Watch out for the 'Vote Anonymous About Black Lives Matter' Phishing Email That Is Gaining Momentum

Black Lives Matter Phishing Scam

Cybercriminals watch the news. They watched it when the COVID-19 pandemic broke out and used the virus as a central part of some of their scams. They are watching it now as well. The protests sparked by George Floyd's death have swept over the US and are spreading to other countries as well. The Black Lives Matter human rights movement is at the center of the demonstrations, and a Google Trends chart can give you an idea of how much attention it has attracted over the last few weeks. It wasn't that hard to predict that sooner or later, its name would become a part of an online scam.

Cybercriminals use the name of a human rights movement in a phishing scam

A phishing scam centered around the Black Lives Matter movement is doing the round. The campaign was discovered by a security company called abuse.ch, and although there is no information on how widespread it is, it's apparently big enough to warrant the attention of mainstream media outlets like Forbes.

The scam is about as simple as they get. According to Forbes, the email's subject reads "Vote anonymous about Black Lives Matter," and the body simply says "Leave a review confidentially about Black Lives Matter… Claim in attached file."

The poor grammar and the ambiguity might just be enough to tip some people off. Curiously, the same exact characteristics could spring the trap for others. The email does appear to be put together in a hurry by people who have no imagination and a limited command of English, but when you think about it, you'll see that the mystery around the vote and the review users are supposed to leave, is very likely to lure many people into opening the attachment. This would be bad news for them because the campaign is distributing the infamous Trickbot trojan.

Hackers are still in love with Trickbot

Forbes' report doesn't explain what sort of attachment the crooks used for this particular campaign. It does point out that the malicious file is installing the Trickbot trojan on the victim's machine, though.

Trickbot first appeared around four years ago, which is an enormous amount of time in the cybersecurity world. Nevertheless, over the years, it has received a few updates, and according to abuse.ch's statistics, it's the second most prolific malware family at the time of writing.

It started its life as a banking trojan, and it's still capable of stealing login information. In recent months, however, it's been heavily used as a downloader for other malware families as well. In an interview for Forbes, an abuse.ch spokesperson said that Trickbot has recently been in a close relationship with the Ryuk ransomware, and the experts suspect that if the crooks aim their "Vote anonymous about Black Lives Matter" scam at corporate networks, they will try to deploy the file-encrypting malware.

It's not about sending a message, it's about the money

Some people might assume that by putting the Black Lives Matter name in the scam, the hackers are aiming their attack squarely at supporters of the movement. While it is tempting to demonize the hackers as, among other things, racist, it must be said that in this particular case, the victims' feelings on Black Lives Matter probably aren't very important to the crooks.

When they're distributing coronavirus-themed phishing emails, they're not targeting health-conscious individuals, and in much the same way, they're not using the name "Black Lives Matter" to somehow put a spoke in the organization's wheels. If they wanted to do that, they would be using different tools and different attack methods.

In both cases, the hackers are using frontpage news events to ensure that their victims click on malicious links or attachments. For them, it's all about monetizing the user's stolen passwords or encrypted files.

June 12, 2020

Leave a Reply