FBI investigating threatening emails sent to Democratic voters in apparent bid to stoke election fears

The messages appeared to target Democrats using data from digital databases known as “voter files,” some of which are commercially available. They told recipients the Proud Boys were “in possession of all your information” and instructed voters to change their party registration and cast their ballots for Trump.

By suggesting the group had gained access to privileged data, and also possibly penetrated electronic systems to detect how people were voting, the emails seemed designed to create the appearance of an election breach, said cybersecurity researchers. Such a move may serve to undermine confidence in the integrity of the democratic process without posing a genuine risk to the election, these researchers said.

“You will vote for Trump on Election Day or we will come after you,” warned the emails, which by Tuesday night were said to have reached voters in as many as four states, three of them hotly contested swing states in the coming presidential election.

The domain enlisted for the misleading operation, officialproudboys.com, was recently dropped by a hosting company that uses Google Cloud services, according to Google Cloud spokesman Ted Ladd. Without a secure host, the domain stood vulnerable to exploitation, cybersecurity experts said. Voters using Comcast, Yahoo and Gmail accounts were affected.

In addition to Florida and Alaska, a voter in Pennsylvania told The Washington Post she had received one such email, though she suspected it may have been linked to her previous registration in Alaska. The Pennsylvania attorney general’s office had not received reports about the messages, a spokesman, Mark Shade, said Wednesday.

Kristen Clarke, president and executive director of the national Lawyers’ Committee for Civil Rights Under Law, said her organization had received at least one report that a similar email had reached a voter in Arizona. The Arizona secretary of state’s office was looking into the matter, said a spokeswoman, Sophia Solis.

Enrique Tarrio, the chairman of the Proud Boys and the Florida state director of Latinos for Trump, denied involvement, saying the group operates two sites, and was increasingly migrating away from the domain used in the email campaign.

“Two weeks ago I believe we had Google Cloud services drop us from their platform, so then we initiated a url transfer, which is still in process,” he said in an interview. “We kind of just never used it.”

The technical data embedded in the emails do not make clear who was behind the messages. But metadata gathered from dozens of the emails pointed to the use of servers in Saudi Arabia, Estonia, Singapore and the United Arab Emirates, according to numerous analysts.

“It’s clearly organized and very much planned,” said Rita Katz, executive director of SITE Intelligence Group. “What they did was totally covering their steps. It’s going to be very difficult to find out who’s doing this.”

Democrats in Alachua County, in north-central Florida, began receiving the messages on Tuesday morning, according to interviews with several recipients. So, too, did voters in Alaska, said Casey Steinau, chair of the Alaska Democratic Party. Her communications director, Jeanne Devon, said Tuesday night the FBI “is now involved in the investigation.” A spokeswoman for the bureau’s Anchorage field office did not respond to a request for comment.

“This is absolutely something to be concerned about,” said John Scott-Railton, a senior researcher at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs and Public Policy. “This is what election interference looks like.” He said he knew of a threatening email reaching a voter in Pennsylvania.

Federal authorities, elections officials and experts in disinformation have issued dire warnings not just about voter intimidation but also about deceptive online campaigns playing up fears of intimidation tactics.

Christopher C. Krebs, director of Homeland Security’s Cybersecurity and Infrastructure Security Agency, wrote in a tweet that his office was aware of the emails, noting, “Ballot secrecy is guaranteed by law in all states.”

“These emails are meant to intimidate and undermine American voters’ confidence in our elections,” he added.

Some cybersecurity experts were already pointing to the possibility of foreign involvement.

“We’re still reviewing it, but it wouldn’t be unheard of for a foreign actor to impersonate political figures or organizations,” said John Hultquist, senior director of analysis for Mandiant Threat Intelligence. “It could be a form of voter intimidation or it could be meant to inject discord into an already fragile process.”

Tarrio, determined to beat back the perception of involvement by the Proud Boys, said he had spoken to an FBI agent about the episode. Amanda Videll, a spokeswoman for the bureau in Jacksonville, Fla., declined to comment.

A spokesman for the Alachua County Sheriff’s Office said Wednesday that local authorities had turned the investigation over to the FBI.

“We believe them to be fraudulent,” the spokesman, Art Forgey, said of the emails.

Bennett Ragan, campaign manager for a Democratic State House candidate in Gainesville, Fla., said he received two of the threatening messages to his Gmail account and knows of at least 10 other similar emails that had reached friends or associates. He said the home address cited in the emails he received could have come only from a Florida voters’ roll from 2018 because he has moved several times in recent years.

Ragan said he believed the purpose was to intimidate Democratic voters in a swing state with hotly contested races up and down the ballot on Nov. 3.

“When you have people who have a voter roll and then send off emails, they will make a big splash. They will scare people. That is without a doubt the intent,” he said.

The hosting service previously carrying the Proud Boys domain cancelled the registration after Google Cloud notified the customer that a non-profit group had raised concerns about the controversial organization, said Ladd, the Google Cloud spokesman.

Following the action from the hosting service, the domain appears to have been left unsecured, allowing anyone on the Internet to take control of it and use it to send out the menacing messages, said Trevor Davis, CEO of Counteraction, a Washington-based digital intelligence firm.

The lapse, which began on Oct. 8, “likely made them vulnerable to this kind of hijacking,” Davis said. “Bad actors are constantly scanning the Internet for opportunities. Given the public profile of the Proud Boys and the likelihood that whoever’s sending these emails has access to a voter file, this appears to be opportunism.”

The Proud Boys rose to national prominence last month during the first presidential debate between Trump and his Democratic rival, Joe Biden, when the president passed up an invitation by moderator Chris Wallace, of Fox News, to denounce white supremacists. When Biden suggested that Trump denounce the Proud Boys, the president said, “stand back and stand by,” a comment that was widely celebrated on social media by the group as a call to action.

Memes circulated online with the words integrated into the Proud Boys logo. One doctored image showed Trump wearing one of the Proud Boys’ signature polo shirts. Another online poster used the moment to advertise t-shirts and hoodies bearing the group’s logo and the words, “PROUD BOYS STANDING BY.”

The group’s leaders say they do not support white supremacy, but they had a contingent at 2017’s notorious Unite the Right rally in Charlottesville, Va. The Proud Boys also have been frequent participants in the reopen protests demonstrating against coronavirus lockdowns and, more recently, the protests in Portland, Ore. Facebook has banned the group as a hate group, and the Southern Poverty Law Center classifies them as a hate group and says its leaders “regularly spout white nationalist memes and maintain affiliations with known extremists.”

Online analysts traced the pathway of at least one of the emails through a server in Saudi Arabia. The Internet Protocol address associated with metadata in the email had previously been reported, pointing to its likely use in scam or phishing operations, said Cindy Otis, a former CIA analyst and vice president of analysis for Alethea Group, an organization combating online threats and misinformation. Vice, citing a similar email purportedly from the Proud Boys and threatening Florida voters, found another possible path through a server in Estonia.
