No Politician Too Small: School Board Candidates Targeted By Phishing and BEC Scams

Election DisinformationCybercriminals are broadening their targets to include even local political candidates, as an escalating series of phishing attacks was recently directed at school board candidates in Colorado.

Andrew Brandt, Principal Researcher from Sophos, ran a school board seat himself, and he investigated these phishing and BEC attacks targeting the fellow candidates he ran against.

In the Boulder County, Colorado school board election Andrew ran in, nine other candidates were vying for four open seats. At least three candidates (including Andrew) were targeted with a BEC campaign using social engineering tactics. The attackers had clearly done their homework, crafting a social graph of the relationships to others connected to the school district.

While federal election years tend to draw more attention from threat actors, this investigation shows that even lower-profile "off-year" local elections can attract threat actors. Just last December, the US, UK, and others warned that Russian state hackers were targeting political candidates with phishing.

Though no direct evidence links this Colorado campaign to Russian actors, some Russian services were involved. The initial BEC emails invoked the names of other candidates but originated from Russian webmail providers. The messages tried to trick recipients into purchasing gift cards, a common BEC tactic.

The attacks then escalated to customized spear phishing emails spoofing a document signing service. The attachment contained Andrew's campaign logo and tried capturing his email password through a phishing attack vector that covertly exfiltrated any entered credentials.

Further research found over 2,000 similar phishing emails between September and November 2023, targeting nearly 800 organizations beyond just political campaigns. From municipalities to healthcare providers, the attachments were tailored with each target's website logos pulled in dynamically.

The phishing pages accepted three password attempts before redirecting users, maximizing potential for credential theft. Any entered passwords were exfiltrated through Telegram's API to the attackers' channels.

The lengths attackers will go through illustrates how no candidate is too small or local to potentially be targeted. Staying alert and taking basic security steps can go a long way in protecting your campaign. And with 2024's high-stakes US federal elections coming, further attacks on candidates, campaigns and elections infrastructure will be anticipated. 

KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

Sophos has the full story

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

PST ResultsHere's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry

Go Phishing Now!

PS: Don't like to click on redirected buttons? Cut & Paste this link in your browser:

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews