US Election Cyber Attacks Traced to Russia, China, Iran
The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) issued a bulletin about increasing cyber attacks targeting entities connected to the US Presidential elections. CISA released CISA Insights: Actions to Counter Email-Based Attacks on Elections-Related Entities. Threat actors are targeting political parties, campaign workers and volunteers, think tanks, civic organizations, any associated individual, and of course the candidates themselves.
“Recent reporting shows 32 percent of breaches involve phishing attacks, and 78 percent of cyber-espionage incidents are enabled by phishing,” says CISA. The election hackers use phishing emails as their primary tactic. These malicious emails attempt to trick the victim into acting before scrutinizing the email.
Yesterday, Microsoft Corp (MSFT.O) warned Presidential candidate Joe Biden’s campaign advisory firm, SKDKnickerbocker, that the firm had been the target of two months of phishing attacks.
Phishing Emails Tempt Victims into Taking Any of These Actions:
- Click on a link that leads to a credential harvesting web page or pop-up window
- Open an email attachment that automatically downloads malware to the victim’s computer
- Click on a link that simply verifies that the attacker has your valid email account
Once a threat actor has a valid email account, they work to harvest the victim’s password and gain access. If an email account is compromised, it can be used to reset passwords to any other account that’s connected to it. For example, if a hacker is able to get into your work email account and you have all your bank statements sent to that email account, the hacker can issue a password reset and gain access to your bank account.
Types of Password Attacks
Knowing that many people reuse the same username and password combinations across multiple online accounts, hackers attempt to break into emails or corporate accounts reusing passwords found on the dark web.
- During brute force password attacks, threat actors use computer scripts to attempt username and password combinations against an online account. They have already stolen a username or email address used by an individual. In addition, they have harvested other passwords the target uses on other websites.
- Password spray attacks are a variant of brute force attacks. The threat actor uses a list of common passwords and automated computer scripts to attempt thousands of password combinations to break into an online account. People often use weak passwords that are easy to remember, like “password123” or their favorite sports team. That’s why it’s important to use a unique password for every online account. The script may try a set of credentials and move to the next user’s account to avoid detection.
- In a credential stuffing attack, the threat actor uses a list of stolen emails, usernames, and passwords to break into one web application. This attack is also automated. The goal is to get lucky and compromise an account that has privileged or admin access.
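The difference between brute force and password spray matters for detection, because a per-account lockout only sees the first. The following added example (not from CISA or the original article) classifies failed logins per source instead; the log format, thresholds, and sample lines are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5    # assumed per-account lockout limit
SPRAY_MIN_ACCOUNTS = 10  # assumed: distinct accounts tried by one source
LINE_RE = re.compile(r"^(\S+) LOGIN_FAILED src=(\S+) user=(\S+)$")

def build_sample_log():
    """Constructed log lines in a made-up format (documentation IP ranges)."""
    day, lines = "2020-09-10T14", []
    # One source guessing many passwords for a single account.
    for i in range(12):
        lines.append(f"{day}:00:{i:02d}Z LOGIN_FAILED src=198.51.100.7 user=alice")
    # One source trying two common passwords against 15 accounts in turn.
    for rnd in range(2):
        for i in range(15):
            lines.append(f"{day}:1{rnd}:{i:02d}Z LOGIN_FAILED "
                         f"src=203.0.113.9 user=staff{i:02d}")
    # An ordinary user mistyping a password twice.
    lines += [f"{day}:05:00Z LOGIN_FAILED src=192.0.2.44 user=bob"] * 2
    return lines

def failures_by_source(lines):
    """Return {source_ip: {username: failed_attempts}}."""
    table = defaultdict(lambda: defaultdict(int))
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            _timestamp, src, user = match.groups()
            table[src][user] += 1
    return table

def classify_sources(lines):
    """Label each source by the shape of its failures across accounts."""
    verdicts = {}
    for src, accounts in failures_by_source(lines).items():
        if max(accounts.values()) >= LOCKOUT_THRESHOLD:
            verdicts[src] = "brute_force"
        elif len(accounts) >= SPRAY_MIN_ACCOUNTS:
            verdicts[src] = "password_spray"
        else:
            verdicts[src] = "benign"
    return verdicts

def accounts_over_lockout(lines):
    """Accounts that a per-account lockout rule alone would flag."""
    totals = Counter()
    for accounts in failures_by_source(lines).values():
        totals.update(accounts)
    return sorted(u for u, n in totals.items() if n >= LOCKOUT_THRESHOLD)
```

On the sample data the lockout rule flags only `alice`, while the per-source view also surfaces the spray that touched 15 accounts twice each. A credential stuffing run produces the same many-accounts, few-attempts shape in failure logs, so the spray rule covers it as well.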
CISA recommends using a password manager app for all employees and requiring its use for all online accounts. Password managers are apps that automatically generate secure and random passwords. Password Keeper is a quality app that works across most devices and browsers.
Since it can be difficult to remember a unique password for each online account, password manager apps store them for you and sync them across all of your devices. When you need to login online, the app verifies that the website is legitimate and enters the password for you.
Password managers won’t work on a website that is associated with malware, spoofed domains, or other suspicious web pages.
How to Secure Email Accounts
- Require two-factor authentication (2FA) or multi-factor authentication (MFA) for all email accounts
- Use an authenticator app (like Google Authenticator) for MFA if the email account supports it
- Only use SMS text and email-based MFA if there is no other option
- If your email service does not offer 2FA or MFA, change to an email service with better security. We use AWeber.
- Use biometric login to protect computers and phones. If your device does not support fingerprint or facial scan login, consider upgrading to a device that has biometric login.
- Block email beyond a certain size and emails with attachments that exceed a certain size
- Deploy an email filter solution that blocks emails based on headers and malicious content
- Consider implementing warning banners to alert users about emails (particularly those with links and attachments) that originate from outside the organization
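The size limit and external-sender banner from the list above can be sketched as a single gateway check. This is an added example, not CISA's or any mail product's code; the domain, size limit, banner text, and sample messages are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

ORG_DOMAIN = "example.org"   # assumed internal domain
MAX_MESSAGE_BYTES = 200_000  # assumed limit, kept small for the demo
BANNER = "[EXTERNAL: links or attachments] "
LINK_RE = re.compile(r"https?://", re.IGNORECASE)

def gateway_decision(raw):
    """Return (action, subject): 'reject', 'banner' or 'deliver'."""
    if len(raw) > MAX_MESSAGE_BYTES:
        return "reject", None
    msg = message_from_bytes(raw, policy=policy.default)
    subject = str(msg.get("Subject", ""))
    # Compare the address, not the display name, which the sender picks.
    # Assumes email authentication upstream already rejected forged
    # ORG_DOMAIN senders; the From header alone proves nothing.
    domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        return "deliver", subject
    has_attachment = any(True for _ in msg.iter_attachments())
    body = msg.get_body(preferencelist=("plain", "html"))
    has_link = body is not None and bool(LINK_RE.search(body.get_content()))
    if has_attachment or has_link:
        return "banner", BANNER + subject
    return "deliver", subject

def build_message(sender, subject, text, attachment_size=0):
    """Construct a sample message (test data, not real mail)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "staff@example.org", subject
    msg.set_content(text)
    if attachment_size:
        msg.add_attachment(b"\0" * attachment_size, maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()

if __name__ == "__main__":
    raw = build_message("Help Desk <helpdesk@example.net>", "Password reset",
                        "Sign in at https://example.net/reset")
    print(gateway_decision(raw))
```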
A password manager will help users create, store, and remember unique and hard-to-guess passwords for every online account.
CISA recommends that all organizations protect online accounts from phishing attacks with these steps:
- Use provider-offered protections, if utilizing cloud email
- Secure user accounts on high-value services
- Implement email authentication
- Secure email gateway capabilities
Register your organization for a password breach monitoring service. A security monitoring service can warn an organization or individuals of identity theft, data breaches, and password compromises.
Hackers use login credentials stolen in previous data breaches. Personal information taken from eCommerce websites, loyalty programs, bank accounts, credit files, and other retailers is sold on the dark web. Hackers use this information to break into more valuable accounts. A monitoring service can alert you anytime your username or email shows up on the dark web for sale or is involved in a data breach.