Election Spam Trumps Phishing As November Draws Closer

August 10, 2016
Proofpoint Staff

Overview

Presidential elections, like many other major events and seasonal occurrences, are prime time for spammers and cyber attackers to incorporate timely and relevant lures into their operations.

As we approach November in an especially sensational Presidential race, Proofpoint researchers have seen a variety of election-themed emails - everything from straightforward text-based spam with embedded links to credential phishing. In terms of our themes, our spam samples skew heavily towards lures featuring Donald Trump. The Republican nominee appears in nearly 169 times as many messages as those featuring his Democratic opponent, Hillary Clinton.

Analysis

We scanned subject lines in spam messages detected across our customer base in June and July for occurrences of "clinton" or "trump" and observed a disproportionate number featuring only "trump." Figure 1 shows the relative volumes of messages mentioning one or both candidates in the message Subject in June. Overall, Trump appeared over 270 times more often in June than Clinton alone and 34 times as often as either Clinton or both candidates.

election-spam01.png

Figure 1: Spam volumes in our samples strongly favored Trump-themed lures during the month of June.

This trend was also noticeable the following month, though in a slightly less lopsided fashion. Trump-themed lures appeared just 67 times more often than Clinton-themed lures in July (Figure 2).  This disparity between the two months was the result of two particularly large campaigns in June featuring Trump-related lures.

election-spam02.png

Figure 2: Election-related spam volumes favored Trump-themed lures even more heavily in July.

As the boost from the two outlier Trump campaigns faded, overall election-related spam volume fell sharply in July. Still, the median number of messages per day (a measure less affected by outliers) rose 37%.

July’s median trend is more in line with our expectations that attackers would seek to make the most of public attention around the Democratic and Republican conventions. Figure 3 shows the changing volumes by month and the relative volumes by candidate. Across both months, Trump-themed lures were almost 170 times as common as those featuring only Clinton and 33 times as common as lures featuring both candidates.

election-spam03.png

Figure 3: Overall volumes increased dramatically by month, while the divide between Trump- and Clinton-related spam volumes deepened.

Figure 4 shows a typical example of a Trump-themed, graphical message. The message featured in Figure 5 followed a more common, text-based format.

election-spam04.png

Figure 4: An example of a Trump-themed message using faked CNN imagery and spoofed CNN addresses to lend legitimacy.

election-spam05.png

Figure 5: A different text-based Trump-themed message with embedded links leading to unrelated materials.

Whether they used graphics or text, the lures followed two general themes:

  • Surprising election news by or about Trump: These usually had a fake sending alias of a major news organization like CNN or Fox News. Names and sometimes branding for both liberal and conservative news outlets were used in these lures.
  • "Get rich / smart like Trump”: These sometimes included subtitles such as "Wall Street is outraged" and similar messages with fake sending aliases that appeared to come from consumer finance publications like “CNN Money”.

We also observed an election-related credential phishing attempt that enticed users to log in to Gmail to "verify their identity" in order to participate in a voter poll (Fig. 6). However, to date this has not been a common tactic. Instead, more traditional lures to click through to work-from-home sites and common spam targets appeared much more frequently.

election-spam06.png

Figure 6: A Gmail phishing link using election themes to convince recipients to enter their credentials.

Conclusion

As Patrick Wheeler, Director of Threat Intelligence at Proofpoint, noted, "This is a contentious election, so we expected high volumes of election-related spam as threat actors capitalize on public attention. What we didn't expect was the very lopsided use of lures related to a single candidate."

Whether these trends will shift as we get closer to the November election remains to be seen. Regardless of the specific subjects and lures spam actors use, individuals and organizations need to exercise particular caution in opening and interacting with election-related mail they receive. Many of these messages are merely annoying. But others can be malicious, relying on our curiosity about the elections to lead us to phishing pages, compromised websites, and more.