Hackers have been targeting Trump supporters with a range of phishing campaigns and malware that exploit their political loyalties in an attempt to access their financial information.
The news comes from Area1 Security whose team of researchers was able to discover a new phishing campaign that was “using updated tactics by leveraging the hype surrounding President Trump’s decision to halt U.S. funding for the World Health Organization (WHO).”
The researchers say that the hackers targeted Trump supporters directly with relatively sophisticated phishing campaigns purportedly sent from a Political Action Committee (PAC) email domain.
Area1 Security writes that “in a ruse to drop this dangerous banking trojan, the malicious messages take the form of a typical Political Action Committee (PAC) email, eliciting support for presidential incumbent Donald Trump in the upcoming 2020 election.”
The team says it first observed the campaign targeting Trump supporters with phishing and malware on August 21st, and that it “contains all the hallmarks of the resurgence of Emotet,” referring to the Emotet malware strain known to target online banking and financial services.
Researchers say that the emails “bait” recipients with “Fwd:” and “Re:” subject lines combined with extremely politicised content, tricking Trump supporters into both opening the email and clicking a bright red “Stand With Trump” button.
The team at Area1 Security says that “the attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message… every link works and leads to benign web pages of the impersonated PAC.”
They say that the Emotet malware is downloaded onto the victim’s computer once the attached Microsoft Word document is opened.
“Like a wolf in sheep’s clothing, the attacker cleverly disguises their Emotet delivery mechanisms as messaging about timely and highly publicized, hot-button issues in politics,” the team continued. They point to one example of an email sent with the subject line “Fwd: Breaking: President Trump suspends funding to WHO,” which prompted recipients to “Stand With Trump.” The sender used a legitimate but compromised domain name belonging to the political group to build trust in the eyes of the recipient.
According to a report from InfoSecurity Magazine’s Sarah Coble, “while the sender addresses used to spread the WHO-themed phishing messages varied, all were observed to have come from a legitimate account that had been compromised by the attacker.”
“This tactic allowed the attacker to successfully pass email authentication protocols such as DMARC,” Coble adds, concluding that “using hijacked legitimate email addresses would also have made it very difficult for victims to grasp the fact that they were being duped by a cyber criminal.”
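As an added defender-side illustration (not code from Area1 Security’s or InfoSecurity Magazine’s reporting), the following Python triage routine treats a DMARC pass as a domain check only and flags the combination the article describes: a forwarded or reply subject line plus an attached Office document, delivered from an authenticated sender. The sample message, the pac.example.org domain and the attachment name are constructed placeholders.

```python
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OFFICE_EXTS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")
BAIT_PREFIXES = ("fwd:", "fw:", "re:")

def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in str(hdr).split(";")[1:]:  # clause [0] is the authserv-id
            clause = clause.strip()
            for method in ("spf", "dkim", "dmarc"):
                if clause.startswith(method + "="):
                    verdicts[method] = clause[len(method) + 1:].split()[0]
    return verdicts

def office_attachments(msg) -> list:
    """Names of attached Office documents (the Emotet carrier in this campaign)."""
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return [n for n in names if n.lower().endswith(OFFICE_EXTS)]

def triage(raw: bytes) -> dict:
    """Flag a message that pairs the bait subject with a document lure,
    regardless of (or precisely despite) a DMARC pass."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    subject = str(msg["Subject"] or "").strip().lower()
    auth, docs, reasons = parse_auth_results(msg), office_attachments(msg), []
    if subject.startswith(BAIT_PREFIXES):
        reasons.append("forwarded/reply subject used as bait")
    if docs:
        reasons.append("office document attached: " + ", ".join(docs))
    if auth.get("dmarc") == "pass" and docs:
        # dmarc=pass only proves the sending domain; a hijacked mailbox passes too.
        reasons.append("authenticated sender delivering a document lure")
    return {"dmarc": auth.get("dmarc"), "attachments": docs,
            "suspicious": len(reasons) >= 2, "reasons": reasons}

def build_sample(with_attachment: bool) -> bytes:
    """Constructed stand-in for the forwarded mailer; pac.example.org is a placeholder."""
    m = EmailMessage()
    m["From"] = "updates@pac.example.org"
    m["To"] = "supporter@example.net"
    m["Subject"] = "Fwd: Breaking: President Trump suspends funding to WHO"
    m["Authentication-Results"] = ("mx.example.net; spf=pass smtp.mailfrom=pac.example.org; "
                                   "dkim=pass header.d=pac.example.org; dmarc=pass header.from=pac.example.org")
    m.set_content("Stand With Trump - see the attached statement.")
    if with_attachment:  # the benign forwarded mailer has no document attached
        m.add_attachment(b"placeholder document bytes", maintype="application",
                         subtype="msword", filename="Statement.doc")
    return m.as_bytes()
```

Run `triage(build_sample(True))` to see the lure flagged with three reasons, and `triage(build_sample(False))` to see the same forwarded mailer without the attachment left unflagged.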