June 15, 2022 By Jonathan Reed 2 min read

On March 29, the FBI warned of an ongoing and widespread phishing campaign targeting U.S. election officials. Using false invoice inquiries and breached email accounts, attackers have attempted to steal officials’ login credentials in at least nine states since October 2021.

“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,” the FBI said in a Private Industry Notification.

Invoice-themed phishing scam

On October 5, 2021, unidentified threat actors sent phishing emails targeting U.S. election officials and representatives of the National Association of Secretaries of State (NASS). These emails came from at least two separate email addresses. Attached to the emails was a file titled INVOICE INQUIRY.PDF. The malicious files sent the email recipients to a credential-harvesting website. One of the phishing email addresses was found to be a compromised U.S. government official’s email account.

Similar incidents occurred on October 18 and 19 using email addresses supposedly from private U.S. businesses. These attacks targeted county election employees and election officials. The malicious emails contained Microsoft Word documents fashioned to look like invoices. These attacks also directed targeted users to visit credential-harvesting sites.

The incidents occurred all within a short time span with the same phishing tactic. So, it’s likely the attacks came from the same source.

Attack damage unclear

The FBI’s alert did not state if any systems or data were compromised due to these incidents. However, the FBI does predict these types of attacks may continue or increase in the lead-up to the 2022 midterm elections.

The NASS is the oldest non-partisan professional organization of public officials in the United States, composed of the secretaries of state of U.S. states and territories. The NASS addresses issues of interest to secretaries of state, such as voter turnout, voting procedures, business services, securities and government archives.

In an email, Maria Benson, director of communication for NASS, stated, “NASS staff did not click on the email attachment in question and therefore did not experience an incident.”

Meanwhile, there has been no report whether other election official offices had credentials stolen or faced breaches.

FBI anti-phishing recommendations

In the alert, the FBI addressed how to reduce the risk of compromise. Some ways to prevent phishing attacks include:

  • Train employees how to spot phishing, social engineering and spoofing attempts
  • Advise employees to be cautious when providing sensitive information such as login credentials electronically or over the phone, particularly if unsolicited or odd
  • Create protocols to alert IT departments about suspicious emails
  • Mark external emails with a banner denoting the email is from an external source
  • Add spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Advise training personnel not to open email attachments from unknown senders
  • Require all accounts to have strong, unique passwords. Do not reuse passwords or store password information on systems an adversary can access.
  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks and accounts that access critical systems
  • In the event of system or network compromise, implement mandatory passphrase changes for all affected accounts
  • Keep all operating systems and software up to date with timely patching.

Currently, there have been no reports of U.S. election officials facing a breach because of this emerging attack strategy. As we near the midterm elections, security officers will certainly be on high alert.

More from News

CISA warns about credential access in FY23 risk & vulnerability assessment

3 min read - CISA released its Fiscal Year 2023 (FY23) Risk and Vulnerability Assessments (RVA) Analysis, providing a crucial look into the tactics and techniques threat actors employed to compromise critical infrastructure. The report is part of the agency’s ongoing effort to improve national cybersecurity through assessments of vulnerabilities in key sectors. Meanwhile, IBM’s X-Force Threat Intelligence Index 2024 has identified credential access as one of the most significant risks to organizations.Both reports shed light on the persistent and growing threat of credential…

CISA launches portal to simplify cyber incident reporting

2 min read - Information sharing just got more efficient. In August, the Cybersecurity and Infrastructure Security Agency (CISA) launched the CISA Services Portal. “The new CISA Services Portal improves the reporting process and offers more features for our voluntary reporters. We ask organizations reporting an incident to provide information on the impacted entity, contact information, description of the incident, technical indications and steps taken,” a CISA spokesperson said in an email statement. “Reported incidents enable CISA and our partners to help victims mitigate…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today