Election officials in at least nine states received emails with attachments that redirected to credential harvesting sites.
The FBI has issued a warning to state and local election officials to be on the lookout for invoice-themed phishing attacks.
Officials in at least nine states received emails containing links or attachments that were presented as invoices but instead harvested login credentials, a tactic that gives attackers sustained access to IT systems. The emails used similar attachments, were sent from compromised email addresses and were delivered in the same time frame, “suggesting a concerted effort to target U.S. election officials,” the FBI said in its March 28 notification.
Examples of uncovered attacks include emails to election officials and representatives of the National Association of Secretaries of State that attached an INVOICE INQUIRY.PDF file that redirected users to a credential harvesting website. One of the sending addresses was a compromised account of a government official. Emails purporting to be from businesses to county election officials contained Word attachments that also redirected users to credential harvesting sites.
The FBI urges IT security teams to ensure employees know how to identify social engineering and spoofing attempts and have been cautioned against providing login credentials without obtaining confirmation via a second channel and against opening attachments from senders they don’t recognize.
IT staff can help mitigate the risk of compromise by requiring strong, unique passphrases and multifactor authentication and by keeping software up to date. A banner indicating that an email originated from an external source, along with strong spam filters, will also help cut down on phishing attempts.
“The FBI judges cyber actors will likely continue or increase their targeting of US election officials with phishing campaigns in the lead-up to the 2022 US midterm elections,” the FBI states. “Proactive monitoring of election infrastructure (including official email accounts) and communication between FBI and its state, local, territorial, and tribal partners about this type of activity will provide opportunities to mitigate instances of credential harvesting and compromise, identify potential targets and information sought by threat actors, and identify threat actors.”