Election misdirection: Scammers exploiting presidential race with malware, spam and bots

News by Bradley Barth

As Election Day approaches, researchers have detected a marked uptick in malicious cyber campaigns that seek to capitalize on the highly contentious 2016 race for president.

As Election Day approaches, researchers have detected a marked uptick in malicious campaigns. No, we're not talking about Donald Trump's and Hillary Clinton's latest attacks on each other, but rather cyber campaigns that seek to capitalise on the highly contentious 2016 race for president. 

In the last few days, prominent researchers have warned of spammers flooding people with election-themed emails, some of which deliver ransomware and other nasties. Experts have also issued reports on botnets influencing social media's coverage of the election campaign, as well as newly discovered methods for potentially hacking voting systems.

Symantec on Wednesday reported that from mid-September to mid-October it blocked nearly 8 million spam emails containing election-based content, subject lines or attachments. Over that period, the volume of election-themed spam steadily increased, with large spikes in activity on 27 September (almost 500,000 blocked emails) and again on 10 October (just over 400,000), the day after the second presidential debate.

While some of these spam communications genuinely did concern the election, others simply used the topic as a lure to open the email. Making matters worse, there were “a smaller but significant number of emails with malicious attachments,” the company warned in its blog post. Malicious JavaScripts comprised 62 percent of these attachments, while generic trojans and the Dridex banking malware made up 15 percent apiece.

One spam message with a malware-laced .zip file tantalised its recipients with the subject line “Donald Trump's Secret Letter,” promising hidden Trump emails. Another purported to possess a video of Hillary Clinton meeting with an ISIS leader, but actually contained a Java file spiked with a malicious remote access trojan.

Meanwhile, researchers at Zscaler's ThreatLabZ came across a Spanish-language election-based spam campaign that employs ransomware to encrypt victims' local, removable and network-mapped drives.

The spam's subject line promises the reader the latest results from the 2016 presidential primaries, Zscaler reported in a blog post on Tuesday. Oddly, the sample shown in the post was dated 24 August, long after the primaries were already decided.

Attached to the email is a malicious Portable Executable file whose icon is disguised as an Adobe PDF document. Clicking on the attachment opens a decoy document that appears to be a PDF containing election survey results. Once the malware fully encrypts the machine's files, it produces the ransom demand (1 bitcoin in the published sample) and instructions.

The ransomware claims to be Cryptowall, but in reality it is a far less dangerous program, written in .NET and relying on symmetric encryption, which means “victims can get their files decrypted without paying the ransom, provided they keep a copy of the ransomware executable or the dropped key file,” Zscaler explained in its blog post.

“Apparently, the authors are taking advantage of the popularity of both the elections, to lure the victims, and the Cryptowall ransomware strain to scare the victims into paying,” said Deepen Desai, Zscaler's director of security research, in an email interview with SCMagazine.com.

Zscaler also encountered what appears to be a work-in-progress ransomware named after Donald Trump himself. The researchers believe The Donald Trump Ransomware may be in a developmental stage because at the time of discovery it did not actually encrypt files or ask for ransom. Instead, it simply renames certain files in a manner that is entirely reversible. It is not clear how this particular ransomware is being distributed, but Desai told SC that “The attackers may be spreading it as a secret campaign document.” 

Zscaler found other election-themed cyber campaigns leveraging ads and website content. One online ad offered a torrent-based download for a Steam simulation game entitled: “Make America Great Again – The Trump Presidency.” Upon activation, the executable file opens a browser and directs the user to a web page offering downloads of potentially unwanted programs.

Botnets are often responsible for distributing spam emails such as the ones described above, but they can also pollute social media with unwanted content. Indeed, an academic research paper published last Friday reported that bots were likely responsible for about 20 percent of approximately 9 million election-related Twitter comments posted from 26 to 29 September.

In the majority of cases, the bots' tweets were decidedly partisan: according to the paper, about one-third of pro-Trump/anti-Hillary Twitter traffic was likely driven by bots, while bots likely generated one-fifth of pro-Clinton/anti-Trump Twitter traffic. After discounting the fraudulent traffic, the researchers determined that Trump still would have outpaced Hillary in the number of tweets favoring his campaign.

“Bots have become a means of managing citizens, by going beyond simply padding follower lists to retweeting volumes of commentary,” stated the report, co-authored by researchers Professor Philip Howard at Oxford University, Bence Kollanyi at Corvinus University in Budapest, and Samuel Woolley at the University of Washington.

The trio of researchers considered tweets to be bot-generated if they came from an account that posted at least 50 times in a 24-hour period (although the paper acknowledges that extremely active users could potentially generate this volume of activity). Using this methodology, the researchers found that out of 2 million accounts, 4,500 were controlled by bots. “In other words, less than half a percent of the accounts generate almost a fifth of all the content,” the paper stated.
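The paper's 50-posts-in-24-hours heuristic, as an added illustration that is not the researchers' own code: it flags accounts over a sliding 24-hour window (stricter than a calendar day) and reports what share of all content the flagged accounts produce, run on a constructed sample rather than real Twitter data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50               # posts inside any 24-hour window (the paper's heuristic)
WINDOW = timedelta(hours=24)

def max_posts_in_window(timestamps, window=WINDOW):
    """Largest number of posts by one account that fall inside any sliding window."""
    ts = sorted(timestamps)
    best = left = 0
    for right in range(len(ts)):
        while ts[right] - ts[left] >= window:   # drop posts that fell out of the window
            left += 1
        best = max(best, right - left + 1)
    return best

def flag_bot_like(tweets, threshold=THRESHOLD):
    """tweets: iterable of (account, datetime). Returns the set of accounts over the threshold."""
    per_account = defaultdict(list)
    for account, when in tweets:
        per_account[account].append(when)
    return {acct for acct, ts in per_account.items()
            if max_posts_in_window(ts) >= threshold}

def content_share(tweets, flagged):
    """(fraction of all tweets from flagged accounts, fraction of accounts that were flagged)."""
    total = len(tweets)
    from_flagged = sum(1 for acct, _ in tweets if acct in flagged)
    accounts = {acct for acct, _ in tweets}
    return from_flagged / total, len(flagged) / len(accounts)

def build_sample():
    """Constructed sample data (not from the paper): one high-volume account, one busy
    human-like account, and twenty casual posters, all starting 26 September 2016."""
    start = datetime(2016, 9, 26, 0, 0)
    tweets = []
    # 72 posts at 20-minute intervals: all inside one 24-hour window, so it crosses 50
    tweets += [("highvol_01", start + timedelta(minutes=20 * i)) for i in range(72)]
    # 45 posts at 2-hour intervals over four days: at most 12 in any 24-hour window
    tweets += [("busy_human", start + timedelta(hours=2 * i)) for i in range(45)]
    # 20 casual accounts with 3 posts each
    for n in range(20):
        tweets += [(f"casual_{n:02d}", start + timedelta(hours=6 * i + n)) for i in range(3)]
    return tweets

if __name__ == "__main__":
    sample = build_sample()
    flagged = flag_bot_like(sample)
    print(flagged, content_share(sample, flagged))
```

The busy account shows the caveat the paper itself raises: a very active human who never reaches 50 posts in a single day is not flagged, while one steadily posting account accounts for over 40 percent of the sample's content.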

Meanwhile, a separate Symantec report warned of various ways hackers could impact an election by eroding citizen trust and even altering votes on a small scale.

For its “Hack the Vote” experiment, Symantec researchers purchased actual direct-record electronic voting machines from an auction website and looked for potential vulnerabilities. The report stated that both the voting machine's internal hard drives and the external cartridges that store the votes lacked encryption, presenting “opportunities for hackers to reprogram and alter ballots.”

Moreover, the storage cartridges, which act like USB drives, could be compromised to infect a central voting database upon connection, allowing a hacker to modify or even delete vote tabulation, causing a recount in multiple precincts.

Precincts that hand out chip cards for use in conjunction with electronic voting machines have another problem as well: hackers could use a Raspberry Pi-type device to reset the card immediately after casting their ballot and then vote several more times before exiting the booth.

Some of these hacks would require unauthorised access to the equipment, which in some cases might prove difficult. Also, due to the decentralised nature of U.S. elections, any potential vote rigging would most likely be highly localised and minor in scope. Regardless, “it only takes one person to hack one machine in one precinct to bring into question all voting machine records,” said Brian Varner, principal researcher at Symantec, in an email interview with SC. “That's why one small hack will have a big impact, because it'll require all precincts to do recounts, forensics, etc. to rule out whether or not the hack actually occurred.”
