Phishing scams aimed at voters, malicious domain registrations impersonating candidates, and other threat activity designed to exploit unsuspecting victims take center stage as the U.S. election approaches
Sunnyvale, Calif. October 16, 2024
Derek Manky, Chief Security Strategist and VP of Global Threat Intelligence at Fortinet, emphasizes the importance of recognizing the cyberthreats that could jeopardize the integrity of the upcoming 2024 U.S. presidential election. “As we near this pivotal event, it’s essential to understand the potential risks that could affect the election process and the well-being of citizens involved. Cyber adversaries, including state-sponsored groups and hacktivists, are likely to ramp up their activities as the election approaches. Staying vigilant and proactively identifying and analyzing possible threats and vulnerabilities is vital to prepare for and defend against targeted cyberattacks that could exploit this critical period, potentially disrupting or swaying electoral outcomes.”
News Summary
Fortinet® (NASDAQ: FTNT), the global cybersecurity leader driving the convergence of networking and security, today released its FortiGuard Labs Threat Intelligence Report: Threat Actors Targeting the 2024 U.S. Presidential Election, which reveals and analyzes threats tied to U.S.-based entities, voters, and the electoral process. Key findings from the threat intelligence report include:
- Phishing Scams Targeting Voters Leading Up to the 2024 U.S. Presidential Election: Threat actors are selling affordable phishing kits on the darknet designed to target voters and donors by impersonating the presidential candidates and their campaigns.
- Malicious Domain Registrations on the Rise: More than 1,000 new potentially malicious domains that follow particular patterns and incorporate election-related content and candidates have been registered since the beginning of 2024, suggesting that threat actors are leveraging the heightened interest surrounding the election to lure unsuspecting targets and potentially conduct malicious activities.
- Darknet Landscape: Billions of records from the U.S. are for sale on darknet forums, including Social Security numbers (SSNs), personally identifiable information (PII), and credentials that could be used in misinformation campaigns and lead to fraudulent activity, phishing scams, and account takeover; approximately 3% of the posts on darknet forums involve databases related to business and government entities.
- Ransomware Landscape: FortiGuard Labs researchers noted a 28% increase in ransomware attacks against the U.S. government year-over-year based on observed leak sites.
Scams Targeting the U.S. 2024 Presidential Election Flood the Darknet
As elections draw near, cyber adversaries, including state-sponsored actors and hacktivist groups, are becoming increasingly active. The FortiGuard Labs research team has detected threat actors selling specialized phishing kits priced at $1,260 each, designed to impersonate U.S. presidential candidates. These kits aim to gather personal information such as names, addresses, and credit card details, particularly targeting donations.
Since January 2024, researchers at FortiGuard Labs have identified over 1,000 newly registered domain names featuring election-related terms and references to prominent political figures. Among these are fraudulent fundraising websites, like secure[.]actsblues[.]com, which attempt to mimic the legitimate ActBlue site (secure[.]actblue[.]com), a nonprofit fundraising platform and political action committee in the U.S.
The leading hosting providers for these election-themed websites are AMAZON-02 and CLOUDFLARENET. This reliance on well-known hosting services such as Amazon Web Services (AWS) and Cloudflare highlights how threat actors exploit these reputable platforms to lend credibility and stability to their malicious domains.
Furthermore, a significant number of these domains share a limited set of IP addresses, indicating a centralized strategy among threat actors to efficiently manage numerous malicious domains and conduct large-scale cyber campaigns.
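A defender can screen a newly-registered-domain feed for both signals described above, lookalike names and shared hosting IPs. The following is an added example, not code from the FortiGuard Labs report: the feed, the edit-distance threshold, and every name and IP other than the two ActBlue-related domains quoted above are constructed assumptions.

```python
from collections import defaultdict

# Assumptions: the brand label to protect and its legitimate domain (both named on the page).
BRANDS = {"actblue": "actblue.com"}

# Constructed feed of (defanged domain, resolved IP). Only the two actblue/actsblues
# names come from the page; other names and all IPs (RFC 5737 ranges) are made up.
FEED = [
    ("secure[.]actsblues[.]com", "192.0.2.10"),
    ("secure[.]actblue[.]com", "198.51.100.5"),
    ("donate-actb1ue[.]example", "192.0.2.10"),
    ("vote-info[.]example", "192.0.2.10"),
    ("weather[.]example", "203.0.113.7"),
]

def refang(domain):
    return domain.replace("[.]", ".").lower()

def edit_distance(a, b):
    """Levenshtein distance, row-by-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_brand(domain, max_dist=2):
    """Return the brand a domain imitates, or None (legitimate or unrelated)."""
    name = refang(domain)
    for brand, legit in BRANDS.items():
        if name == legit or name.endswith("." + legit):
            return None  # the real site and its subdomains
        # Compare every hyphen-separated token of every label except the TLD.
        tokens = [t for label in name.split(".")[:-1] for t in label.split("-")]
        if any(edit_distance(t, brand) <= max_dist for t in tokens):
            return brand
    return None

def suspicious_clusters(feed):
    """Group domains by IP; keep IPs that host a lookalike plus other domains."""
    by_ip, hits = defaultdict(list), set()
    for domain, ip in feed:
        by_ip[ip].append(refang(domain))
        if imitated_brand(domain):
            hits.add(ip)
    return {ip: sorted(by_ip[ip]) for ip in hits if len(by_ip[ip]) > 1}
```

Domains that share an IP with a confirmed lookalike, such as the constructed vote-info name here, are candidates for review rather than proof of malice, since large hosting providers place unrelated sites on the same addresses.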
No Shortage of Personal Data Being Sold Aimed at the U.S.
FortiGuard Labs analysis continues to show a significant number of diverse databases available on darknet forums targeting the U.S., including SSNs, usernames, email addresses, passwords, credit card data, dates of birth, and other PII that could be used to challenge the integrity of the 2024 U.S. election. Specific highlights include:
- Over 1.3 billion rows of combo lists, which include usernames, email addresses, and passwords, signify a considerable risk of credential-stuffing attacks. In such attacks, cybercriminals use these stolen credentials to gain unauthorized access to accounts, which makes this a valid and substantial security concern.
- The discovery of 300,000 rows of credit card data, which include CVV, name, card number, expiration date, and date of birth, highlights potential financial fraud risks targeting voters and election officials.
- Over 2 billion rows of user databases on the darknet indicate a heightened exposure to identity theft and targeted phishing attacks.
- 10% of the posts on darknet forums are associated with SSN databases, which poses a significant threat by increasing the risk of personal data breaches.
The U.S. Government: An Increasingly Attractive Target for Cyber Threats
Ransomware attacks aimed at government agencies can significantly disrupt the electoral process and erode public trust in governmental institutions. In 2024, the FortiGuard Labs research team recorded a 28% increase in ransomware attacks targeting the U.S. government compared to 2023.
The darknet has emerged as a central hub for U.S.-specific threats, where malicious actors exchange sensitive information and devise strategies to exploit vulnerabilities. Approximately 3% of posts on these forums relate to databases connected to businesses and government entities. These databases contain critical organizational data, making them particularly attractive targets for cyber adversaries, especially as elections approach.
Recommendations to Prevent and Mitigate Cyberattacks This Election Season
Implementing robust cybersecurity measures is vital to ensuring the integrity of the U.S. 2024 presidential election. Adhering to fundamental best practices can help prevent and mitigate the impact of cyber incidents. A comprehensive list of recommendations and best practices can be found in the full report, but here are some key takeaways for citizens, business leaders, and election officials:
- Always remain vigilant for suspicious behavior or activity leading up to major events and prioritize good cyber hygiene.
- Prioritize employee training and awareness.
- Enforce multi-factor authentication and a strong-password policy.
- Install endpoint protection solutions.
- Patch operating systems and web servers and update software regularly.
About the Fortinet FortiGuard Labs Election Security Report
- This report provides an in-depth analysis of threats observed from January 2024 to August 2024. It examines the diverse array of cyberthreats that may affect U.S.-based entities and the electoral process.
Additional Resources
- Read the full FortiGuard Labs Threat Intelligence Report: Threat Actors Targeting 2024 U.S. Presidential Election.
- Learn about FortiRecon and generating reports like this for your organization.
- Learn about FortiGuard Labs threat intelligence and research and Outbreak Alerts, which provide timely steps to mitigate breaking cybersecurity attacks.
- Learn about Fortinet’s commitment to product security and integrity, including its responsible product development, vulnerability disclosure approach, and policies.