US election workers hit by phishing and malware emails • The Register
Election workers in US battleground states have been hit by a barrage of phishing and malware-laden emails ahead of their primary and upcoming 2022 midterm elections.
That’s according to security researchers at Trellix, who said malicious emails sent to Arizona county election officials rose 78 percent between the first and second quarters of the year, from 617 to 1,101, ahead of the state’s August 2 primary. Those emails continued to soar, growing 104 percent to 2,246 messages through Q3 2022.
In Pennsylvania, Trellix said it detected 1,168 malicious emails targeting county election workers in the fourth quarter of 2021 and 4,460 in the first quarter of 2022 — a 282 percent increase. By the end of the second quarter of this year, the number had risen another 69 percent to 7,555.
Pennsylvania held its primary on May 17th.
Among election organizers, county-level staff who manage election infrastructure are “relatively the least experienced” at cyber defense, Team Trellix argued, which is why the threats and risks they face today warrant a closer look.
The security firm said it has not found any evidence of compromised electoral systems in any US state or county and has not yet attributed the phishing emails to a specific cybercrime gang or nation-state.
“Our investigation into cyber activity related to the 2022 election is ongoing and we will provide more information where possible,” said Trellix’s Patrick Flynn, Fred House and Rohan Shah on Wednesday.
However, the increase in cyber threats against county election officials has coincided with an increase in physical threats and harassment against state and county officials as the November midterm elections near.
“Our findings suggest that continued efforts to educate frontline election workers about phishing and other cyber threats in the digital realm may be just as important in 2022 and beyond as security measures needed to protect them in the physical realm,” wrote the Trellix trio.
The phishing schemes had two objectives: to steal credentials from poll workers or to deliver malware that could allow access to other systems on the network.
Let’s start with the credential theft phishes because as John Podesta can attest, falling victim to a phishing attack that compromises your email while in a key political role rarely ends well.
According to Trellix, the attackers created and sent out fake password-expiration alerts to trick election workers into clicking a malicious link that led to a website masquerading as an account-management page. Once on the fake site, poll workers were asked to enter their work usernames and passwords, and optionally to change their passwords.
The attacker thus has the credentials and can use them to access any election document or voter record, depending on a particular poll worker’s access levels.
“The attacker could send voters false information about the election process to trick them into voiding their votes or create confusion in the run-up to election day, undermining their confidence in the process,” the researchers warn.
The login name and passwords could also be used to “identify other officials through organizational contact lists and use them to target individuals who may have higher-level access to more critical election and voting processes.”
And if that’s too much trouble, they could still sell the stolen credentials on dark web forums – Russian, Chinese, and Iranian nation-state-backed gangs targeting the US midterms may want to bid on that information, if they don’t already have it.
Zero Trust (in attached files)
A second phishing scam the security firm observed used a trusted email thread — either a compromised message or a fake one — between an election worker and a government contractor tasked with distributing mail-in ballots.
Because the email appears to be from a trusted source, the poll worker is more likely to click a malicious link or download a malware-laden file. Or at least this is the intended result.
Fortunately, the fraudulent email was blocked after sensors detected a malicious Microsoft malware download, the security firm said.
“Ultimately, this phishing scheme plays on the poll worker’s professional and moral obligation to assist a trusted contractor struggling to register people to vote,” the Trellix team noted. “It relies on the willingness of election officials to perhaps step out of an established submission process and click on the attacker’s toxic link to access voter applications.”
FBI, CISA weigh in
Trellix’s latest research comes just days after two joint alerts from the FBI and Homeland Security’s CISA warned of phishing emails targeting poll workers [PDF] and said foreign agents will likely attempt to spread disinformation leading up to and after the midterms.
“As in previous election cycles, foreign actors continue to knowingly disseminate false narratives about election infrastructure to foster social discord and distrust in US democratic processes and institutions, and may include attempts to incite violence,” the Feds noted [PDF].
CISA also provided state and local election officials with a free toolkit aimed at improving their security posture and helping them educate their employees and volunteers on how to avoid becoming victims of phishing campaigns.
For its part, Trellix suggests that election workers – and pretty much everyone – should be on high alert when it comes to emails with “urgent calls to action” like password changes.
As we have seen with the recent 0ktapus cybercrime campaign, these are particularly effective at stealing credentials and are rarely legitimate.
Also, check the sender’s email address and make sure that the email domain actually belongs to the sender’s organization. And as always, do not trust any files or links from unknown sources.
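The checks in the advice above can be turned into a simple mail-triage rule: is the sender’s domain actually one of the organisation’s (or a lookalike of one), is the message an “urgent call to action” such as a password-expiry notice, and do its links lead away from the established sites? The Python below is an added example, not code from the article or from Trellix; the county domain, contractor domain and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed (hypothetical) domains: the county's own mail domain and its ballot contractor.
TRUSTED_DOMAINS = {"example-county.gov", "ballot-vendor.example"}
# Wording typical of the "urgent call to action" lures described in the article.
URGENT_LURES = re.compile(r"password (will )?expir|reset your password|action required|verify your account", re.I)
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def lookalike(domain: str) -> bool:
    """Untrusted domain that reuses a trusted label, e.g. example-county-gov.com."""
    return any(t.split(".")[0] in domain for t in TRUSTED_DOMAINS)


def triage(raw: str) -> list:
    """Return the reasons a message deserves a second look; an empty list means nothing was flagged."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    body = msg.get_payload()
    reasons = []
    if domain not in TRUSTED_DOMAINS:  # does the email domain belong to the sender's organisation?
        reasons.append(f"sender domain {domain!r} is not a known organisation domain")
        if lookalike(domain):
            reasons.append(f"sender domain {domain!r} imitates a trusted domain")
    if URGENT_LURES.search(msg.get("Subject", "") + " " + body):
        reasons.append("urgent call to action (password/account lure)")
    for href, text in LINK_RE.findall(body):  # links that step outside the established sites
        host = urlparse(href).hostname or ""
        if host not in TRUSTED_DOMAINS:
            reasons.append(f"link to untrusted host {host!r} (shown as {text.strip()!r})")
    return reasons


# Constructed sample: the fake password-expiry alert the article describes.
PHISH = """From: IT Support <helpdesk@example-county-gov.com>
Subject: Action required: your password expires today
Content-Type: text/html

<p>Your password will expire in 2 hours.</p>
<a href="https://account-portal.example-county-gov.com/login">Keep my password</a>
"""
# Constructed sample: a routine message from the county's own domain.
LEGIT = """From: Jane Clerk <jane.clerk@example-county.gov>
Subject: Canvass schedule for next week
Content-Type: text/html

<p>Schedule attached; see <a href="https://example-county.gov/canvass">the intranet page</a>.</p>
"""
```

Running `triage(PHISH)` yields four reasons (untrusted and lookalike sender domain, the password lure, and a link to an untrusted host), while `triage(LEGIT)` yields none.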
“The election worker should also be wary of sending out mysterious download or website links that are really unnecessary, since ready-made applications can be emailed or uploaded through the administrators’ established websites,” the researchers noted.
“Any attempt to suggest that workers step out of established processes to use a download link or go to a random website should be questioned.” ®
https://www.theregister.com/2022/10/12/us_election_workers_phishing/