June 15, 2022 By Jonathan Reed 2 min read

On March 29, the FBI warned of an ongoing and widespread phishing campaign targeting U.S. election officials. Using false invoice inquiries and breached email accounts, attackers have attempted to steal officials’ login credentials in at least nine states since October 2021.

“If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems,” the FBI said in a Private Industry Notification.

Invoice-themed phishing scam

On October 5, 2021, unidentified threat actors sent phishing emails targeting U.S. election officials and representatives of the National Association of Secretaries of State (NASS). These emails came from at least two separate email addresses. Attached to the emails was a file titled INVOICE INQUIRY.PDF. The malicious files sent the email recipients to a credential-harvesting website. One of the phishing email addresses was found to be a compromised U.S. government official’s email account.

Similar incidents occurred on October 18 and 19 using email addresses supposedly from private U.S. businesses. These attacks targeted county election employees and election officials. The malicious emails contained Microsoft Word documents fashioned to look like invoices. These attacks also directed targeted users to visit credential-harvesting sites.

The incidents occurred all within a short time span with the same phishing tactic. So, it’s likely the attacks came from the same source.

Attack damage unclear

The FBI’s alert did not state if any systems or data were compromised due to these incidents. However, the FBI does predict these types of attacks may continue or increase in the lead-up to the 2022 midterm elections.

The NASS is the oldest non-partisan professional organization of public officials in the United States, composed of the secretaries of state of U.S. states and territories. The NASS addresses issues of interest to secretaries of state, such as voter turnout, voting procedures, business services, securities and government archives.

In an email, Maria Benson, director of communication for NASS, stated, “NASS staff did not click on the email attachment in question and therefore did not experience an incident.”

Meanwhile, there has been no report whether other election official offices had credentials stolen or faced breaches.

FBI anti-phishing recommendations

In the alert, the FBI addressed how to reduce the risk of compromise. Some ways to prevent phishing attacks include:

  • Train employees how to spot phishing, social engineering and spoofing attempts
  • Advise employees to be cautious when providing sensitive information such as login credentials electronically or over the phone, particularly if unsolicited or odd
  • Create protocols to alert IT departments about suspicious emails
  • Mark external emails with a banner denoting the email is from an external source
  • Add spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
  • Advise training personnel not to open email attachments from unknown senders
  • Require all accounts to have strong, unique passwords. Do not reuse passwords or store password information on systems an adversary can access.
  • Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks and accounts that access critical systems
  • In the event of system or network compromise, implement mandatory passphrase changes for all affected accounts
  • Keep all operating systems and software up to date with timely patching.

Currently, there have been no reports of U.S. election officials facing a breach because of this emerging attack strategy. As we near the midterm elections, security officers will certainly be on high alert.

More from News

Poland spending $760 million on cybersecurity after attack

3 min read - Visitors to the Polish Press Agency (PAP) website on May 31 at 2 p.m. Polish time were met with an unusual message. Instead of the typical daily news, the state-run newspaper had supposedly published a story announcing that a partial mobilization, which means calling up specific people to serve in the armed forces, was ordered by Polish Prime Minister Donald Tusk beginning on July 1, 2024. Deputy Prime Minister Krzysztof Gawkowski refuted the claim on X (formerly Twitter). His post…

New ransomware over browser threat targets uploaded files

3 min read - We all have a mental checklist of things not to do while online: click on unknown links, use public networks and randomly download files sent over email. In the past, most ransomware was deployed on your network or computer when you downloaded a file that contained malware. But now it’s time to add a new item to our high-risk activity checklist: use caution when uploading files. What is ransomware over browsers? Researchers at Florida International University worked with Google to…

Exploring the 2024 Worldwide Managed Detection and Response Vendor Assessment

3 min read - Research firm IDC recently released its 2024 Worldwide Managed Detection and Response Vendor Assessment, which both highlights leaders in the market and examines the evolution of MDR as a critical component of IT security infrastructure. Here are the key takeaways. The current state of MDR According to the assessment, “the MDR market has evolved extensively over the past couple of years. This should be seen as a positive movement as MDR providers have had to evolve to meet the growing…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today