HYAS warns of a resurgence in phishing aimed at political donations as the US elections approach, including fake domains designed to impersonate legitimate donation platforms. Donors and political groups are urged to verify requests and use official sites (actblue.com and winred.com) to avoid falling victim to scams. #ActBlue #DomainSpoofing
Keypoints
- The upcoming US election heightens public interest, making donors and political groups a target for cybercriminals.
- Over $14 billion was donated in the 2020 US election, creating opportunities for exploitation.
- Fake domains mimicking legitimate donation sites have resurfaced, posing risks to donors.
- A phishing site, actsblue[.]com, has been identified. It is designed to look like the official actblue.com, and its registrant remains anonymous through their choice of registrar.
- Suspicious domains registered through domain.com share the same nameservers (ns1.dotster.com, ns2.dotster.com), suggesting coordinated malicious activity.
- Donors are advised to verify the legitimacy of donation requests and use official donation websites (Republican: winred.com; Democratic: actblue.com).
- The phishing tactics include multiple payment methods and unusual account names, indicating broader fraud capabilities and potential credential collection.
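The keypoints above describe two defender-side pivots: lookalike domains that differ from actblue.com or winred.com by one or two characters, and otherwise unrelated suspicious domains that are tied together by a shared nameserver pair. The following Python script is an added example, not code from HYAS or from the original bulletin. It refangs defanged domains, flags registrable labels within a small edit distance of the official sites, and clusters all observed domains by their nameserver pair so that a domain such as nationalcommittee[.]democrat, which no string-similarity rule would catch, still surfaces through the dotster nameserver cluster. The nameserver assignments in the sample records are constructed for the example (the bulletin only says the suspicious domains share ns1/ns2.dotster.com); example-pac.org is a constructed benign control.

```python
"""Lookalike-domain triage: flag domains resembling official donation
sites and cluster observed domains by nameserver pair.
Added example; not part of the HYAS bulletin."""
from collections import defaultdict

# Official donation platforms named in the bulletin.
OFFICIAL = {"actblue.com", "winred.com"}

# Constructed sample records: domains from the bulletin's IoC list plus a
# benign control. The nameserver assignments are assumptions for the example.
SAMPLE_RECORDS = [
    {"domain": "actsblue[.]com",
     "ns": ["ns1.dotster.com", "ns2.dotster.com"]},
    {"domain": "nationalcommittee[.]democrat",
     "ns": ["ns2.dotster.com", "ns1.dotster.com"]},
    {"domain": "actblue.com",                       # official site, skipped
     "ns": ["ns-a.example.invalid", "ns-b.example.invalid"]},
    {"domain": "example-pac.org",                   # constructed benign control
     "ns": ["ns1.example.invalid", "ns2.example.invalid"]},
]


def refang(domain: str) -> str:
    """Turn a defanged indicator like actsblue[.]com back into a real domain."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label only (not public-suffix aware; fine for .com/.democrat)."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def closest_official(domain: str, max_distance: int = 2):
    """Return (official_domain, distance) for the nearest official site within
    max_distance edits of the registrable label, or None if none is close."""
    label = registrable_label(domain)
    best = None
    for official in sorted(OFFICIAL):
        d = levenshtein(label, registrable_label(official))
        if d <= max_distance and (best is None or d < best[1]):
            best = (official, d)
    return best


def triage(records):
    """Flag lookalikes and group domains by nameserver pair.
    Returns {"lookalikes": {domain: (official, distance)},
             "clusters": {(ns, ns): [domains sharing that pair]}}."""
    lookalikes = {}
    by_ns = defaultdict(list)
    for rec in records:
        dom = refang(rec["domain"])
        if dom in OFFICIAL:
            continue                       # never flag the real sites
        hit = closest_official(dom)
        if hit is not None:
            lookalikes[dom] = hit
        by_ns[tuple(sorted(rec["ns"]))].append(dom)
    # Only pairs shared by two or more domains are an infrastructure pivot.
    clusters = {ns: doms for ns, doms in by_ns.items() if len(doms) > 1}
    return {"lookalikes": lookalikes, "clusters": clusters}


if __name__ == "__main__":
    result = triage(SAMPLE_RECORDS)
    for dom, (official, dist) in result["lookalikes"].items():
        print(f"LOOKALIKE {dom} ~ {official} (distance {dist})")
    for ns, doms in result["clusters"].items():
        print(f"SHARED NS {ns}: {', '.join(doms)}")
```

Edit distance alone catches actsblue.com (one inserted character) but says nothing about nationalcommittee.democrat; the nameserver clustering is what links the two, which is the point the bulletin makes about the dotster nameservers. In practice the records would come from passive DNS or a registrar feed rather than a hard-coded list, and the second-level-label shortcut should be replaced with a public-suffix-aware parser before running on arbitrary TLDs.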
MITRE Techniques
- [T1566] Phishing – Impersonation via fake donation-domain sites to collect funds. [‘Threat actors create fake domains to impersonate legitimate websites.’]
- [T1583.001] Acquire Infrastructure – Domain registration to closely resemble legitimate sites and deceive users. [‘Registration of domains that closely resemble legitimate sites to deceive users.’]
- [T1003] Credential Dumping – Potential collection of user credentials through phishing tactics. [‘Potential collection of user credentials through phishing tactics.’]
Indicators of Compromise
- [Domain] Suspicious donation domains – actsblue[.]com, nationalcommittee[.]democrat, and 4 more domains
- [Nameserver] DNS servers used by suspicious domains – ns1.dotster.com, ns2.dotster.com
- [Email] Payment recipient email used in scam attempts – diazjohana394@gmail[.]com
- [Bitcoin] Crypto address – bc1q856ynd25sf43suwcy4shlszdkkxk42ahlpe6ec
- [Ethereum] Crypto address – 0xC8623b18327957751A2ffbEEdAd002319A52D367
- [USDT_Ethereum] USDT ERC20 address – 0xC8623b18327957751A2ffbEEdAd002319A52D367
- [USDT_Tron] USDT Tron (TRC20) address – TGfoTqZLc3SNYkataG8pBf1vTvDf3Z62QK
Read more: https://www.hyas.com/blog/special-bulletin-us-election-phishing-alert