
Spam With A Political Twist: Fraudsters Are Exploiting The Election Season

The US election is less than 70 days away and threat actors are busy crafting malicious spam that uses candidate names and political themes as social engineering tools to convince recipients to open their emails.

In our two months of monitoring SEG Cloud and Spam Traps, we noted more than 11,000 spam messages that mention the names or political parties of the candidates as part of their lure. As July passed, the amount of spam increased and eventually reached its peak.

Figure 1: Politics-Themed Spam Daily Count

Former President and Republican presidential candidate Donald Trump is the most used name in the subject lines of these spam mails, at 29%. He is followed by the incumbent VP and Democratic candidate Kamala Harris, at 5.7%. President Joe Biden was also a topic of these suspicious emails, but this has died down since his withdrawal from the presidential race.

These emails vary in content, from shady online shops advertising candidate merchandise, to stock and cryptocurrency spam, to phishing. Here are some of the top spam samples that we’ve observed so far.

 

Financial Spam

Trustwave SpiderLabs has observed numerous financial spam emails that use current political events and candidate names in their message body. However, the goal of these emails is not to promote any candidate, but to bait the reader into engaging with scams involving stocks or crypto.

Our first example (below) discusses the digital dollar and how it will replace the current form of the US dollar. The context given for this digital dollar is that the Biden administration signed an executive order and that several countries have stopped supporting USD. The sender also posits that this will cause financial ruin for US citizens. The message relies on emotional manipulation, inciting fear in the reader.

Figure 2: Financial Spam Mentioning Joe Biden as Lure

After instilling fear in the reader, the sender claims to know how to protect the reader’s savings and urges them to click on a link to read more. However, this is only a scam email.

We also checked the Executive Order 14024 cited in the message. This particular EO is entitled “Blocking Property with Respect To Specified Harmful Foreign Activities of the Government of the Russian Federation.” According to the Office of Foreign Assets Control (OFAC), this EO provides sanctions that may be imposed against entities furthering specified harmful foreign activities of the Russian Federation.

 

Phishing

The Republican presidential candidate, Donald Trump, has stated at previous campaign rallies that he is embracing cryptocurrency. Since then, numerous crypto scams disguised as Trump’s team or claiming to be affiliated with him have appeared.

This phishing email baits the recipient with a fake token giveaway worth $2.5 million. It states that the meme cryptocoin, MAGA, has greatly increased in value following supportive statements from the Republican candidate. Based on our check of crypto trading sites, this coin does exist but is not tradable on Coinbase.

Figure 3: Phishing Email Using MAGA Coin as Lure

Several red flags are observed in this email. Despite the message being centered around US current events, the sender address bears a country code top-level domain (ccTLD) of “ph”, which stands for the Philippines. Upon further inspection, this is a legitimate, but spoofed, email address of a resort company.

The embedded link leads to a phishing site disguised as a WalletConnect page.

Figure 4: Bogus Crypto Site

Victims are urged to log into their crypto wallet to obtain the giveaway. However, the page is not affiliated with that service, and this phishing page is hosted by Free Web Hosting.

 

Marketing Spam

Supporters often create merchandise of their chosen political candidate to show support and increase visibility for other voters.

This marketing spam uses candidates from both parties as a lure to get the victim to click through to a bogus online shop.

Figure 5: Marketing Spam Featuring Different Candidates

The senders create a product listing centered around a certain politician and send the link to multiple recipients. The first red flag in these emails is the use of an email address that does not seem to correlate with the supposed brand: these emails were sent using different Gmail addresses. Another notable point is that, despite having the same message body format, the emails differ in the domain of the supposed online shop featured in the “Shop Now” button.

Both embedded links in the samples are newborn domains created last July.
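The red flags described in the Phishing and Marketing Spam sections can be checked mechanically. The following is an added example, not Trustwave's tooling: a triage sketch that flags a candidate name in the subject, a brand display name on a Gmail sender, a non-US ccTLD sender on a political lure, and identical bodies that point at different shop domains. The function names, the sample messages and the `.example` hosts are constructed for illustration, and single-part plain-text bodies are assumed.

```python
import hashlib
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

CANDIDATES = re.compile(r"\b(trump|harris|biden)\b", re.I)  # names reported in subject lines
FREEMAIL = {"gmail.com"}  # the marketing samples were sent from Gmail addresses
URL = re.compile(r"https?://[^\s\"'<>]+")

def red_flags(raw):
    """Return (flags, link_hosts, template_id) for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()  # assumption: single-part text body
    hosts = {urlparse(u).hostname for u in URL.findall(body)}
    flags = set()
    if CANDIDATES.search(msg.get("Subject", "")):
        flags.add("political_lure")
    if sender_domain in FREEMAIL and display:
        flags.add("brand_name_on_freemail")
    tld = sender_domain.rpartition(".")[2]
    if "political_lure" in flags and len(tld) == 2 and tld != "us":
        flags.add("foreign_cctld_sender")  # US-election lure, non-US ccTLD sender
    # Same wording with the URLs blanked out hashes to the same template id.
    template = hashlib.sha256(URL.sub("<url>", body).encode()).hexdigest()[:12]
    return flags, hosts, template

def rotating_templates(raw_messages):
    """Template ids whose otherwise identical bodies link to more than one host."""
    seen = defaultdict(set)
    for raw in raw_messages:
        _, hosts, template = red_flags(raw)
        seen[template] |= hosts
    return {t: h for t, h in seen.items() if len(h) > 1}

# Constructed sample messages; hosts are placeholders, not observed indicators.
SAMPLES = [
    "From: Patriot Store <shopper1@gmail.com>\nSubject: New Trump flag\n\nShop Now: https://shop-a.example/flag\n",
    "From: Patriot Store <shopper2@gmail.com>\nSubject: New Harris flag\n\nShop Now: https://shop-b.example/flag\n",
    "From: Giveaway Team <info@resort.example.ph>\nSubject: Trump token giveaway\n\nClaim: https://wallet.example/claim\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(sorted(red_flags(raw)[0]))
    print(rotating_templates(SAMPLES))
```

Domain age, the third signal mentioned above, needs a WHOIS or RDAP lookup and is left out so the example runs offline.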

 

Conclusion

In summary, we are seeing a continuous stream of different types of spam exploiting this pivotal election. Trump is the most used name in the subject lines of these emails so far, followed by Harris, then Biden. These candidates and their parties are used as a lure in a variety of malicious messages sent to voters’ inboxes. As election day draws near, we expect an influx of these messages that will attempt to deceive voters and steal their information.

Cyber attackers will exploit emotions, spread misinformation, and employ social engineering to bait readers into engaging with spam. We highly advise everyone to follow email best practices such as not clicking on suspicious links, not opening message attachments, and scrutinizing every election-related email you receive.

This blog is part of Trustwave SpiderLabs’ ongoing investigation into the cyber threats facing the upcoming US election. Please see below for all our coverage:
