On March 29, the FBI warned of an ongoing and widespread phishing campaign targeting U.S. election officials. Using false invoice inquiries and breached email accounts, attackers have attempted to steal officials’ login credentials in at least nine states since October 2021.

“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,” the FBI said in a Private Industry Notification.

Invoice-themed phishing scam

On October 5, 2021, unidentified threat actors sent phishing emails targeting U.S. election officials and representatives of the National Association of Secretaries of State (NASS). These emails came from at least two separate email addresses. Attached to the emails was a file titled INVOICE INQUIRY.PDF. The malicious files sent the email recipients to a credential-harvesting website. One of the phishing email addresses was found to be a compromised U.S. government official’s email account.

Similar incidents occurred on October 18 and 19 using email addresses supposedly from private U.S. businesses. These attacks targeted county election employees and election officials. The malicious emails contained Microsoft Word documents fashioned to look like invoices. These attacks also directed targeted users to visit credential-harvesting sites.

The incidents occurred all within a short time span with the same phishing tactic. So, it’s likely the attacks came from the same source.

Attack damage unclear

The FBI’s alert did not state if any systems or data were compromised due to these incidents. However, the FBI does predict these types of attacks may continue or increase in the lead-up to the 2022 midterm elections.

The NASS is the oldest non-partisan professional organization of public officials in the United States, composed of the secretaries of state of U.S. states and territories. The NASS addresses issues of interest to secretaries of state, such as voter turnout, voting procedures, business services, securities and government archives.

In an email, Maria Benson, director of communication for NASS, stated, “NASS staff did not click on the email attachment in question and therefore did not experience an incident.”

Meanwhile, there has been no report whether other election official offices had credentials stolen or faced breaches.

FBI anti-phishing recommendations

In the alert, the FBI addressed how to reduce the risk of compromise. Some ways to prevent phishing attacks include:

• Train employees how to spot phishing, social engineering and spoofing attempts
• Advise employees to be cautious when providing sensitive information such as login credentials electronically or over the phone, particularly if unsolicited or odd
• Create protocols to alert IT departments about suspicious emails
• Mark external emails with a banner denoting the email is from an external source
• Add spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
• Advise training personnel not to open email attachments from unknown senders
• Require all accounts to have strong, unique passwords. Do not reuse passwords or store password information on systems an adversary can access.
• Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks and accounts that access critical systems
• In the event of system or network compromise, implement mandatory passphrase changes for all affected accounts
• Keep all operating systems and software up to date with timely patching.

Currently, there have been no reports of U.S. election officials facing a breach because of this emerging attack strategy. As we near the midterm elections, security officers will certainly be on high alert.