Iranian Hackers using Spoofed Emails to Steal Election Data

Hackers spoof Proud Boys

• The advisory stated that the Iranian APT actors are attempting to exploit misconfiguration and known vulnerabilities, such as directory traversal, SQL injection, web shell uploads, and unique flaws in election websites, using the Acunetix vulnerability scanner and advanced open-source queries.
• In addition, the hackers used paid VPN services such as NordVPN, CDN77, HQSERV, and M247, along with curl and FDM in the campaign.

Earlier preparation

• In mid-October, Proofpoint researchers observed emails purporting to be from a far-right and neo-fascist male-only organization, known as Proud Boys, threatening the recipient (Democratic voters).
• A few weeks ago, in a press conference, Director of National Intelligence (DNI) John Ratcliffe had stated that Iran and Russia have gained access to voter registration information and Iran has been using it to send out threatening emails to Democratic voters.

CISA and FBI advisories

• According to an FBI flash alert, in this fake Proud Boys campaign, the hackers had obtained copies of voter registration data between September 29 and October 17.
• On October 22, CISA and FBI published a joint advisory warning that Iranian APTs are attempting to obtain election data by creating fictitious media sites and spoofing legitimate media sites.

Security recommendations