
    No Politician Too Small: School Board Candidates Targeted By Phishing and BEC Scams

    Cybercriminals are broadening their targets to include even local political candidates, as an escalating series of phishing attacks was recently directed at school board candidates in Colorado.

    Andrew Brandt, Principal Researcher at Sophos, ran for a school board seat himself, and he investigated the phishing and BEC attacks targeting the fellow candidates he ran against.

    In the Boulder County, Colorado school board election in which Andrew ran, nine other candidates were vying for four open seats. At least three candidates (including Andrew) were targeted with a BEC campaign using social engineering tactics. The attackers had clearly done their homework, mapping a social graph of the relationships among people connected to the school district.

    While federal election years tend to draw more attention from threat actors, this investigation shows that even lower-profile “off-year” local elections can attract them. Just last December, the US, UK, and others warned that Russian state hackers were targeting political candidates with phishing.

    Though no direct evidence links this Colorado campaign to Russian actors, some Russian services were involved. The initial BEC emails invoked the names of other candidates but originated from Russian webmail providers. The messages tried to trick recipients into purchasing gift cards, a common BEC tactic.

    The attacks then escalated to customized spear phishing emails spoofing a document signing service. The attachment carried Andrew’s campaign logo and attempted to capture his email password through a phishing page that covertly exfiltrated any credentials entered.

    Further research found over 2,000 similar phishing emails between September and November 2023, targeting nearly 800 organizations beyond just political campaigns. From municipalities to healthcare providers, the attachments were tailored with each target’s website logos pulled in dynamically.

    The phishing pages accepted three password attempts before redirecting users, maximizing potential for credential theft. Any entered passwords were exfiltrated through Telegram’s API to the attackers’ channels.
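The behaviour described above (a password form, a three-attempt limit, a logo fetched from the target's own site, and exfiltration via the Telegram Bot API) can be turned into a simple triage check for HTML e-mail attachments. The following is an added example for defenders, not code from Sophos, KnowBe4 or the campaign itself; the weights, the `example-district.test` host and the sample attachment are constructed assumptions.

```python
"""Heuristic triage for HTML e-mail attachments showing the traits described
above: a password form, an attempt counter, a logo fetched from the target's
own site, and exfiltration to the Telegram Bot API. Weights are assumptions."""
import re
from dataclasses import dataclass, field

# Telegram Bot API calls take the form api.telegram.org/bot<token>/<method>
TELEGRAM_BOT_API = re.compile(r"api\.telegram\.org/bot[^/\s]+/sendMessage", re.I)
PASSWORD_INPUT = re.compile(r"<input[^>]+type\s*=\s*[\"']?password", re.I)
# A literal retry limit in inline script, e.g. "attempts >= 3"
RETRY_COUNTER = re.compile(r"\b(attempts|attempt|tries|count)\s*(>=|==|<|>)\s*[1-5]\b", re.I)
REMOTE_LOGO = re.compile(r"<img[^>]+src\s*=\s*[\"']https?://[^\"']*(logo|favicon)", re.I)

@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

def triage_html_attachment(html: str) -> Verdict:
    """Score an HTML attachment; a score of 5 or more deserves analyst review."""
    verdict = Verdict()
    checks = [
        (TELEGRAM_BOT_API, 5, "references Telegram Bot API sendMessage"),
        (PASSWORD_INPUT, 2, "contains a password input"),
        (RETRY_COUNTER, 1, "inline attempt counter"),
        (REMOTE_LOGO, 1, "loads a logo from a remote site"),
    ]
    for pattern, weight, reason in checks:
        if pattern.search(html):
            verdict.score += weight
            verdict.reasons.append(reason)
    return verdict

# Constructed sample: a skeleton with only the traits the detector keys on,
# not a working phishing page (the token is a placeholder, nothing is sent).
SAMPLE_ATTACHMENT = """<html><body>
<img src="https://example-district.test/images/logo.png">
<form><input type="password" name="pw"><button>View document</button></form>
<script>
var attempts = 0, endpoint = "https://api.telegram.org/bot<TOKEN_PLACEHOLDER>/sendMessage";
function onSubmit() { attempts++; if (attempts >= 3) { location.href = "https://example-district.test/"; } }
</script></body></html>"""

if __name__ == "__main__":
    print(triage_html_attachment(SAMPLE_ATTACHMENT))
```

Run it on the constructed sample and it scores 9 with all four reasons listed; a plain HTML agenda scores 0. Tune the patterns and weights to your own mail gateway before relying on them.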

    The lengths attackers will go to illustrate that no candidate is too small or local to be targeted. Staying alert and taking basic security steps can go a long way in protecting your campaign. And with 2024’s high-stakes US federal elections coming, further attacks on candidates, campaigns and election infrastructure are to be expected.

    KnowBe4 empowers your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.

    Sophos has the full story

    Free Phishing Security Test

    Would your users fall for convincing phishing attacks? Take the first step now and find out before bad actors do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

    Here’s how it works:

    • Immediately start your test for up to 100 users (no need to talk to anyone)
    • Select from 20+ languages and customize the phishing test template based on your environment
    • Choose the landing page your users see after they click
    • Show users which red flags they missed, or a 404 page
    • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
    • See how your organization compares to others in your industry

    PS: Don’t like to click on redirected buttons? Cut & Paste this link in your browser: https://info.knowbe4.com/phishing-security-test-partner?partnerid=001a000001lWEoJAAW
