Friday, December 20, 2019

Anomali, Trend Micro identify credential harvesting campaign targeting government procurement sites

Multiple government procurement services were targeted by a credential harvesting campaign that uses bogus pages to steal login credentials. Cybersecurity company Anomali uncovered a campaign that used 62 domains and around 122 phishing sites in its operations and targeted 12 countries, including the United States, Canada, Japan, and Poland.

The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organisations to match buyers and suppliers. 

In this campaign, attackers spoofed sites for multiple international government departments, email services and two courier services. Lure documents sent via phishing emails were found to contain links to spoofed phishing sites masquerading as legitimate login pages relevant to the spoofed government agencies. Victims duped into following the phishing email link would then be invited to log in. Anyone who fell victim to the adversaries would have handed them their credentials.

This credential harvesting campaign has been primarily targeting government bidding and procurement services. The focus on these services suggests the threat actor(s) are interested in potential contractor(s) and/or supplier(s) for the targeted governments. The purpose of this insight could be a financial incentive to outcompete a rival bidder, or longer-term insight into the trust relationship between the potential supplier and the government in question.

Campaigns like these are difficult to protect against because unless the domains hosting the phishing pages are already known to be malicious, an organisation's firewall will not know to block them. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign. Although none of the sites in this campaign were active at the time of writing, Anomali researchers consider it likely that the actors will continue to target these services in the future.

The use of bogus login pages continues to be a popular method for credential harvesting campaigns. The Trend Micro Cloud App Security solution blocked 2.4 million attacks of this type in the first half of this year — a 59 percent increase from 1.5 million in the second half of last year.

Organizations should look into adopting advanced technologies such as the Trend Micro Cloud App Security solution. It combines artificial intelligence (AI) and computer vision in order to help detect and block attempts at credential harvesting in real time. 

After suspected phishing emails go through sender, content, and URL reputation analyses, computer vision technology and AI will examine the remaining URLs to check if a legitimate login page’s branded elements, login form, and other website components are being spoofed.

For this campaign, threat actors used phishing emails carrying documents written in the language of the country being targeted. The phishing emails were also found with URLs to fake but legitimate-looking login pages. If the recipient of the phishing email clicks on the malicious URL, they will be redirected to a login page that is an imitation of a legitimate website the campaign is spoofing. A login attempt will then lead to the theft of the user’s credentials.
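The attack flow above (a phishing email carrying a link to a spoofed government-portal login page, sometimes hosted on a compromised legitimate site) can be checked for at the mail gateway with a simple URL triage step. The following is an added example written for this post, not code from Anomali or Trend Micro; the portal allowlist, brand keywords and sample email are all constructed placeholders, and a real deployment would feed the allowlist from the organisation's actual procurement portals.

```python
import re
from urllib.parse import urlparse

# Hypothetical allowlist: brand keyword -> hostnames the gateway trusts for that brand.
# Placeholder names, not the real portals named in the article.
KNOWN_PORTALS = {
    "eprocure": {"eprocure.example.gov"},
    "energy": {"energy.example.gov"},
}
# Path fragments typical of credential-collection pages.
LOGIN_HINTS = ("login", "signin", "sign-in", "auth", "account", "verify")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(body):
    """Pull http(s) URLs out of a plain-text email body."""
    return URL_RE.findall(body)


def is_trusted_host(host, trusted):
    """True if host is one of the trusted names or a subdomain of one."""
    return any(host == t or host.endswith("." + t) for t in trusted)


def assess_url(url):
    """Return (verdict, reason) for one URL: 'ok', 'lookalike', 'suspicious' or 'unknown'."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    # 1. Anything on a genuinely trusted portal host passes.
    if any(is_trusted_host(host, t) for t in KNOWN_PORTALS.values()):
        return "ok", "trusted portal host"
    # 2. Brand keyword on an untrusted host or path: classic spoofed login page,
    #    including pages planted on a compromised but otherwise legitimate site.
    for brand in KNOWN_PORTALS:
        if brand in host or brand in path:
            return "lookalike", f"'{brand}' used on untrusted host {host}"
    # 3. Login-style path on an unknown host deserves a closer look.
    if any(hint in path for hint in LOGIN_HINTS):
        return "suspicious", f"login-style path on untrusted host {host}"
    return "unknown", "no indicator"


def assess_email(body):
    """Triage every URL in an email body; returns a list of (url, verdict, reason)."""
    return [(u, *assess_url(u)) for u in extract_urls(body)]


# Constructed sample lure, modelled on the campaign's "confirm your supplier account" pretext.
SAMPLE_EMAIL = """Tender notice attached. Please sign in to confirm your supplier account:
https://eprocure-portal.example.net/account/login
Reference bid: https://energy.example.gov/bids/123
Mirror: https://compromised-blog.example.org/wp-content/eprocure/signin.php
"""
```

Running `assess_email(SAMPLE_EMAIL)` flags the first and third links as lookalikes and passes the genuine portal link, which is the decision a gateway would want before reputation data for a brand-new domain exists.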


Aside from the websites of international government departments, those belonging to email services and two courier services were also spoofed by the threat actors. The U.S. Department of Energy, Canada’s Government eProcurement service, China’s SF-Express courier service, and Australia’s Government eProcurement Portal were some of the target organizations.

Email users should always be aware of the latest phishing tactics in order to avoid falling victim to credential harvesting attacks. After all, such attacks are becoming highly deceptive; in fact, it has become relatively easy for cybercriminals to obtain a .gov domain that they can use to further disguise their schemes.

To minimize the chance of becoming a victim, users should be cautious of emails from individuals or organizations that ask for personal information. Most companies will not ask their customers for sensitive data, especially under stricter data privacy laws. Look out for grammatical errors and spelling mistakes in suspicious emails; emails from legitimate companies are usually proofread to ensure that the materials they send out are error-free.

Emails that call on a sense of urgency or have an alarmist tone should not be hastily acted on. If in doubt, recipients should verify the status of their accounts with their company’s system administrator or service provider.
