A new phishing campaign is targeting supporters of President Donald Trump with a banking Trojan. This politically targeted campaign was detected by Area 1 Security on August 21, 2020. Victims are lured into opening messages that appear to come from legitimate political action committees (PACs) but are, in fact, fraudulent.
The messages refer to campaign issues and events, and victims who take the bait are infected with Emotet malware. According to Area 1 Security: “The attacker forwards a legitimate PAC mailer to develop a false sense of legitimacy, with entirely authentic content throughout the body of the message. Every link works and leads to benign web pages of the impersonated PAC.”
The Emotet downloader is contained in a Word document, which is attached to the email. Hackers have attempted to leverage Trump’s decision to temporarily withhold funding from the World Health Organization, pending the outcome of an investigation into the global health agency’s response to the Coronavirus pandemic.
One of the emails, sent with the subject “Fwd: Breaking: President Trump suspends funding to WHO”, called for recipients who agreed with the suspension of WHO funding to click on a button marked “Stand with Trump.” The hackers are also using Display Name Spoofing to hide the sender’s true email address.
While the sender email addresses used to spread the WHO-themed spear-phishing messages varied, each came from a legitimate account that had been compromised by hackers. Because the mail is genuinely sent from the compromised account's own domain, this tactic allows attackers to pass email authentication protocols, including DMARC.
Using hijacked email addresses would also make it difficult for victims to realize that hackers were duping them. Area 1 Security researchers found that compromised email accounts of several small businesses around the world were used in each wave of this campaign, which tricked victims with the same stolen Political Action Committee email content.
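A mail-gateway triage check for the combination described above (a trusted display name on an unrelated address that still passes DMARC, plus a Word attachment), as an added example that is not taken from Area 1 Security's report. The PAC name, domains, allow-list and file name are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; names, domains and file name are placeholders.
SAMPLE = """\
From: "Example Patriot PAC" <office@smallbiz.example>
To: voter@recipient.example
Subject: Fwd: Breaking: President Trump suspends funding to WHO
Authentication-Results: mx.recipient.example; spf=pass; dkim=pass; dmarc=pass
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Stand with Trump
--b1
Content-Type: application/msword
Content-Disposition: attachment; filename="statement.doc"

(constructed placeholder body)
--b1--
"""

# Assumed allow-list: known sender display names -> domains they really send from.
KNOWN_SENDERS = {"example patriot pac": {"patriotpac.example"}}
WORD_EXT = (".doc", ".docm", ".docx")

def triage(raw, known=KNOWN_SENDERS):
    """Return a list of findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = known.get(name.strip().lower())
    if expected is not None and domain not in expected:
        findings.append("display-name-mismatch")
    # DMARC only vouches for the address domain, never for the display name.
    auth = msg.get("Authentication-Results", "")
    if findings and re.search(r"\bdmarc=pass\b", auth, re.I):
        findings.append("dmarc-pass-not-exculpatory")
    for part in msg.walk():
        fn = (part.get_filename() or "").lower()
        if fn.endswith(WORD_EXT):
            findings.append("word-attachment")
            break
    return findings
```

The same message sent from the PAC's real domain yields only the attachment finding, so the display-name check is what separates the spoof from the genuine mailer.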