Derek B. Johnson
An intense presidential election and a grueling week of vote counting has left many Americans distracted from their work, anxious for the latest news and less vigilant about other threats. That’s precisely what many cyber criminals are counting on.
Research this week from Malwarebytes Labs has stumbled upon a new phishing campaign from the operators behind QBot, a notorious banking trojan. This latest tactic is actively exploiting Americans’ desire for information about vote counts and their anxiety about possible dirty tricks in the electoral process.
The campaign, which researchers began tracking early Wednesday morning as President Donald Trump and former Vice President Joe Biden were locked in a number of close races across different battleground states, leverages email lures with zip files or attachments with names like “Election Interference.”
Jérôme Segura, director of threat intelligence at Malwarebytes Labs, told SC Media in an interview that they don’t yet have a sense of how widespread these particular lures are yet. QBot generally targets North America but the broad “shotgun” approach of their infection strategy can take a winding and unpredictable path, since every new infected device is a staging ground for the botnet’s next set of victims.
QBot uses a “thread reply” strategy with its phishing lures, essentially infecting a victim’s device and email and sending replies to existing email chains between the victim and others, hoping to infect as many of them in turn. This means the lures are not coming from strangers or new emails that arrive in your inbox completely out of the blue, but rather as a reply midway through an existing email conversation you’re already having with friends, family or another party.
Latching onto current events for new phishing themes is not a new tactic for cybercriminals, but by using trusted senders and existing email threads, QBot operators are able to capitalize even more on an election-related lure themes.
“The number of people who are going to be opening those files is going to be much, much higher than just a generic campaign of malspam, said Segura. “Even though it’s a massive distribution, a kind of shotgun approach, at the same time using the email threading plus the election [theme], I think definitely increases their infection ratio.”
According to Segura, new infections serve multiple objectives for QBot operators. In addition to growing the botnet and providing fresh contacts and pathways for new infections, they scrape browsers and files for passwords or other credentials. If a newly infected machine is connected to a larger network, say a company, that information can be sold or leveraged for a more targeted attack in the future.
“I think it was a successful wave and we’re keeping an eye on what the next evolution will be,” depending on how the results play out, said Segura.
It’s a reminder for businesses and IT security teams that their employees are in a vulnerable and less focused state of mind, and criminal groups are actively seeking to exploit that distraction. Elections are often stressful, but record turnout from voters and intense passions about the respective candidates mean workers could be even more distracted than usual this week.
A recent survey by the American Psychological Association found that 68 percent of Americans say the election has been a significant source of stress in their lives, significantly higher than the number who said the same about the 2016 election (52 percent). Razor thin margins in the remaining states and a longer vote counting process due to various state rules around counting mail-in ballots have likely only exacerbated that stress and increased the likelihood that victims fall for the trap.