Cybercriminals are broadening their targets to include even local political candidates, as an escalating series of phishing attacks was recently directed at school board candidates in Colorado.
Andrew Brandt, Principal Researcher at Sophos, ran for a school board seat himself and investigated the phishing and BEC attacks that targeted the fellow candidates he ran against.
In the Boulder County, Colorado school board election Andrew ran in, nine other candidates were vying for four open seats. At least three candidates (including Andrew) were targeted with a BEC campaign built on social engineering. The attackers had clearly done their homework, mapping a social graph of the people connected to the school district and their relationships to one another.
While federal election years tend to draw more attention from threat actors, this investigation shows that even lower-profile "off-year" local elections can be targeted. Just last December, the US, UK, and others warned that Russian state hackers were targeting political candidates with phishing.
Though no direct evidence links this Colorado campaign to Russian actors, some Russian services were involved. The initial BEC emails invoked the names of other candidates but originated from Russian webmail providers. The messages tried to trick recipients into purchasing gift cards, a common BEC tactic.
The attacks then escalated to customized spear-phishing emails spoofing a document-signing service. The attachment carried Andrew's campaign logo and tried to capture his email password through a phishing page that covertly exfiltrated any credentials entered.
Further research found more than 2,000 similar phishing emails sent between September and November 2023, targeting nearly 800 organizations well beyond political campaigns. From municipalities to healthcare providers, each attachment was tailored with logos pulled dynamically from the target's own website.
The phishing pages accepted three password attempts before redirecting the victim, maximizing the odds of capturing a correct password. Any passwords entered were exfiltrated through Telegram's API to channels controlled by the attackers.
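The traits described above (a brand logo fetched from the target's own site, a password form, and exfiltration through Telegram's Bot API) are all visible statically in an HTML attachment, which makes them useful for a mail-gateway or triage check. The scanner below is an added example written for this post, not code from KnowBe4 or from the Sophos investigation; the `scan_html_attachment` function, its scoring weights, and both HTML samples are constructed for illustration (the Telegram token in the sample is a made-up placeholder in the public `bot<id>:<secret>` URL format). The three-attempt retry behaviour happens at runtime and is not modelled here.

```python
"""Heuristic scanner for HTML email attachments (added example, hypothetical)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strong indicator: a fully formed Telegram Bot API URL (numeric bot id, colon,
# secret) embedded in the same file that harvests a password.
TELEGRAM_BOT_URL = re.compile(r"api\.telegram\.org/bot\d+:[\w-]+", re.IGNORECASE)


class _AttachmentParser(HTMLParser):
    """Collect the few page features the heuristics below look at."""

    def __init__(self):
        super().__init__()
        self.password_inputs = 0
        self.image_hosts = set()
        self.form_actions = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_inputs += 1
        elif tag == "img":
            host = urlparse(a.get("src") or "").hostname
            if host:
                self.image_hosts.add(host.lower())
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def scan_html_attachment(html: str) -> dict:
    """Return the indicators found in one HTML attachment plus a verdict."""
    p = _AttachmentParser()
    p.feed(html)
    script_text = "\n".join(p.scripts)
    indicators = {
        "password_form": p.password_inputs > 0,
        # Logo pulled live from a third-party host instead of embedded in the file
        "external_images": sorted(p.image_hosts),
        # Any reference to Telegram's API anywhere in the document
        "telegram_api": "api.telegram.org" in html.lower(),
        # Bot API URL with token in script: the exfil channel is hard-coded
        "telegram_bot_token": bool(TELEGRAM_BOT_URL.search(script_text)),
        # Form that posts nowhere: the credentials are handled by script instead
        "form_without_action": any(a in ("", "#") for a in p.form_actions),
    }
    score = 0
    if indicators["password_form"]:
        score += 2
    if indicators["telegram_api"]:
        score += 3
    if indicators["telegram_bot_token"]:
        score += 2
    if indicators["external_images"] and indicators["password_form"]:
        score += 1
    if indicators["form_without_action"] and indicators["password_form"]:
        score += 1
    indicators["score"] = score
    indicators["verdict"] = "credential-phish" if score >= 5 else "benign"
    return indicators


# Constructed sample resembling the attachments described in the article.
PHISH_SAMPLE = """<html><body>
<img src="https://school-district.example/logo.png">
<form id="f" action="#">
  <input type="email" name="user"><input type="password" name="pass">
  <button>Review document</button>
</form>
<script>
  var exfil = "https://api.telegram.org/bot000000000:CONSTRUCTED_SAMPLE_TOKEN/sendMessage";
</script>
</body></html>"""

# Constructed benign sample: an external image but no credential form.
BENIGN_SAMPLE = """<html><body>
<img src="https://newsletter.example/banner.png">
<p>Board meeting minutes attached.</p>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, scan_html_attachment(doc))
```

The weights are deliberately simple: a Telegram API reference alone is not proof of anything, but combined with a password field in a mail attachment it is rare enough in legitimate traffic to justify quarantine and a closer look. External image hosts are reported rather than scored on their own, since newsletters load remote images routinely.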
The lengths attackers will go to illustrate that no candidate is too small or too local to be targeted. Staying alert and taking basic security steps can go a long way toward protecting your campaign. And with 2024's high-stakes US federal elections approaching, further attacks on candidates, campaigns and election infrastructure should be anticipated.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Sophos has the full story.