On March 29, the FBI warned of an ongoing and widespread phishing campaign targeting U.S. election officials. Using false invoice inquiries and breached email accounts, attackers have attempted to steal officials’ login credentials in at least nine states since October 2021.

“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,” the FBI said in a Private Industry Notification.

Invoice-Themed Phishing Scam

On October 5, 2021, unidentified threat actors sent phishing emails targeting U.S. election officials and representatives of the National Association of Secretaries of State (NASS). These emails came from at least two separate email addresses. Attached to the emails was a file titled INVOICE INQUIRY.PDF. The malicious files sent the email recipients to a credential-harvesting website. One of the phishing email addresses was found to be a compromised U.S. government official’s email account.

Similar incidents occurred on October 18 and 19 using email addresses supposedly from private U.S. businesses. These attacks targeted county election employees and election officials. The malicious emails contained Microsoft Word documents fashioned to look like invoices. These attacks also directed targeted users to visit credential-harvesting sites.

The incidents occurred all within a short time span with the same phishing tactic. So, it’s likely the attacks came from the same source.

Attack Damage Unclear

The FBI’s alert did not state if any systems or data were compromised due to these incidents. However, the FBI does predict these types of attacks may continue or increase in the lead-up to the 2022 midterm elections.

The NASS is the oldest non-partisan professional organization of public officials in the United States, composed of the secretaries of state of U.S. states and territories. The NASS addresses issues of interest to secretaries of state, such as voter turnout, voting procedures, business services, securities and government archives.

In an email, Maria Benson, director of communication for NASS, stated, “NASS staff did not click on the email attachment in question and therefore did not experience an incident.”

Meanwhile, there has been no report whether other election official offices had credentials stolen or faced breaches.

FBI Anti-Phishing Recommendations

In the alert, the FBI addressed how to reduce the risk of compromise. Some ways to prevent phishing attacks include:

  • Train employees how to spot phishing, social engineering and spoofing attempts
  • Advise employees to be cautious when providing sensitive information such as login credentials electronically or over the phone, particularly if unsolicited or odd
  • Create protocols to alert IT departments about suspicious emails
  • Mark external emails with a banner denoting the email is from an external source
  • Add spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Advise training personnel not to open email attachments from unknown senders
  • Require all accounts to have strong, unique passwords. Do not reuse passwords or store password information on systems an adversary can access.
  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks and accounts that access critical systems
  • In the event of system or network compromise, implement mandatory passphrase changes for all affected accounts
  • Keep all operating systems and software up to date with timely patching.

Currently, there have been no reports of U.S. election officials facing a breach because of this emerging attack strategy. As we near the midterm elections, security officers will certainly be on high alert.

More from News

The White House on Quantum Encryption and IoT Labels

A recent White House Fact Sheet outlined the current and future U.S. cybersecurity priorities. While most of the topics covered were in line with expectations, others drew more attention. The emphasis on critical infrastructure protection is clearly a top national priority. However, the plan is to create a labeling system for IoT devices, identifying the ones with the highest cybersecurity standards. Few expected that news. The topic of quantum-resistant encryption reveals that such concerns may become a reality sooner than…

Malware-as-a-Service Flaunts Its Tally of Users and Victims

As time passes, the security landscape keeps getting stranger and scarier. How long did the “not if, but when” mentality towards cyberattacks last — a few years, maybe? Now, security pros think in terms of how often will their organization be attacked and at what cost. Or they consider how the difference between legitimate Software-as-a-Service (SaaS) brands and Malware-as-a-Service (MaaS) gangs keeps getting blurrier. MaaS operators provide web-based services, slick UX, tiered subscriptions, newsletters and Telegram channels that keep users…

New Survey Shows Burnout May Lead to Attrition

For many organizations and the cybersecurity industry as a whole, improving retention and reducing the skills gap is a top priority. Mimecast’s The State of Ransomware Readiness 2022: Reducing the Personal and Business Cost points to another growing concern — burnout that leads to attrition. Without skilled employees, organizations cannot protect their data and infrastructure from increasing cybersecurity attacks. According to Mimecast’s report, 77% of cybersecurity leaders say the number of cyberattacks against their company has increased or stayed the…

Alleged FBI Database Breach Exposes Agents and InfraGard

Recently the feds suffered a big hack, not once, but twice. First, the FBI-run InfraGard program suffered a breach. InfraGard aims to strengthen partnerships with the private sector to share information about cyber and physical threats. That organization experienced a major breach in early December, according to a KrebsOnSecurity report. Allegedly, the InfraGard database — containing contact information of over 80,000 members — appeared up for sale on a cyber crime forum. Also, the hackers have reportedly been communicating with…