messages were sent by a California-based political consulting firm as part of a well-intentioned but potentially counterproductive voter mobilization campaign that bore all the hallmarks of a phishing campaign.

On 27 August, Channel 4’s local partner station WDIV in Detroit warned of a new wave of text messages that allegedly could prevent registered voters from casting their ballots. The article did not explain how or why the scam might prevent eligible voters from casting their ballots, but it showed one of the related text messages that linked to the website www.all-vote.com.

“We have registered you as ineligible to vote in our records,” the unsolicited text message said. “Check your registration status and register in 2 minutes.”

Similar warnings came from an ABC station in Arizona and from an NBC affiliate in Pennsylvania, where election officials just issued a warning to look out for fraudulent messages from all-vote.com. Some of those interviewed who received the messages said they thought it was a scam because they knew full well that they was registered to vote in their state. WDIV even interviewed a seventh-grader from Canada who said he also received the text message saying he was not registered to vote.

Someone trying to find out if all-vote.com is legitimate might first visit the main URL (instead of simply clicking on the link in the SMS) to learn more about the organization. But visiting all-vote.com takes you directly to a sign-up page for an online service called bl.ink. DomainTools.com finds that all-vote.com was registered on July 10, 2024. Red flag #1.

The information requested comes from people who visited votewin.org through the SMS campaign.

In another version of this SMS campaign, recipients were asked to verify their voter status on a website called www.votewin.orgwhich, according to DomainTools, was registered on July 9, 2024. The votewin.org website provides little information about who runs this site, and the contact page leads to a generic contact form. Red flag #2.

Additionally, Votewin.org asks its visitors to provide their name, address, email address, date of birth and mobile phone number, while also pre-enabling options to opt the visitor in for further notifications. Major red flag #3.

Votewin.org’s terms of service referred to a California-based voter participation platform called VoteAmerica LLC. The same voter registration query form promoted in the text messages is available by clicking the “Check Your Registration Status” link on voteamerica.org.

VoteAmerica Founder Debra Cleaver KrebsOnSecurity, the agency responsible for the SMS campaigns telling people they were not registered, said Movement laboratoriesa political consulting firm in San Francisco.

Cleaver said her office has received several inquiries about the messages, which violate a central tenet of election advertising: one should never tell the recipient their voter status.

“This is one of the worst practices,” Cleaver said. “You never tell anyone what's in your voter record, because voter records are unreliable and often out of date.”

Reachable by email, Founder of Movement Labs Yoni Landau said the SMS campaigns targeted “underrepresented groups in the constituency, young people, people moving, low-income households and the like who are not registered in our databases, with the intention of helping them register to vote.”

Landau said that filling out the form on Votewin.org simply verifies that the visitor is registered to vote in their state and then attempts to help them register if they are not.

“We understand that many people are confused by the messages – we tested hundreds of message variants and found that these had the greatest impact on the likelihood of someone registering,” he said. “I am deeply sorry to anyone who received the message in error and is registered to vote, and we are now reviewing our content to see if there are variants that are less safe but still just as effective at generating new legal registrations.”

Cleaver said Movement Labs' SMS campaign may have been incompetent but not malicious.

“When you're mobilizing voters, it's not enough to want to do good, you have to be good,” she said. “Ultimately, the end result of incompetence and malice is the same: more chaos, lower voter turnout and long-term damage to our democracy.”

To register to vote or update your voter registration, visit vote.gov and select your state or region.