‘Compromised credentials’ most likely vector in Trump re-election site defacement

John Leyden

28 October 2020 at 14:50 UTC

Updated: 28 October 2020 at 15:07 UTC

Make Websites Safe Again

Donald Trump’s official re-election campaign website was briefly defaced on Tuesday (October 27) in an embarrassing rather than serious lapse of security.

As-yet-unknown attackers left a message on donaldjtrump.com claiming they had compromising information on the US president, suggesting a conspiracy theory that “trump-gov is involved in the origin of the coronavirus” as well as supposedly being in cahoots with “foreign actors manipulating the 2020 elections”.

Visitors to the site were encouraged to vote on whether or not this supposed compromising material would be released by sending funds to one of two Monero cryptocurrency wallet IDs, each publicised through the defacement.

Whichever wallet received the most money would ostensibly determine the outcome of the vote.

Of course, the highly visible defacement on such a high-profile website didn’t stay up for long, so the exercise failed to rake in significant funds.

Gone in a flash

The defacement message – which parodied notices typically posted when the FBI seizes control of web services operated by cybercriminals – was pulled within minutes, and the site was quickly restored with approved content, including encouragements to make campaign donations or buy Republican Party merchandise.

A post on Twitter by the Trump re-election campaign’s director of communications, Tim Murtaugh, stated that “there was no exposure of sensitive data” because none is stored on the site.

The Trump campaign was “working with law enforcement authorities to investigate the source of the attack”, he added.

Donald Trump’s campaign website is hosted using ExpressionEngine, a content management system, and served through Cloudflare’s content delivery network.

Donald Trump’s re-election campaign website was briefly defaced on October 27

Wordfence analysis

In the wake of the short-lived attack, researchers from web security firm Wordfence offered some analysis of how the hack might have been carried out.

Since the…