Many have watched the U.S. presidential debate last week, and while whether Barack Obama or Mitt Romney won the discussion is still up for debate among netizens, one thing is certain: the presidential campaign is on its last stretch towards the November 6th elections. One other thing that’s certain? Scammers exploiting this to the very end.
Our researchers have been looking into the data gathered through the global sensors of our Smart Protection Network. Below is a snapshot of election-related keywords that got several hits to malicious sites:
Note that these hits are just for the past three months, and we expect them to increase as Election Day draws near. But what stood out for us is the number of hits for both candidates: apparently, when it comes to the number of failed attempts to access a malicious site, Obama gets the users’ vote. And cybercriminals agree: when we checked the number of unique domains blocked since January, there were 4 Obama-related domains for every 1 Romney domain.
This shouldn’t come as a surprise, given that the incumbent President has had at least four years of pop-culture mindshare under his belt compared to Romney. Remember that from right after he won the 2008 elections up to his inauguration, Obama was used in several social engineering baits. Going back to the three-month snapshot, it can be seen that hits for Obama have seen their share of highs and lows, while the increase for Romney was consistent around the period when his candidacy was officially announced in August.
But looking at the type of threats and who the eventual victims were, both candidates are pretty much neck and neck. While it is quite obvious that most victims are from the United States and Canada, interestingly, the other top countries include those in Asia and Europe.
The majority of the hits are from disease vector URLs (i.e., those that eventually download malicious files on computers or host phishing sites) and spam-related URLs, which is consistent with previous election-related threats.
Several pieces of malware have also taken advantage of these two candidates, as we’ve seen file names that range from the curious (Drunken Obama.exe, which we detect as ADW_MARKETSCORE), to the somewhat serious (several PDF files like Romney V. Obama Tax Policies.pdf, which we heuristically detect as HEUR_PDFEXP.E). And apart from the malicious mobile apps we saw several weeks ago, based on our feedback, we’ve also seen infections from a relatively old SOHANAD worm, as well as from other AUTORUN malware (those that usually spread via removable drives) with backdoor capabilities, including the following:
So what does this tell us? It reinforces the fact that the bad guys have all the bases covered when it comes to exploiting popular events. Whoever wins come November 6th, end users will end up losing in one way or another if they’re not careful. So keep yourself informed. Get your news only from trusted sources, and make sure to have an Internet security solution installed on your devices.
Update as of October 11, 2012 7:30 AM PDT
We’ve found a spam run using the election as social engineering bait as well. The email is supposedly from CNN and contains news stories about the election:
However, instead of news articles, the links lead users to a variant of the ZeuS banking Trojan, delivered by the Blackhole exploit kit. We detect this variant as TSPY_ZBOT.NTW. In addition to blocking the malware, we also block the malicious sites that were used by the Blackhole exploit kit in this incident.