In advance of the U.S. midterm elections later this fall, the Federal Bureau of Investigation (FBI) is warning of a relatively new phishing scam that's targeting state and local government officials.
The campaign uses realistic-looking invoices sent as attachments. A user who clicks through is taken to a website designed to harvest login credentials. The FBI doesn't say whether the attacks succeeded, but it notes the stakes: without monitoring of access to email accounts, an attacker who captures a password could keep sustained access to a highly sensitive mailbox without the owner's knowledge.
The FBI issued a warning about the campaign in a Private Industry Notification on Tuesday.
While the incidents the FBI described in the warning all took place in October 2021, it claims the campaign has the indicators of a coordinated, ongoing effort.
As one part of the campaign, a series of phishing emails were sent to election officials in nine states and representatives of the National Association of Secretaries of State. The emails came with an attachment, "INVOICE INQUIRY.PDF," that ultimately directed users to a credential-harvesting site.
Made up of the secretaries of state of U.S. states and territories, the National Association of Secretaries of State (NASS) is a ripe target, especially for nation-state hackers. Its members oversee presidential elections, have been in charge of fighting voting misinformation, and have provided recommendations for post-election audits. It's no surprise that bad actors, especially those hoping to disrupt democracy, would want to phish their way into a NASS member's email to carry out espionage and possibly sow further doubt.
NASS wasn’t the only group targeted.
In two other incidents a day apart in October, the FBI says, phishing emails were sent to county election employees and election officials with Word attachments that discussed invoices; one was titled “Current Invoice and Payments for report.” Clicking through the documents led users to a credential-harvesting website.
Because the attacks happened so close together and shared similar attachment files, the FBI called the phishing emails "a concerted effort to target US election officials."
Using "Invoice" as a phishing lure - either in an email's subject line or in an attachment - has long been a favorite technique of scammers.
The city of Fresno, California disclosed just a few weeks ago that it lost about $400,000 in 2020 after falling victim to a related invoice scam: a city staffer completed an electronic money transfer for the fraudster, not knowing the invoice the city had received was fake.
To mitigate phishing attacks like this, the FBI is encouraging all organizations, not just those in state and local governments, to apply the following mitigations:
- Educate employees on how to identify phishing, spear-phishing, social engineering, and spoofing attempts.
- Create protocols for employees to send suspicious emails to IT departments for confirmation.
- Mark external emails with a banner denoting the email is from an external source to assist users in detecting spoofed emails.
- Enable strong spam filters to prevent phishing emails from reaching end users. Filter emails containing executable files from reaching end users.
- Train personnel not to open e-mail attachments from senders they do not recognize.
- Require all accounts with password logins (e.g., service accounts, admin accounts, and domain admin accounts) to have strong, unique passphrases.
- Require multi-factor authentication for all services to the extent possible, particularly for webmail, virtual private networks, and accounts that access critical systems.
- If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
- Keep all operating systems and software up to date.
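The banner and attachment-filtering mitigations above are the kind of policy a mail gateway enforces mechanically. As an added illustration (not part of the FBI notice or of this article), the following Python script applies a simplified version of that policy to constructed sample messages: it rejects executable or macro-bearing attachment types, prefixes mail from outside the organization with a banner, and holds external invoice-themed attachments like the ones the FBI described for review. The organization domain example.gov, the extension block list, the sender addresses and the attachment contents are assumptions made for the example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical organization domain; any other sender domain is "external".
INTERNAL_DOMAIN = "example.gov"
EXTERNAL_BANNER = "[EXTERNAL]"

# Assumed block list of executable or macro-bearing attachment types.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".bat", ".cmd", ".ps1", ".js", ".vbs",
    ".hta", ".jar", ".msi", ".docm", ".xlsm", ".pptm",
}

# The lures the FBI described were invoice-themed PDF and Word files;
# an external sender plus such an attachment is held for review here.
LURE_PATTERN = re.compile(r"invoice", re.IGNORECASE)


def sender_domain(msg):
    """Lower-cased domain of the From address ('' if unparseable)."""
    addr = parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def attachment_names(msg):
    """Filenames of every attachment part in the message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def extension(name):
    """Lower-cased extension including the dot, e.g. 'INVOICE INQUIRY.PDF' -> '.pdf'."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(raw):
    """Apply the gateway policy to one raw RFC 5322 message.

    Returns the action ('deliver', 'quarantine' or 'reject'), the subject as it
    would be delivered (bannered for external mail) and the reasons.
    """
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    names = attachment_names(msg)

    # Mitigation: executable content never reaches end users, whoever sent it.
    blocked = [n for n in names if extension(n) in BLOCKED_EXTENSIONS]
    if blocked:
        return {"action": "reject", "subject": subject,
                "reasons": [f"blocked attachment type: {n}" for n in blocked]}

    action, reasons = "deliver", []
    if sender_domain(msg) != INTERNAL_DOMAIN:
        # Mitigation: banner external mail so a spoofed "colleague" stands out.
        subject = f"{EXTERNAL_BANNER} {subject}"
        reasons.append("external sender")
        if any(LURE_PATTERN.search(n) for n in names):
            action = "quarantine"
            reasons.append("invoice-themed attachment from external sender")
    return {"action": action, "subject": subject, "reasons": reasons}


def build_message(sender, subject, attachment=None):
    """Construct a sample message (test data, not a captured email)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "clerk@example.gov"
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if attachment:
        name, data, maintype, subtype = attachment
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg.as_bytes()


# Constructed samples modelled on the lures the FBI described; senders and
# file contents are made up.
SAMPLES = {
    "nass_invoice_pdf": build_message(
        "billing@vendor-example.com", "Invoice inquiry",
        ("INVOICE INQUIRY.PDF", b"%PDF-1.4 ...", "application", "pdf")),
    "county_invoice_docx": build_message(
        "accounts@vendor-example.com", "Payments report",
        ("Current Invoice and Payments for report.docx", b"PK...", "application",
         "vnd.openxmlformats-officedocument.wordprocessingml.document")),
    "external_exe": build_message(
        "hr@vendor-example.com", "Payroll update",
        ("payroll_update.exe", b"MZ...", "application", "octet-stream")),
    "internal_memo": build_message("deputy@example.gov", "Agenda for Monday"),
    "external_benign_pdf": build_message(
        "press@newspaper-example.com", "Interview request",
        ("questions.pdf", b"%PDF-1.4 ...", "application", "pdf")),
}


def triage_samples():
    """Run the policy over every constructed sample."""
    return {name: triage(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{name:22} {verdict['action']:10} {verdict['subject']!r} {verdict['reasons']}")
```

The ordering matters: the executable check runs before the external-sender logic so a blocked file type is rejected even when it arrives from an internal address (which may itself be compromised), while the invoice heuristic only holds mail for review, since legitimate vendors do send invoices and a human still has to decide.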
While the tips aren't geared specifically for election officials, they do encompass a lot of best practices, not just around email security but around cybersecurity hygiene as well.
Maintaining a healthy skepticism toward emails from unknown senders, especially when they come from suspicious-looking domains or carry attachments, helps everyone fend off phishing attempts and email-borne malware.