Donald Trump’s presidential campaign is known for aggressively trying to raise money, even sending emails to donors hoping to cash in on setbacks like his conviction late last month on 34 felony counts for illegally influencing the 2016 campaign.

Bad actors now are trying to do the same, running donation scams by impersonating the campaign and sending out phishing emails and texts to Trump’s MAGA voters seeking donations, according to researchers with cybersecurity firm Netcraft.

The scams follow the ex-president’s campaign’s announcement in May 21 it would start accepting cryptocurrency donations and the convictions in the felony trial in New York City 10 days later, which helped the campaign raise a reported $50 million in the days following the court case.

“With millions of emails and texts sent by the real campaign, scammers are exploiting recent interest to trick would-be donors into visiting a lookalike domain,” the Netcraft researchers wrote in a report. “Those behind these donation scams also identified the opportunity and immediately pivoted their strategy to mirror what was happening on the legitimate campaign site, with many direct impersonations of campaign resources.”

The donation schemes are the latest evidence that threat actors will take advantage of high-publicity situations, from sporting events to humanitarian crises to, in this case, presidential politics to run scams and steal money.

Multiple Payment Methods

Regarding the crypto donations, the Trump campaign takes in the digital currency through Coinbase and accepts a range of cryptocurrencies, such as Bitcoin, Ether, US Dollar Coin, Shiba Inu Coin, and Dogecoin. The Trump National Campaign said such donations are open to any “federally accredited donor.”

The day after the donation announcement, bad actors registered myriad bogus domains, such as donalbjtrump[.]com – which Netcraft researchers wrote “mirrored almost exactly the Trump campaign page in content and design” – and doonaldjtrump[.]com to lure people to their websites.

When the jury returned the guilty verdicts against Trump May 31, the campaign directed all incoming traffic coming into its site to the donation pages, hoping to capitalize on a mobilized donor base. Threat actors noticed the amount of money the campaign said it was bringing in.

“Those behind these donation scams also identified the opportunity and immediately pivoted their strategy to mirror what was happening on the legitimate campaign site, with many direct impersonations of campaign resources,” they wrote.

Adapting to Changes

The scammers not only moved in quickly when the opportunities cropped up, but also made strategic adjustments to adapt to the changing circumstances. The hacker behind the initial site registered as donalbjtrump[.]com that almost looked like a carbon copy of an actual campaign back adjusted quickly after the verdicts were announced to revamp the site to look closely like the Trump committee’s “Never Surrender” site, aiming to take advantage of the “urgency from Trump supporters and their potential victims. With the Trump campaign collecting more than $50M in a 24-hour period, there’s no telling how much might have been lured away by the criminals behind these scams,” the Netcraft researchers wrote.

Similarly, another fake domain was made to look almost exactly like a legitimate campaign site offering donors the chance to meet Trump at a dinner at his Mar-a-Lago residence in Florida. However, one clue that the bogus site was fake was the pitch that people who donated $2,000 could come to the dinner, an amount much too low to actually have come from the Trump campaign.

In addition, the cybercriminals are giving the victims of their scams multiple ways to pay. Rather than using the legitimate Coinbase Payments service offered by the Trump campaign, the bad actors are including phishing pages impersonating CoinGate and crypto payment flows using payment gateways Plisio and Oxapay.

The Netcraft researchers also saw scams that use traditional payment options, such as those that will selectively redirect the payment back to the legitimate campaign if the target selects a non-crypto payment method.

Using AI for Evil

Since generative AI hit the scene, cybersecurity pros have noted the use by threat actors of the technology to make their phishing emails more convincing. Typically the messages tend to be full of spelling and grammatical errors, which makes them easy to detect.

The messages in these latest campaigns “break from convention as they are very well structured, use proper English and grammar, contain nuanced language unique to the Trump campaign, as well as repetitive use of some key phrases,” the researchers wrote. “Analysis run on the messages reveals there is a very high likelihood the content was created using AI.”

They spotted this through the use of an AI-powered platform that was introduced in May and created to interact with cybercriminals, essentially conversing with the bad actors to gain insights into their operations and hopefully disrupt them. The Conversational Scam Intelligence platform was used to strike up a back-and-forth dialogue with one of the scammers and it was by looking over that peer-to-peer that the researchers saw that such typos and awkward grammar in the writing of the phishing lures were not present.

Netcraft also uses these discussions to coax information about the bad actors’ operation and in this case got threat intelligence that included mule bank accounts, payment application details, and email addresses.

“In addition to collecting critical data that can be utilized to disrupt attacks and dismantle infrastructure, this dialogue with the scammers confirms a popular concern that criminals are leveling up and using AI to create better, faster, and more believable scams,” they wrote.