Beware: US Elections Phishing, Malware, & Hoaxes

Beware: US Elections Phishing, Malware, & Hoaxes

This post is meant to act as a means to inform people that there may be hoaxes, phishing campaigns, click-bait, and malware related to and purporting to be related to the 2016 US Election. These are from my own perspective. While I make every effort to be thorough and hit every aspect, there are times that I inadvertently omit things or skip them due to scope, time, length or applicability. Email any questions you have about this or any other topic to [email protected]

DISCLAIMER: This is NOT a venue to debate or argue about the candidates, winners, losers, or politics in general.


I have not noticed anything phishy (in the information or cyber security realm) with regards to the 2016 United States Presidential Election. While this election was dramatic and media consuming, attackers will start to use it to capitalize off society’s increased levels of passion and emotion. This is especially relevant to your security posture. Landmark events, positive or negative, typically bring social engineers – namely phishermen and other fraudsters to tailor campaigns to sway people to fall for it.

This capitalizes off the aim for urgency, status quo, fitting in, or suspense in successful Social Engineering attacks. Read my advice below for some tips to stay secure.

POssible Scenarios

Here are a couple sample scenarios that the public may encounter:

Hillary Clinton focused Scenario

Beware: US Elections Phishing, Malware, & Hoaxes
Hillary Rodham Clinton

To appeal to Hillary supporters and those who oppose Trump, a campaign may have some sort of link to sign up for a mailing list for her or a link to some website with some juicy information. These will aim to get the victim to perform an action, as opposed to the other aim of Social Engineering – divulge information (beyond contact information). This will play to the victim emotions to attempt to compel them to take the bait. There may be elements of truth in the bait, but it will likely come as something sensationalized to ensure it piques the curiosity of the recipient.

Examples of alleged information and campaigns may include (but is not limited to):

  • A loophole that allows her to win
  • Something alleging that Trump was killed or arrested
  • Something alleging that President Obama may intervene
  • A condition that warrants a recount with enough swing or significance to sway the outcome
  • A claim of a cyber attack or other form of misinformation campaign

Donald Trump focused scenario

Beware: US Elections Phishing, Malware, & Hoaxes
Donald J. Trump

Similar to the Hillary Clinton focused campaign, the aim is to appeal to Trump supporters and those who oppose Hillary. Therefore, these will follow much of the same protocol as those with Hillary, but will have a different spin. This is meant to add to the jubilation of his supporters as opposed to feeding the anger, sadness, frustration, and other emotions associated with Hillary’s follower base. Keeping this in mind, the intended outcome is the same, the only difference is the psychological stimuli used to elicit the responses.

Examples of alleged information and campaigns may include (but is not limited to):

  • Something allowing you to share your support on social media platforms (which is a double attack since it will harvest your credentials to the platform)
  • A post or story alleging that Clinton was killed or arrested
  • Something in line with her emails, WikiLeaks, FBI Director Comey, Secretary of Justice Lynch



My advice to you in staying secure during these possible times for major hoaxes is to follow these tidbits of wisdom:

  • If it seems too good to be true – it probably is.
  • If it claims to give inside information or spoilers – it will probably spoil your system (with malware).
  • Only view reputable sites and social media for such news. If for a TV show like The Walking Dead, check AMC (or the appropriate network).
  • When clicking links on social media platforms, hover over the link and observe the website that it’s sending you to.
  • If the website is a shortened or obscure URL like (nothing against them, but this is a popular attack method), right click “Copy Link Address” and go to Virus Total (A Google Project) and select URL then paste it and “Scan It!”
    • This will tell you if the URL is known to be malicious. Just because it says no does not mean that the site is safe, it may have not been reported enough yet.
    • You can also use this site for uploading software to check it for malware as well.
  • Ask someone like myself or another information security professional.

How attackers can streamline this for your area

Simply, using hashtags associated with Election, Trump, Clinton, etc. would be a simple “spray and pray” approach. Alternatively, they can use Justin Nordine‘s OSINT (Open Source Intelligence) Framework. This allows various attack methods, but for this, I would recommend using the Social Networks > Twitter > Location / Mapping > GeoChirp or MIT Map. This allows me to look at maps of areas and see what is trending on Twitter in near real time if the person tweeting has location services on.

Alternatively, I can take a page out of Justin Seitz‘s book and write a python script that interacts with Twitter API (Automated Programming Interface) and look at tweets within a certain context: such as hashtag, user, or geographic area. Assuming that I was the attacker, I could use this to build tweets and poison the well per se. For this, I can integrate with other tools like OSINT Framework or Social Engineer Toolkit to build a good phish, back story, or pretext for attack.


O’Reilly Media is launching their inaugural Security conference in New York (Oct 31- Nov 2), with their first European event shortly after in Amsterdam (9-11 Nov), to provide infosec practitioners with pragmatic tools, techniques, and know-how for building better defenses.
Register today and save 20% (on Gold, Silver & Bronze passes) with discount code APS20. Plus, take advantage of the Buy One, Get One offer for the O’Reilly Security Conference. Simply purchase a pass and then request a unique code to get a free pass for a colleague. Learn more at


Implications of Powershell Going Open Source
Yahoo Data Breach: What We Know Now
Most of What You Need to Know: Wi-Fi
Cybersecurity & the US 2016 Presidential Election
Most of What You Need to Know: Passwords
Twitter Hacked?
Change Your Email Password Now!
Qatar Bank Breached After Bangladesh
Bangladesh Bank Loses 80 Million USD

Thanks for stopping by and checking out our podcast. We would appreciate if you could subscribe (assuming you like what you hear; we think you will).  To learn more about us, check out our “About Us” page.

Enter your email address:

Delivered by FeedBurner

Subscribe to our mailing list

* indicates required

About Joe Gray

Joe Gray joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is currently a Senior Security Architect and maintains his own blog and podcast called Advanced Persistent Security. In his spare time, Joe enjoys attending information security conferences, contributing blogs to various outlets, training in Brazilian Jiu Jitsu (spoken taps out A LOT!), and flying his drone. Joe is the inaugural winner of the DerbyCon Social Engineering Capture the Flag (SECTF) and was awarded a DerbyCon Black Badge. Joe has contributed material for the likes of AlienVault, ITSP Magazine, CSO Online, and Dark Reading.