Fraudsters Alter Election Phishing Scam
Scammers Now Attempting to Steal Banking and Driver's License Information
Fraudsters operating an election-themed phishing campaign have tweaked their malicious landing pages to harvest more information, including banking credentials, account data and vehicle identification information, according to security firm Proofpoint.
The original campaign, which used the lure of confirming voter registration status, contained a malicious link designed to harvest Social Security numbers, tax IDs and driver's license details (see: Fresh Wave of Phishing Emails Use Election as a Lure).
The updated campaign, which uses the same election-themed lure, now also asks recipients to provide this additional information. It requests that recipients hand over their banking data to automatically sign up to receive a "stimulus" check, according to the report.
The information collected within these updated malicious landing pages would enable a fraudster to assume someone's identity, take over their bank account and commandeer other assets connected to the email address they provide, according to Proofpoint's Threat Insight blog post.
"Actors are agile and opportunistic, and this site is an excellent example of how quickly they adjust, even if they don't always get the details right," the post notes.
The fraudsters continue to use the same message regarding voter registration status that’s not yet confirmed by the county clerk, but the phishing messages now have the U.S. Election Assistance Commission logo at the top and in the subject line. The message asks the recipient to confirm their voter registration by clicking on a link to supply more information.
The malicious link usually redirects victims to defunct landing pages that are hosted on compromised WordPress websites and portrayed as government forms that users need to fill out, according to the post.
"The driver’s license and vehicle license number are out of place on voter registration or stimulus claim pages. Further, the branding at the top of the site isn't consistent, switching from the [Election Assistance Commission] logo to the U.S. government’s web logo on the second page of the form," according to the post.
Proofpoint says hackers have sent messages through SendGrid, an email service provider, that display the sender's email address as "firstname.lastname@example.org."
After all the personal information is harvested by the fraudsters, the victim is redirected to a legitimate voter registration page, according to the post.
"This phishing site is particularly interesting because it cycles through several themes within the same form - verification of voter information and claiming a 'stimulus' - and collects a variety of information that isn’t always congruent with those themes," the blog post says.
The updating of the election-themed phishing campaign is just the latest example of how fraudsters adjust their methods.
For example, within a few days of President Donald Trump testing positive for COVID-19, fraudsters began deploying phishing emails using the president's health as a lure, according to the security firms Proofpoint and KnowBe4 (see: Trump's COVID-19 Illness Sparks Phishing Campaigns).
Earlier in October, Proofpoint spotted thousands of malicious emails that spoofed messages from the Democratic National Committee and were designed to spread Emotet malware. And KnowBe4 discovered another phishing campaign that spoofed the U.S. Election Assistance Commission and was designed to harvest credentials.