Election Officials Warned by the FBI of Credential Phishing Campaigns
Mitigations to Reduce the Risk of Compromise.
On Tuesday, the Federal Bureau of Investigation (FBI) issued a warning to US election officials and other state and local government officials about a widespread phishing operation that has been attempting to steal their credentials since at least October 2021.
If successful, this activity may provide cyber actors with sustained, undetected access to a victim’s systems. As of October 2021, US election officials in at least nine states received invoice-themed phishing emails containing links to websites intended to steal login credentials.
Considering that the phishing emails have similar attachment files, use compromised email addresses, and were sent at the same time, this is most probably a coordinated, ongoing attempt to attack US election officials.
According to the FBI, the threat actors employed a variety of techniques to lead their victims to phishing landing pages that were intended to fool them into entering their logins.
On October 18, 2021, cybercriminals sent phishing emails to county election employees using two email addresses that appeared to be from US enterprises.
The FBI identified three waves of phishing emails aimed at election officials, each of which used different methods to hoodwink them into revealing their credentials:
- On 5 October 2021, unidentified cyber actors targeted US election officials in at least nine states, and representatives of the National Association of Secretaries of State, with phishing emails. These emails originated from at least two email addresses with the same attachment titled, “INVOICE INQUIRY.PDF,” which redirected users to a credential-harvesting website. One of the email addresses sending the phishing emails was a compromised US government official’s email account.
- On 18 October 2021, cyber actors used two email addresses, purportedly from US businesses, to send phishing emails to county election employees. Both emails contained Microsoft Word document attachments regarding invoices, which redirected users to unidentified online credential harvesting websites.
- On 19 October 2021, cyber actors used an email address, purportedly from a US business, to send a phishing email containing fake invoices to an election official. The emails contained an attached Microsoft Word document titled, “Current Invoice and Payments for report.”
The FBI believes that cybercriminals will continue or increase their phishing attempts targeting US election officials in the run-up to the 2022 US midterm elections.
Proactive monitoring of election infrastructure (including official email accounts), as well as communication about this sort of activity between the FBI and its state, local, territorial, and tribal partners, will:
- provide opportunities to mitigate instances of credential harvesting and compromise;
- identify potential targets and information sought by threat actors;
- identify attackers.
To lower the risk of compromise, the US federal law enforcement agency advises network defenders to implement the following mitigations.
- Train employees on how to recognize phishing, spear-phishing, social engineering, and spoofing attempts. Advise staff to be wary when providing confidential material – such as login credentials – digitally or over the phone, especially if it is unsolicited or unusual. Employees should, if possible, verify requests for sensitive data through secondary channels.
- Create official procedures for employees to send dubious emails to IT departments for verification.
- Mark external emails with a banner indicating that they are from an external source to help users identify spoofed emails.
- Enable strong spam filters to prevent phishing emails from reaching end users.
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- Advise training personnel not to open e-mail attachments from senders they do not recognize.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passphrases.
- If there is proof of system or network compromise, implement mandatory passphrase changes for all impacted accounts.
- Keep all operating systems and software up to date. Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
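The external-banner and attachment mitigations above can be sketched as a mail-triage check. This is an added example, not code from the FBI notice or from Heimdal; the domain county.example.gov, the banner text and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: the organisation's own mail domains (hypothetical value).
INTERNAL_DOMAINS = {"county.example.gov"}
BANNER = "[EXTERNAL] "
# Invoice-themed PDF or Word attachment names, like the lures described above.
INVOICE_ATTACHMENT = re.compile(r"invoice.*\.(pdf|docx?|docm)$", re.IGNORECASE)


def triage(raw: str) -> dict:
    """Tag external mail and flag invoice-themed PDF/Word attachments."""
    msg = message_from_string(raw, policy=policy.default)
    # Simplification: a gateway should rely on authenticated sender results,
    # since the From header alone can be spoofed.
    _, addr = parseaddr(str(msg.get("From", "")))
    external = addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS
    names = [part.get_filename() or "" for part in msg.iter_attachments()]
    lures = [n for n in names if INVOICE_ATTACHMENT.search(n)]
    subject = str(msg.get("Subject", ""))
    if external and not subject.startswith(BANNER):
        subject = BANNER + subject
    # An internal sender does not clear a message: one wave came from a
    # compromised government account, so lure attachments always go to review.
    return {"external": external, "subject": subject,
            "lures": lures, "review": bool(lures)}


def sample(sender: str, subject: str, filename: str) -> str:
    """Build a constructed test message (not a real captured email)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "clerk@county.example.gov", subject
    m.set_content("Please see the attached invoice.")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()


if __name__ == "__main__":
    for raw in (
        sample("Billing <billing@vendor.example>", "Invoice inquiry", "INVOICE INQUIRY.PDF"),
        sample("official@county.example.gov", "Payment", "Invoice 2021-10.docx"),
        sample("events@vendor.example", "Meeting", "agenda.pdf"),
    ):
        print(triage(raw))
```

Messages marked for review would feed the official reporting procedure to the IT department described in the list above.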
How Can Heimdal™ Help?
Heimdal Security has developed two email security products aimed at both simple and sophisticated email threats: Heimdal Email Security, which detects and blocks malware, spam emails, malicious URLs, and phishing attacks, and Heimdal Email Fraud Prevention, a revolutionary email protection system against employee impersonation, fraud attempts – and BEC, in general.
For example, you may want to consider Heimdal Security’s Heimdal Email Fraud Prevention, the ultimate email protection against financial email fraud, C-level executive impersonation, phishing, insider threat attacks, and complex email malware. How does it work? By using over 125 vectors of analysis and being fully supported by threat intelligence, it detects phraseology changes, performs IBAN/Account number scanning, and identifies modified attachments, malicious links, and Man-in-the-Email attacks. Furthermore, it integrates with O365 and any mail filtering solution and includes live monitoring and alerting 24/7 by our specialists.