While US businesses and local elections were the main targets of a 2023 credential-stealing campaign, 27 Australian organisations were also in the hackers’ sights.
Editor’s note: This story first appeared on HR Leader’s sister brand, Cyber Daily.
A security researcher with Sophos X-Ops – the security company’s threat response team – has outlined a widespread phishing campaign based in Russia that targeted almost 800 businesses, individuals, and even elections.
Throughout late 2023, a campaign that appears to have originated in Russia sent out more than 2,000 phishing emails in an attempt to steal login credentials and money via gift card scams.
The emails were sent using a Russian email service and were marked with a timestamp that suggested they were sent from the Moscow/St Petersburg timezone.
The majority of the more than 2,000 emails targeted US organisations and individuals, but 27 targets were Australian organisations – making Australia second only to the US, where 727 entities were targeted.
The UK was the next most targeted country, with 19 organisations in the firing line.
The twist in the tale, however, is that one of the targets was a Sophos X-Ops analyst, Andrew Brandt – and the scammers behind the campaign never worked it out.
Last year, Brandt was running for a local school board election in Colorado, and as such, he’d shared his details for a public register of candidates – which the hackers were clearly taking advantage of. In September, he received an email that purported to be from another candidate, asking for assistance. But while the email featured that candidate’s name, the actual address was a different email – one that used a free Russian webmail service, Smailru.
Recognising the signs of the scam in progress, Brandt strung the scammer along and was eventually asked to buy five US$100 gift cards. The emails petered out, but Brandt received a second email in late October, this time pretending to be from the school board’s president, but again from the same Russian webmail.
Days later, another email came in, this time using the logo from Brandt’s own election campaign, and this time attempting to steal his login credentials via a fake version of his own website. Upon examination, Brandt discovered that any credentials entered into this fake site were exfiltrated to a Telegram channel via the messaging service’s own API.
After three login attempts, Brandt was redirected to his legitimate website, presumably in an attempt to obfuscate the credential theft.
Alert to the campaign, X-Ops was able to establish the extent of the operation, which lasted from 1 September to 8 November, which was the day after election day.
While most of the entities targeted were not related to political campaigns – most emails went to organisations in “municipal and regional government agencies, healthcare providers, energy industry companies, and operators of critical infrastructure – Brandt said the campaign proves that election campaigns can still be a non-political target for scammers.
“Election campaigns operate like any business and are subjected to the same kinds of threats that target businesses, such as financially motivated schemes and credential theft. Whether you’re working for a business or a political campaign, chances are you receive some amount of email from people you don’t know – emails that indicate some sense of urgency,” Brandt said.
“It’s this impulse to respond quickly that can lead to trouble. Anyone with their contact information available online needs training in how to recognise these types of attacks, and tools like multifactor authentication on email and other accounts act as a safety net against phishing.”