There seem to be three main types of election meddling making the rounds: phishing scams, disinformation scams, and direct meddling. Here is some information on each of these.
Election-themed Phishing Scams
All phishing scams need a victim’s attention. They get this by piggybacking their malware on recent events or news items. Currently, these seem to focus on COVID and the election. Therefore, election-themed emails will be targeting potential victims. They can be very convincing and will, in many instances, look quite legitimate. Here is one that was recently identified by Proofpoint.
There is, in fact, a Democrat website called Take Action that says all of the things in this email. That’s because the criminals copied sentences from the site to construct the phishing email. It’s a good way to avoid the telltale grammar errors that give away most scammers. The contact address is legitimate and will help the spam avoid email filters. So, if you’re an enthusiastic Democrat, you may be inspired to open the Word attachment. Doing this will, of course, release malware.
Cybersecurity firm, KnowBe4, found this email.
A valid-looking email address in the sender information does not mean the message actually came from that sender, and a genuine logo does not make the email legitimate. As for the link to a voter reconfirmation site, it goes to a page which duplicates an actual page on the ServiceArizona Voter Registration site. If the victim does not check the URL, they will give away personal information which includes their Social Security number and driver’s license number.
It should be noted that some of these politically-based emails will ask for donations in the name of a politician or political party. Again, they will lead you to a spoofed website that looks like a donation page. It seems that all Democrat donation pages look like this. The RNC sites aren’t that different.
It would be easy for hackers to emulate this donation system so be sure of the URL before you pledge money.
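As an added illustration of the “be sure of the URL” advice above (example code written for this post, not from the original article or from Proofpoint or KnowBe4), here is a small Python check that pulls every link out of an HTML email body and flags links whose real destination is not a trusted domain, or whose visible text names a different host than the link actually points to. The sample message, the example.gov trusted domain and the .test lookalike hosts are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an election-themed phishing email body (not a real message).
SAMPLE_EMAIL_HTML = """
<a href="http://voter-reconfirm.example.test/login">https://example.gov/voter</a>
<a href="https://example.gov/voter">Official registration page</a>
<a href="https://donate.example.test/pay">Donate now</a>
"""
# Domains the organisation really sends people to; assumed values for this example.
TRUSTED_DOMAINS = {"example.gov"}

class LinkExtractor(HTMLParser):
    # Collects (href, visible text) pairs from every <a> tag in the message.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(url):
    # Lowercase host reduced to its last two labels (simplification: real code should use a public-suffix list).
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def suspicious_links(html, trusted=TRUSTED_DOMAINS):
    # Returns [(href, reasons)] for links not to follow blindly: the real target is
    # untrusted, or the visible text names a different host than the href.
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        target = registered_domain(href)
        shown = registered_domain(text) if "://" in text else ""
        reasons = []
        if target not in trusted:
            reasons.append("target domain not trusted")
        if shown and shown != target:
            reasons.append("visible text names a different host")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Running `suspicious_links(SAMPLE_EMAIL_HTML)` flags the reconfirmation link on both counts and the donation link as untrusted, while the genuine registration link passes.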
Disinformation Scams: Voter Registration Scams
Of course, even the identity scams listed above can use voter registration as a hook. However, true voter registration scams try to make people feel that they are actually registering when they are not. They may send a victim an actual registration form for a particular state. The twist comes when the victim is told to send this form to the wrong address. In so doing, two things can happen. First of all, the potential voter may go to the polls on election day only to find that they are not actually registered. Secondly, the scammer has received a lot of personal information.
Interestingly, if these scams are being operated by well-organized hackers or U.S.-unfriendly countries, such fake registration scams will go mostly unnoticed except in local areas. Well-organized attackers will never waste their time engineering fake registration scams in districts with pre-decided outcomes. They will only interfere in areas that are considered ‘swing districts’ in which a small change in the number of registrations for a particular party could alter the outcome of an election. In a previous post, I showed how a nefarious actor could engineer a phishing attack on key Pennsylvania districts which could change the outcome of voting for the entire state.
Along these lines, another direct meddling technique is to tell potential voters that they can vote by email, text message, or phone. They may even be sent genuine-looking ballots as email attachments. Keep in mind that voter registration records are public. For the most part, anyone can see your party affiliation, which makes targeting even more precise.
Microsoft has just announced that it has disrupted the operation of the infamous Trickbot botnet, which is used by malicious actors to distribute malware through a malware-as-a-service (MaaS) business model. Trickbot is, indeed, malicious, especially since it often teams up with Emotet, another botnet with a well-designed malware package. The Trickbot botnet comprises over a million devices, from computers to phones to IoT devices. Once it gains access to a device, Trickbot can simply lurk there until it is needed for an attack. Emotet can use this botnet and its own to begin its attacks. Emotet works like any other malware, except for the fact that it is far more sophisticated, often using spearphishing emails to start an assault on a network. For those interested in how these attacks evolve, here is a diagram.
Microsoft said it believed that Trickbot was getting ready to launch ransomware attacks which could take networks used to report election results offline at crucial times.
Earlier this month, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned of DDoS attacks that could target the networks used to report election results. A DDoS (Distributed Denial of Service) attack knocks a network offline by overwhelming its servers with requests. Such an attack would slow down the receiving and reporting of election results. How could this hurt? It would call into question the validity of the results, especially if this was timed to coincide with fake stories or social media posts that follow a formula such as
Democrats/Republicans block the reporting of election results + (location).
According to one source, “it is expected that denial-of-service attacks will likely be used to disrupt polling results as the US will likely not converge in an instant and uncontested result.” In short, the losing side will now have ample reason to claim that the entire election result should be questioned. This is to say that the chances for a quick result are very low.
Trickbot is generally considered to be Russian-based. If Russia is linked to election interference, all sorts of accusations will fly, and that’s the way Russia likes it. Of course, government intelligence agencies are preparing to stop these attacks and, who knows, maybe they will and all will go well.
For their part, the attackers have to be careful not to show their hand until the last minute. DDoS attacks don’t usually last very long. The longest DDoS attack lasted for 329 hours or about 2 weeks, but that’s very unusual. Most attacks average 3 to 4 hours. Still, that’s enough time to cast doubt on results. At best, there could be conflicting results reported by alternative sources, but no one would be sure who to believe.
A ransomware attack would accomplish the same thing. The victims would be forced to pay a ransom to regain control of their networks. This could almost guarantee a quick payday for the attackers who, in the interim, would cast doubt on the election’s validity.
The U.S. intelligence agencies are putting out these warnings because they are more than certain these attacks will occur. It now seems that only the degree of disruption remains uncertain.