Fraud Management & Cybercrime , Fraud Risk Management , Social Engineering

Fraudsters Alter Election Phishing Scam

Scammers Now Attempting to Steal Banking and Driver's License Information
Fraudsters Alter Election Phishing Scam
Phishing email that spoofs the U.S. Election Assistance Commission (Source: Proofpoint)

Fraudsters operating an election-themed phishing campaign have tweaked their malicious landing pages to harvest more information, including banking credentials, account data and vehicle identification information, according to security firm Proofpoint.

See Also: The Dangerous Intersection Between OFAC And Ransomware

The original campaign, which used the lure of confirming voter registration status, contained a malicious link designed to harvest Social Security numbers, tax IDs and driver's license details (see: Fresh Wave of Phishing Emails Use Election as a Lure).

The updated campaign, which uses the same election-themed lure, now asks recipients to also provide the additional information. The campaign requests that the recipient hand over their banking data to automatically sign up to receive a "stimulus" check, according to the report.

The information collected within these updated malicious landing pages would enable a fraudster to assume someone's identity, take over their bank account and commandeer other assets connected to the email address they provide, according to Proofpoint's Threat Insight blog post.

"Actors are agile and opportunistic, and this site is an excellent example of how quickly they adjust, even if they don't always get the details right," the post notes.

Phishing Updates

The fraudsters continue to use the same message regarding voter registration status that’s not yet confirmed by the county clerk, but the phishing messages now have the U.S. Election Assistance Commission logo at the top and in the subject line. The message asks the recipient to confirm their voter registration by clicking on a link to supply more information.

The malicious link usually redirects victims to defunct landing pages hosted on compromised WordPress websites that are portrayed as government forms that users need to fill out, according to the post.

"The driver’s license and vehicle license number are out of place on voter registration or stimulus claim pages. Further, the branding at the top of the site isn't consistent, switching from the [Election Assistance Commission] logo to the U.S. government’s web logo on the second page of the form," according to the post.

Malicious landing page designed to harvest credentials and other personal data (Source: Proofpoint)

Proofpoint says hackers have sent messages through SendGrid, an email service provider, that display the sender's email address as ""

After all the personal information is harvested by the fraudsters, the victim is redirected to a legitimate voter registration page, according to the post.

"This phishing site is particularly interesting because it cycles through several themes within the same form - verification of voter information and claiming a 'stimulus' - and collects a variety of information that isn’t always congruent with those themes," the blog post says.

Other Campaigns

The updating of the election-themed phishing campaign is just the latest example of how fraudsters adjust their methods.

For example, within a few days of President Donald Trump testing positive for COVID-19, fraudsters began deploying phishing emails using the president's health as a lure, according to the security firms Proofpoint and KnowBe4 (see: Trump's COVID-19 Illness Sparks Phishing Campaigns).

Earlier in October, Proofpoint spotted thousands of malicious emails designed to spread Emotet malware that spoofs messages from the Democratic National Committee. And KnowBe4 discovered another phishing campaign that spoofed the U.S. Election Assistance Commission and was designed to harvest credentials.

About the Author

Chinmay Rautmare

Chinmay Rautmare

Senior Correspondent

Rautmare is senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News, as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters he put in a stint in broadcast journalism with a business channel, where he helped produced multimedia content and daily market shows. Rautmare is a keen follower of geo-political news and defense technology in his free time.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.