Trump, Sanders Are the Top Brands for Cybercriminals

political spam democratic primary

An analysis of spam subject lines and malicious domains shows that attackers have been betting on Trump and Sanders to snag public interest.

Unwanted and malicious emails using political-themed lures has spiked as the presidential primary season cranks into high gear – with Donald Trump and Bernie Sanders representing the lion’s share of subject line themes.

Since the beginning of the year, Proofpoint researchers have tracked subject lines in what it calls “Unsolicited Commercial Email” or UCE, using the last names of candidates in the 2020 elections. Through Feb. 29, researchers found a strong correlation between the visibility of political candidates and the amount of spam that uses their “brands” in the subject lines.

For instance, Trump-related UCE in the first two months of the year saw more than twice the volume of the Democratic front-runners combined.

“Overall UCE volumes mentioning individual candidates suggests that Donald Trump not only has the incumbent’s advantage but also maintains the strongest brand as he did in 2016,” researchers said in a posting issued on Super Tuesday.

Democratic front-runners during the analysis period, including Joe Biden, Michael Bloomberg, Pete Buttigieg, Amy Klobuchar, Bernie Sanders and Elizabeth Warren, all had ebbs and flows in their presence in UCE, depending on how their campaigns were doing. This variation in UCE volumes “roughly corresponds to shifts in polling, major events in the election season, and changes in relative market strength,” the analysis pointed out.

As an example, Bloomberg-related UCE spiked significantly in the leadup to his first and only debate performance, in the Nevada debate on February 25. After that, which was widely seen as a low-water mark for the former New York mayor, Sanders- and Biden-related volumes increased steadily, suggesting that they received a “brand boost” from the event.

However, the sentiments in the subject lines analyzed since the beginning of the year ran the gamut between pro-candidate and anti-candidate.

“While we did not conduct a complete sentiment analysis of subject lines, anecdotal examination suggests that subjects included a mix of both positive and negative language for all candidates,” according to the posting. “Polarizing brands simply give illicit email actors more fodder for subject lines in emails that may lead to anything from affiliate spam landing pages unrelated to the presidential campaign to attack or misinformation sites.”


In 2020, Proofpoint also began tracking malicious domain registrations that referenced U.S. presidential candidates. The term “Trump” showed in in more than half of the identified suspicious domains, such as those used for fraud, those potentially violating copyright, brand infringement, and more.

As for the Democrats, “unlike illicit email volumes, in which Sanders-related email subjects were within a few percentage points of other top Democratic candidates, Sanders-related domains made up over a quarter of new suspicious domains,” Proofpoint researchers wrote.

“While looking over the two-month study period at suspicious domain registrations does not reveal obvious event-related spikes as we observed with UCE volumes, [we saw] a steady increase in Sanders-related domains from mid-February as the candidate emerged as a front-runner. Relative numbers of Trump-related domain registrations dropped in February as threat actors appeared to turn their attention to Sanders, and, to a lesser extent, Biden, Warren and Klobuchar.”

The firm noted that in some ways, UCE and domain registrations could serve an informal predictive function. Since social-engineering-based cybercriminals have their finger on the pulse of public opinion and hot topics, they make good political handicappers.

“UCE volumes do appear to have predictive value in high-profile elections given how carefully spammers apparently track public opinion and align themselves with strong brands,” according to the analysis. “This also speaks to how candidate branding relates to success in modern elections and gives a path for us to further study potential causal relationships between spam and election outcomes.”

The researchers also noted that malicious activity is also an important part of influence campaigns: “High-volume spam with well-crafted clickbait lures not only reinforce brands through familiarity but address Cialdini’s principles of influence relating to authority and social proof.”

Cybercriminals attempting to capitalize on current events or zeitgeist is nothing new, as seen in the recent coronavirus-themed spam campaigns, or even the World Cup-themed offensives that crop up every four years. Emotet also recently turned up in a timely spam campaign in December that used climate-change activist and Time Person of the Year Greta Thunberg as a lure.

Interested in security for the Internet of Things and how 5G will change things? Join our free Threatpost webinar, “5G, the Olympics and Next-Gen Security Challenges,” as our panel discusses what use cases to expect in 2020 (the Olympics will be a first test), why 5G security risks are different, the role of AI in defense and how enterprises can manage their risk. Register here.

Suggested articles

It’s Not the Trump Sex Tape, It’s a RAT

Criminals are using the end of the Trump presidency to deliver a new remote-access trojan (RAT) variant disguised as a sex video of the outgoing POTUS, researchers report.