June 15, 2022 By Jonathan Reed 2 min read

On March 29, the FBI warned of an ongoing and widespread phishing campaign targeting U.S. election officials. Using false invoice inquiries and breached email accounts, attackers have attempted to steal officials’ login credentials in at least nine states since October 2021.

“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,” the FBI said in a Private Industry Notification.

Invoice-themed phishing scam

On October 5, 2021, unidentified threat actors sent phishing emails targeting U.S. election officials and representatives of the National Association of Secretaries of State (NASS). These emails came from at least two separate email addresses. Attached to the emails was a file titled INVOICE INQUIRY.PDF. The malicious files sent the email recipients to a credential-harvesting website. One of the phishing email addresses was found to be a compromised U.S. government official’s email account.

Similar incidents occurred on October 18 and 19 using email addresses supposedly from private U.S. businesses. These attacks targeted county election employees and election officials. The malicious emails contained Microsoft Word documents fashioned to look like invoices. These attacks also directed targeted users to visit credential-harvesting sites.

The incidents occurred all within a short time span with the same phishing tactic. So, it’s likely the attacks came from the same source.

Attack damage unclear

The FBI’s alert did not state if any systems or data were compromised due to these incidents. However, the FBI does predict these types of attacks may continue or increase in the lead-up to the 2022 midterm elections.

The NASS is the oldest non-partisan professional organization of public officials in the United States, composed of the secretaries of state of U.S. states and territories. The NASS addresses issues of interest to secretaries of state, such as voter turnout, voting procedures, business services, securities and government archives.

In an email, Maria Benson, director of communication for NASS, stated, “NASS staff did not click on the email attachment in question and therefore did not experience an incident.”

Meanwhile, there has been no report whether other election official offices had credentials stolen or faced breaches.

FBI anti-phishing recommendations

In the alert, the FBI addressed how to reduce the risk of compromise. Some ways to prevent phishing attacks include:

  • Train employees how to spot phishing, social engineering and spoofing attempts
  • Advise employees to be cautious when providing sensitive information such as login credentials electronically or over the phone, particularly if unsolicited or odd
  • Create protocols to alert IT departments about suspicious emails
  • Mark external emails with a banner denoting the email is from an external source
  • Add spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Advise training personnel not to open email attachments from unknown senders
  • Require all accounts to have strong, unique passwords. Do not reuse passwords or store password information on systems an adversary can access.
  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks and accounts that access critical systems
  • In the event of system or network compromise, implement mandatory passphrase changes for all affected accounts
  • Keep all operating systems and software up to date with timely patching.

Currently, there have been no reports of U.S. election officials facing a breach because of this emerging attack strategy. As we near the midterm elections, security officers will certainly be on high alert.

More from News

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Ransomware attack on Rhode Island health system exposes data of hundreds of thousands

3 min read - Rhode Island is grappling with the fallout of a significant ransomware attack that has compromised the personal information of hundreds of thousands of residents enrolled in the state’s health and social services programs. Officials confirmed the attack on the RIBridges system—the state’s central platform for benefits like Medicaid and SNAP—after hackers infiltrated the system on December 5, planting malicious software and threatening to release sensitive data unless a ransom is paid. Governor Dan McKee, addressing the media, called the attack…

FBI, CISA issue warning for cross Apple-Android texting

3 min read - CISA and the FBI recently released a joint statement that the People's Republic of China (PRC) is targeting commercial telecommunications infrastructure as part of a significant cyber espionage campaign. As a result, the agencies released a joint guide, Enhanced Visibility and Hardening Guidance for Communications Infrastructure, with best practices organizations and agencies should adopt to protect against this espionage threat. According to the statement, PRC-affiliated actors compromised networks at multiple telecommunication companies. They stole customer call records data as well…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today