The Republican Party of Wisconsin confirmed Thursday that fraudsters used phishing emails and doctored invoices to steal $2.3 million earmarked for President Donald Trump’s reelection campaign.
The Republican political organization, which is operating in a battleground state for next week’s presidential election, discovered on Oct. 22 that it had been victimized by a phishing attack, according to a statement posted Thursday.
“On Friday morning, October 23rd, we notified the FBI that as a result of this cyberattack, hackers obtained $2.3 million through doctored invoices under the name of WisGOP vendors,” according to the statement.
Wisconsin GOP Chairman Andrew Hitt says the attackers were able to steal the money by altering invoices. The GOP organization did not release further details about the attack.
“Cybercriminals, using a sophisticated phishing attack, stole funds intended for the reelection of President Trump, altered invoices and committed wire fraud,” Hitt says. “While a large sum of money was stolen, our operation is running at full capacity with all the resources deployed to ensure President Donald J. Trump carries Wisconsin on November 3.”
Kevin Epstein, vice president and general manager of security firm Proofpoint, believes this security incident was a business email compromise (BEC)-style attack, citing the fact that GOP invoices were altered.
“If threat actors were able to modify invoices and payments, it could be a sign that an email fraud attack occurred,” Epstein tells Information Security Media Group. “BEC attacks use carefully crafted, customized emails that often ask specific people to wire funds urgently, pay an invoice to a new bank account or even send W2s – all while pretending to be the victim’s boss, vendor, partner or colleague.”
Although the attack took place in the final days before the Nov. 3 election, it’s unlikely the Wisconsin incident was just politically motivated, Epstein says.
“BEC is undoubtedly the most damaging and expensive security problem facing organizations today across all industries. If you are an organization with a bank account and an email address – you are a target,” Epstein says. “While we can’t speculate on political motivations, financial gain certainly seems to be part of the equation.”
Over the years, BEC schemes have become more lucrative. The FBI Internet Crime Complaint Center reported in February that it received 24,000 complaints about BEC scams in 2019. These scams caused losses totaling $1.7 billion, with an average loss of about $72,000 per victim (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).
Earlier this month, security firm Agari published a report that found about 25% of the BEC criminal gangs that it tracks are now located in the U.S., with most operating out of California, Georgia, Florida, Texas and New York (see: More BEC Criminal Gangs Are Based in US).
“Unfortunately, email fraud messages have a low barrier to entry for cybercriminals,” Epstein says. “They are easy to create, require almost no technical expertise, often don’t feature malware that traditional security technologies catch, and, most importantly, they simply rely on people to click and act. In order to combat losses.”
Because cybercriminals are adept at using spear-phishing attacks to obtain the credentials needed to conduct a BEC scam, Epstein suggests a layered defense that includes worker education, email authentication and dynamic email classification.
In one recent campaign that Trend Micro analyzed, scammers aimed to capture the Office 365 credentials of executives, especially those working in finance, and then create phony documents and invoices sent to lower-level employees (see: BEC Scam Targets Executives’ Office 365 Accounts).
Some attackers focus on using legitimate file-sharing websites and invoice-themed phishing attacks to steal credentials and spread malware, Aaron Higbee, CTO and co-founder of Cofense, previously told ISMG in a video interview (see: Phishing Attacks Dodge Email Security).
By Doug Olenick