Phishing scams and malicious domains take center stage as the US election approaches
Phishing scams aimed at voters, malicious domain registrations impersonating candidates, and other threat activity designed to exploit unassuming victims take center stage as the US election approaches, according to Fortinet.
“As the 2024 US presidential election approaches, it’s critical to recognize and understand the cyberthreats that may impact the integrity and trustworthiness of the election process and the welfare of the participating citizens. Cyber adversaries, including state-sponsored actors and hacktivist groups, are increasingly active leading up to major events like elections,” said Derek Manky, Chief Security Strategist and VP of Global Threat Intelligence at Fortinet.
“Remaining vigilant and identifying and analyzing potential cyberthreats and vulnerabilities is crucial for preparing and safeguarding against the lures and targeted cyberattacks that could take advantage of a heightened moment in time and even disrupt or influence electoral outcomes,” added Manky.
Threat actors are selling affordable phishing kits on the darknet designed to target voters and donors by impersonating the presidential candidates and their campaigns.
Malicious domain registrations on the rise
More than 1,000 new potentially malicious domains have also been registered since the beginning of 2024 that follow particular patterns and incorporate election-related content and candidates, suggesting that threat actors are leveraging the heightened interest surrounding the election to lure unsuspecting targets and potentially conduct malicious activities.
Billions of records from the US are for sale on darknet forums, including Social Security numbers (SSNs), personally identifiable information (PII), and credentials that could be used in misinformation campaigns and lead to fraudulent activity, phishing scams, and account takeover; approximately 3% of the posts on darknet forums involve databases related to business and government entities.
FortiGuard Labs researchers noted a 28% increase in ransomware attacks against the US government year-over-year based on observed leak sites.
The research team observed threat actors selling distinct phishing kits for $1,260 each, created to impersonate US presidential candidates. These kits are designed to harvest personal information, including names, addresses, and credit card (donation) details.
AWS and Cloudflare as top hosts for malicious domains
Since January 2024, researchers have also identified more than 1,000 newly registered domain names that incorporate election-related terms and references to prominent political figures. These include fraudulent fundraising websites such as secure[.]actsblues[.]com, meant to imitate the legitimate site for ActBlue (secure[.]actblue[.]com), a nonprofit American fundraising platform and political action committee.
The top two most-used hosting providers for these election-themed websites are AMAZON-02 and CLOUDFLARENET. The reliance on major hosting platforms such as AWS and Cloudflare suggests that threat actors are leveraging these reputable services to enhance the legitimacy and resilience of their malicious domains.
A notable concentration of domains is associated with a limited number of IP addresses, indicating a centralized approach by threat actors to efficiently manage multiple malicious domains to execute large-scale cyber campaigns.
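The two observations above (lookalike domains such as secure[.]actsblues[.]com imitating secure[.]actblue[.]com, and many domains sharing a few IP addresses) can be turned into a simple defender-side triage check. The following is an added example, not Fortinet's tooling; the keyword watchlist, the edit-distance threshold, and the domain-to-IP sample data are all constructed assumptions.

```python
# Added example (not from the Fortinet report): flag newly registered domains that look
# like election-related lookalikes, then spot IP concentration. All sample data is constructed.
LEGIT = {"actblue.com"}                                            # brand from the page
KEYWORDS = ("vote", "election", "ballot", "donate", "campaign")   # assumed watchlist

def refang(domain: str) -> str:
    """Turn defanged 'secure[.]actsblues[.]com' into 'secure.actsblues.com'."""
    return domain.replace("[.]", ".").lower().strip()

def registrable(domain: str) -> str:
    """Crude eTLD+1: last two labels (assumption: no multi-part public suffixes)."""
    return ".".join(domain.split(".")[-2:])

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values between brand labels signal typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> list[str]:
    """Return reasons a domain is suspicious; an empty list means nothing matched."""
    d = refang(domain)
    base = registrable(d)
    if base in LEGIT:              # the genuine brand domain is never flagged
        return []
    reasons = []
    brand = base.split(".")[0]
    for legit in LEGIT:
        lname = legit.split(".")[0]
        if lname in brand or levenshtein(brand, lname) <= 2:   # threshold is an assumption
            reasons.append(f"lookalike of {legit}")
    if any(k in d for k in KEYWORDS):
        reasons.append("election keyword")
    return reasons

def ip_clusters(resolutions: dict[str, str], min_size: int = 3) -> dict[str, list[str]]:
    """Group flagged domains by resolved IP; keep IPs hosting at least min_size of them."""
    by_ip: dict[str, list[str]] = {}
    for dom, ip in resolutions.items():
        if classify(dom):
            by_ip.setdefault(ip, []).append(refang(dom))
    return {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) >= min_size}

SAMPLE = {  # constructed newly registered domains -> resolved IP (TEST-NET-1 addresses)
    "secure[.]actsblues[.]com": "192.0.2.10",
    "vote2024-donate[.]com": "192.0.2.10",
    "ballot-update[.]net": "192.0.2.10",
    "secure[.]actblue[.]com": "192.0.2.50",
    "weather-today[.]org": "192.0.2.77",
}
```

Run over a feed of new registrations, `ip_clusters` surfaces the hosting IPs worth blocking or monitoring as a unit rather than domain by domain.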
The US government is an increasingly attractive target
The analysis continues to show a significant number of diverse databases available on darknet forums targeting the US, including SSNs, usernames, email addresses, passwords, credit card data, date of birth, and other PII that could be used to challenge the integrity of the 2024 US election.
Over 1.3 billion rows of combo lists, which include usernames, email addresses, and passwords, signify a considerable risk for credential-stuffing attacks. In such attacks, cybercriminals use these stolen credentials to gain unauthorized access to accounts, making it a valid and substantial security concern.
The discovery of 300,000 rows of credit card data, which include CVV, name, card number, expiration date, and date of birth, highlights potential financial fraud risks targeting voters and election officials.
Over 2 billion rows of user databases on the darknet indicate a heightened exposure to identity theft and targeted phishing attacks.
10% of the posts on darknet forums are associated with SSN databases, which poses a significant threat by increasing the risk of personal data breaches.
Ransomware attacks targeting government agencies before an election can impact the electoral process and public trust in government institutions. Compared to 2023, researchers observed a 28% spike in ransomware attacks against the US government in 2024.
The darknet has become a hub for US-specific threats, where malicious actors trade sensitive information and can potentially develop strategies to exploit vulnerabilities. Approximately 3% of the posts on these forums involve databases related to business and government entities. These databases hold critical organizational data that is vulnerable to cyber exploits and remain a prime target for threat actors both before and after the election.