If you purchase via links on our site, we may receive affiliate commissions.

Phishing campaigns could turn elections, analyst warns

Updated on: 13 October 2022

Damien Black
Senior Journalist

US government banner urging citizens to vote in 2022 — Image by Shutterstock

As midterm election fever grips the US, threat actors are targeting time-pressed party workers with phishing campaigns aimed at potentially spoiling ballots, infosecurity firm Trellix reports.

Revealing its findings, Trellix said they raised fears of a repeat of the John Podesta imbroglio of 2016, during which the Democrat campaign chief was spear-phished, resulting in thousands of politically damaging emails being sent to WikiLeaks.

Now Trellix has learned of similar attempts to hoodwink election workers in the states of Pennsylvania and Arizona, which held early primary elections in May and August, respectively.

In the first of these, malicious emails sent to party workers in the key battleground state rose from 1,168 in the last three months of 2021 to 4,460 in the first quarter of this year - before rising again to 7,555 in the thirteen weeks to the end of June.

Trellix pointed out that much of this activity focused on county-level state workers, which it says have the least sophisticated cyber-defenses but are paradoxically “the most critical in actual electoral engagement with voters.”

Noting rising cases of threats and harassment to election campaigners in recent years, Trellix added: “Our findings suggest the continuing effort to educate frontline election workers on phishing and other cyber threats in the digital realm could be as important as security measures required to protect them in the physical realm.”

Arizona also suffered spikes in social engineering aimed at election workers, with such attacks rising to 2,246 for the third quarter of this year - from just 1,101 during the previous three months, and 617 between January and March.

“The ‘primary surge’ reminds us election security is very much a state and local issue,” said Trellix. “Furthermore, states and localities do not operate on an equal cybersecurity footing. Some will be more susceptible to attacks than others, and many will continue to require the help of the federal government to [...] educate local election employees in cyber hygiene.”

Earlier this month, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) warned about the potential attempts of foreign actors to spread disinformation in the lead-up to and after the 2022 midterm elections.

Screenshot of fake email sent to election workers — Sample of a password harvesting message that seeks to exploit a campaign worker's anxieties about letting their side down

A recurring nightmare?

One of the phishing campaigns detected by Trellix was reminiscent of the Podesta affair, during which the campaign boss and his IT team believed that a fake request to re-enter his credentials into his Google account was legitimate.

“It uses a fraudulent password expiration alert to lure election workers to a bogus administrative webpage, where they are prompted to enter their current username and password login credentials,” said Trellix.

A phishing email informs the election worker that their password is about to expire, causing them to lose the network access required to complete urgent campaign-related tasks. Panicked into clicking on a phishing link, victims are taken to a landing page where they are given an option to choose their password – provided they enter their old one along with their account username.

“At this point, the attacker has possession of the user’s login credentials and can use them to access organizational assets across the election administrator’s networks,” said Trellix. “The attacker could access election process documents, voter records, colleague contact lists, administrative tools, and a variety of other documents and forms.”

Such data could be used by a threat actor to send voters misleading information in the run-up to elections, hoping to potentially sway the outcome, it added.

“The attacker could send voters incorrect election process information to mislead them into invalidating their votes or create confusion in the lead-up to election day that undermines their confidence in the process,” said Trellix.

Threat actors could also use details on the pilfered contact lists to target people with higher-level access to “critical election and voting tabulation processes.”

It added the data obtained through a successful phishing campaign could also be used to facilitate a ransomware attack on critical infrastructure on the eve of elections.

“Finally, the attacker could sell the stolen credentials on an underground forum to nation-state actors or other malicious parties, such as ransomware operators capable of locking up key systems just days before the election,” said Trellix.

Screenshot sample of fake email sent to campaign workers — Another fake email, which plays on the same fears in an attempt to steal credentials and so gain access to vital voter data

Trusted threads abused

Another campaign observed by the cybersecurity firm entailed targeting county election workers by inserting social engineering email messages into a pre-existing thread dating back to 2018 that had either been compromised or simply forged.

Trellix said this work bore the hallmarks of QBot, Hancitor, and Emotet, all used in previous spear-phishing attacks employing compromised or fabricated email threads from trusted sources.

“These actors have found success in using such trusted email correspondence to deliver malicious documents or download links,” it said, adding that payloads could be delivered in the form of seemingly innocuous file types such as .zip, .pdf, or .docx.

In this case, “the attacker sends a Microsoft OneDrive link, from which the election worker can download the completed absentee ballot applications.” The download is “poisoned” with malware that gives the threat actor access to other systems across the hapless employee’s network.

“Ultimately, this phishing scheme plays on the election worker’s professional and moral commitment to help a trusted contractor struggling to register people to vote,” added Trellix. “It relies on the election officials’ willingness to perhaps step outside an established submission process and click on the attacker’s poisonous link to access the voter applications.”

Trellix said it could not determine who was responsible for the social engineering campaigns highlighted in its report but added that its investigation into “election-related cyber activity” is ongoing.

It is urging local election officials to avail themselves of cybersecurity tools being provided by the federal government, including anti-phishing training resources from CISA, the US national body overseeing cybersecurity.

Trellix cited a recent statement issued jointly by CISA and the FBI, which said: “Be wary of emails or phone calls from unfamiliar addresses or phone numbers that make suspicious claims about the elections process, or of social media posts that appear to spread inconsistent information about election-related incidents or results.”

It added: “Do not communicate with unsolicited email senders, open attachments from unknown individuals, or provide personal information via email without confirming the requestor's identity. Be aware that many emails requesting your personal information often appear to be legitimate.”