recently expanded beyond offering rewards for information on terrorism. Important
to this context, Congress extended RFJ authorities in 2017 to include offering
rewards for information on individuals or entities acting at the direction of a
foreign government in violation of the Computer
Fraud and Abuse Act (CFAA). This act criminalizes unauthorized computer
intrusions and other forms of fraud related to computers. Persons engaged in
certain malicious cyber operations targeting election or campaign
infrastructure may be subject to prosecution under the law. Among other
offenses, the statute prohibits unauthorized access of computers to obtain
information. This reward offer does not
cover disinformation activities, like trolling or creation of fake online
personas, which do not violate the CFAA.
New Reward Leads to Defensive Russian Response, Cyber Scam Campaign
August 5, Rewards for Justice began offering a reward of up to $10 million for
information leading to the identification or location of any person who works
with or for a foreign government for interfering with U.S. elections through
certain illegal cyber activities that violate the CFAA. Due to the
interconnected nature of communications and networks, RFJ’s is a worldwide
campaign offered in multiple languages, including Arabic, Dari, English, Farsi, French, Korean, Mandarin, Pashto, Russian, Somali, Spanish, and Tagalog.
5, State Department’s Global Engagement Center released a report on Russian
disinformation and propaganda efforts titled, “Russia’s Pillars of
Disinformation and Propaganda.” Subsequent to the award announcement, it
appears that malignant cyber actors began their spear phishing and spoofing
campaigns. Employees of a foreign government were the recipients of SMS-based
spear phishing attempts impersonating the RFJ program. The message provided a
URL that would open a
WhatsApp chat to a phone number in the (424) area code, in/around Los
Angeles, and a second URL that would open a Telegram link to the spoofed State
Department tip line, “@meddlinghotline.”
has previously used SMS text messaging to advertise its reward offers around
the world. Although the bogus messages attempted to impersonate RFJ
advertising, the authentic RFJ texts included links to RFJ’s official,
verified, in-language social media accounts, which provided more information on
the reward offer and RFJ’s contact information. The fake text messages would
not necessarily have seemed out of the ordinary to foreign recipients used to
or aware of RFJ digital advertising. Native English speakers might immediately
have realized “@meddlinghotline” to be fake, but those unaware of the
connotation of the word “meddling” may not have let that stop them. (This may
well have been the result of poor translation, a common thread among electronic
scams for decades.) Adding to the appearance of legitimacy was a coincidence
that some recipients received the messages via the same number as legitimate
Google two-factor identification tokens. These isolated instances, which could
have served to legitimize the messages even among those savvy enough to
understand cyber scams, were unfortunate but entirely coincidental.
RFJ has identified attempts to impersonate its tips lines, and advises
global audiences to be cautious and careful to only contact tips lines posted
to official (blue check marked) RFJ social media accounts.
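The advice above, to contact only tip lines published on official accounts, can be applied mechanically to a reported message. The following is an added example, not part of the original report or any RFJ tooling: it assumes the message uses the standard wa.me, api.whatsapp.com and t.me deep-link formats, and the allowlist entries, sample wording and phone number are constructed placeholders.

```python
import re
from urllib.parse import urlparse, parse_qs

# Assumption: placeholder entries. Populate from the contact details published
# on the program's verified accounts.
OFFICIAL_CHANNELS = {("telegram", "official_tipline_placeholder"),
                     ("whatsapp", "15555550100")}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def contact_channel(url):
    """Return (service, identifier) for a chat deep link, or None for other URLs."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    host = host[4:] if host.startswith("www.") else host
    first = parts.path.strip("/").split("/")[0]
    if host in ("t.me", "telegram.me") and first:
        return ("telegram", first.lstrip("@").lower())
    if host == "wa.me" and first:
        return ("whatsapp", re.sub(r"\D", "", first))
    phone = parse_qs(parts.query).get("phone")
    if host == "api.whatsapp.com" and phone:
        return ("whatsapp", re.sub(r"\D", "", phone[0]))
    return None

def triage_message(text, allowlist=OFFICIAL_CHANNELS):
    """Classify every URL in a message against the allowlist of official channels."""
    findings = []
    for url in URL_RE.findall(text):
        channel = contact_channel(url.rstrip(".,;:)"))
        if channel is None:
            verdict = "other-link"
        elif channel in allowlist:
            verdict = "official"
        else:
            verdict = "unlisted-channel"
        findings.append((verdict, channel))
    return findings

# Constructed sample: wording and phone number are invented; the Telegram
# handle is the spoofed one named in the report.
SAMPLE_SMS = ("Reward of up to $10 million for information. "
              "WhatsApp: https://wa.me/14245550123 "
              "Telegram: https://t.me/meddlinghotline.")
```

An "unlisted-channel" verdict means the message points to a chat identity that is not on the published list, which is the condition the advisory warns about.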
the spoofed tip lines apparently involved only the Iran-focused RFJ efforts, the
RFJ reward offer and Russian response came amid growing public U.S. initiatives
to pressure Russia and other malign actors over their continuing attempts at
elections interference and disinformation.
15, the Secretary of State declared that he was “confident” foreign actors,
including the governments of China, Iran, North Korea, and Russia would seek to
interfere in the 2020 U.S. elections.
24, the ODNI National Counterintelligence and Security Center released an
unclassified public assessment of threats to the 2020 elections, which outlined
some operations by the governments of China, Iran, and Russia to influence the
elections. ODNI released an updated unclassified public assessment on August
- And on August 18, the Senate Intelligence Committee released the fifth and final volume
of its report on Russian interference in the U.S. 2016 presidential election,
detailing Russian cyber actors’ hack-and-leak tactics, techniques, and
procedures. A Kremlin spokesperson criticized the report as “another in a
series of paranoid reports” leading up to the election in November, but within
two weeks, U.S. authorities uncovered the RFJ campaign.
What does this mean for the private sector?
this is not an instance of direct private-sector targeting. However, besides
inadvertent accessing of spoofed links and benign response to spear phishing
attempts, there may be a higher likelihood of malicious intent involving
organizations doing business in certain locations and within certain industries
somehow of interest to the sponsor of these attacks. For instance, Russian
entities may be more interested in targeting actors in Ukraine or the Baltic
countries, whereas Chinese entities may have more interest in those operating
in Hong Kong, Taiwan, or Southeast Asia. Either would likely have high interest
in civil society organizations, including those focusing on international
development, human rights, and democratization, but also on businesses whose
trade secrets are of the most importance to their own national goals. For
security managers in any of these organizations, and any others, it remains
imperative to pass accurate cybersecurity information to their personnel, and
to make them understand that even actions taken on private time, on private
devices could have negative repercussions for their employers. Security
managers and personnel alike should also know how to respond to suspected
scams; in this case, you can report suspected problems directly to OSAC or RFJ.
attacks use electronic communications like email, text messages, and mobile
chatting apps, along with malicious websites to solicit personal information by
posing as a trustworthy organization. For example, an attacker may send email
seemingly from a reputable credit card company or financial institution that
requests account information, often suggesting that there is a problem. When
users respond with the requested information, attackers can use it to gain
access to the accounts. Attackers often take advantage of current events and
certain times of the year, such as natural disasters, epidemics and health
scares, economic concerns, major political elections, and holidays.
What are common indicators of phishing attempts?
- sender’s address: The sender's address may imitate a legitimate business.
Cybercriminals often use an email address that closely resembles one from a
reputable company by altering or omitting characters.
- greetings and signature: Both a generic greeting—such as “Dear Valued Customer”
or “Sir/Ma’am”—and a lack of contact information in the signature block are
strong indicators of a phishing email. A trusted organization will normally
address you by name and provide their contact information.
- hyperlinks and websites: If you hover your cursor over any links in the body of
the email, and the links do not match the text that appears when hovering over
them, the link may be a spoof. Malicious websites may look identical to a
legitimate site, but the URL may use a variation in spelling or a different
domain (e.g., .com vs. .net). Additionally, cybercriminals may use a URL shortening
service to hide the true destination of the link.
- and layout: Poor grammar and sentence structure, misspellings, and inconsistent
formatting are other indicators of a possible phishing attempt. Reputable
institutions have dedicated personnel that produce, verify, and proofread
- Suspicious attachments: An
unsolicited email requesting a user download and open an attachment is a common
delivery mechanism for malware. A cybercriminal may use a false sense of
urgency or importance to help persuade a user to download or open an attachment
without examining it first.
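The hyperlink indicators listed above (link text that does not match its destination, a spelling variation or different top-level domain, a URL shortener) can be checked automatically in an HTML email body. This is an added example, not code from the original report: the trusted domain, the shortener list, the 0.85 similarity threshold and the sample body are assumptions made for illustration.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}  # small sample list, extend locally
TRUSTED = {"example-bank.com"}  # hypothetical domain the recipient really uses

class LinkCollector(HTMLParser):  # gathers (visible text, href) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = (dict(attrs).get("href") or "").strip(), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(value):  # hostname of a URL or bare domain, without a leading "www."
    host = (urlparse(value if "://" in value else "//" + value).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def lookalike(dest):
    # Untrusted host whose name, TLD removed, nearly matches a trusted one.
    name = dest.rpartition(".")[0]
    return dest not in TRUSTED and any(
        SequenceMatcher(None, name, t.rpartition(".")[0]).ratio() >= 0.85 for t in TRUSTED)

def link_indicators(html):
    parser = LinkCollector()
    parser.feed(html)
    results = []
    for text, href in parser.links:
        dest = host_of(href)
        shown = host_of(text) if "." in text and " " not in text else ""
        checks = [("text-destination-mismatch", bool(shown) and shown != dest),
                  ("url-shortener", dest in SHORTENERS),
                  ("lookalike-domain", lookalike(dest))]
        results.append((href, [flag for flag, hit in checks if hit]))
    return results

# Constructed sample body for this example.
SAMPLE = ('<a href="https://example-bank.net/login">www.example-bank.com</a>'
          '<a href="https://bit.ly/EXAMPLE">Review the notice</a>'
          '<a href="https://examp1e-bank.com/verify">Verify account</a>')
```

Calling `link_indicators(SAMPLE)` returns one `(href, flags)` pair per link; a link to the trusted domain itself comes back with an empty flag list.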
What are common ways to spot fake social media accounts?
are several simple ways to spot the more obvious fake social media accounts,
- spelling, and punctuation errors in messages;
- usernames or handles;
- with a high follower count, but low levels of engagement from followers; and
- A lack of original content, but instead repeatedly pushing spam or other suspicious linked content.
further information on Rewards for Justice, visit its official website or
interact with one of its social media accounts. For further information on
cybersecurity, including spear phishing and spoofing, contact OSAC’s Cyber Team, and consider the following