Palo Alto Networks cybersecurity experts: The malware has several capabilities and, along with the gang’s name, references to Ascension of Isaiah 2:4.
Proofpoint: Someone is still trying to steal U.S. voters' personal information via phishing
Cybercrime or cyber-espionage threat actors are still trying to collect U.S. voters' personal information through phishing, Proofpoint cybersecurity experts have discovered. Last week, researchers explored messages using voter registration themes to entice users to share various pieces of personal information, such as their Social Security Number (SSN), Tax ID, and driver's license details. Now they have identified additional efforts from the same actor, attempting to collect banking credentials and account numbers, along with the recipient's "Vehicle licence Number [sic]," possibly a license plate or vehicle identification number (VIN) value. Hundreds of messages with links to the credential phishing landing page were sent to recipients across multiple organizations, though there is no clear targeting of any specific industry. The lures associated with this credential phishing site are similar to others sent by this actor, though they no longer mention any specific U.S. state.
The cybersecurity experts: Through links in emails, the potential victim is taken to a phishing landing page that requests a variety of information
According to cybersecurity experts, upon clicking the "You may reconfirm application here" link, the potential victim is taken to a landing page that requests a variety of information, including name, contact information, and bank and email credentials. The UI of this information and credential phishing landing page is reminiscent of the previous pages researchers observed from this actor, which supports the theory that they are making small changes to rebrand, or to solicit slightly different information, with each iteration of their landing pages. With this iteration, the theme and branding shift from one page of the form to the next. The landing page initially requests the same information as in previous iterations: name, address, contact information, as well as SSN, Tax ID, and driver's license number, issue date, and expiration date. It also carries the same branding, the Election Assistance Commission (EAC) logo, as observed previously.
The cybercrime or cyber espionage threat actor's operation, studied in 6 steps
Proofpoint revealed that the second page of the form shifts to a stimulus theme, possibly COVID-19-related, suggesting that the user should fill in their bank name, account number, and routing number to claim their stimulus. The branding in the upper left corner of the page shifts from the EAC logo to the U.S. government's official web logo. The third page requests "Bank username or ID" and "Password," still using the "claim your stimulus" messaging. The fourth is nearly identical to the previous page, aside from changing "Bank username or ID" to "Email" in an attempt to collect email credentials. Finally, the title of page 5 changes to "Voter Registration," though the user is asked for the "Vehicle licence Number" [sic] of their automobile. Upon submission of the final page of the form, the user is sent to the official voter information lookup page for a western U.S. state.
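The lure wording and the data fields the landing pages solicit, as described above, are the kind of indicators a mail-triage rule can key on. The following Python script is an added example written for this page, not Proofpoint's detection logic: it parses a raw email, scores it for the voter-registration and stimulus themes, for requests for SSN, Tax ID, driver's license, bank or vehicle details, and for election-themed links that do not point at a .gov host (the .gov assumption, the weights, the thresholds and the two sample messages are all constructed for illustration).

```python
"""Heuristic mail triage for the voter-registration / stimulus credential-phishing
lure described above. Added example for this page, not Proofpoint's own detection
logic; the phrases come from the campaign description, while the sample messages,
weights and thresholds are constructed."""
import re
from email import message_from_string
from email.message import Message
from urllib.parse import urlparse

# Lure wording reported for this campaign (see the description above).
VOTER_THEME = ("voter registration", "reconfirm application", "election assistance commission")
STIMULUS_THEME = ("claim your stimulus", "stimulus payment")

# Data the landing pages solicit; a message asking for several of these at once
# is a much stronger signal than any single term.
PII_TERMS = {
    "ssn": r"\b(ssn|social security number)\b",
    "tax_id": r"\btax id\b",
    "drivers_license": r"\bdriver'?s licen[cs]e\b",
    "bank": r"\b(routing number|account number|bank username)\b",
    "vehicle": r"\bvehicle licen[cs]e number\b",
}

# Assumption: genuine U.S. election notices link to .gov hosts, so an election
# or stimulus themed message whose links go elsewhere is suspicious.
TRUSTED_SUFFIXES = (".gov",)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def extract_text(msg: Message) -> str:
    """Return the decoded text/plain and text/html bodies of a parsed message."""
    chunks = []
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() not in ("text/plain", "text/html"):
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def offsite_links(text: str) -> list:
    """Links in the body whose host is not under a trusted suffix."""
    found = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:)")  # drop trailing sentence punctuation
        host = (urlparse(url).hostname or "").lower()
        if not host.endswith(TRUSTED_SUFFIXES):
            found.append(url)
    return found


def score_message(raw_mail: str) -> dict:
    """Score one RFC 822 message; a higher score means more lure indicators present."""
    text = extract_text(message_from_string(raw_mail))
    low = text.lower()
    findings, score, themed = [], 0, False

    if any(p in low for p in VOTER_THEME):
        findings.append("voter_theme")
        score += 2
        themed = True
    if any(p in low for p in STIMULUS_THEME):
        findings.append("stimulus_theme")
        score += 2
        themed = True

    pii = [name for name, pat in PII_TERMS.items() if re.search(pat, low)]
    if pii:
        findings.append("pii_request:" + ",".join(pii))
        score += 2 * len(pii)

    links = offsite_links(text)
    if themed and links:  # themed message steering the reader off .gov
        findings.append("offsite_link")
        score += 3

    verdict = "likely_phish" if score >= 7 else "review" if score >= 3 else "low"
    return {"score": score, "verdict": verdict, "findings": findings, "links": links}


# Constructed sample messages (not real campaign samples).
PHISH_SAMPLE = """\
From: Voter Services <no-reply@voter-portal.example>
Subject: Your Voter Registration application is incomplete
Content-Type: text/plain

Our records show your voter registration application was not completed.
You may reconfirm application here: http://voter-portal.example/reconfirm
Please have your Social Security Number, Tax ID and driver's license ready.
"""

BENIGN_SAMPLE = """\
From: County Clerk <clerk@elections.example.gov>
Subject: Voter registration office hours
Content-Type: text/plain

Voter registration office hours for this month are posted at
https://elections.example.gov/hours. No action is required.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, score_message(sample))
```

The constructed lure scores 11 (voter theme, three PII requests and an off-site link) and is flagged as likely phishing, while the benign notice that mentions voter registration but links only to a .gov host and asks for nothing scores 2. The combination rule matters: theme words alone, or a non-.gov link alone, should not page an analyst, but a themed message that both asks for identity data and steers the reader off .gov reproduces the pattern this campaign relies on.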