A mysterious new phishing campaign is targeting government departments and related business services around the world in cyberattacks that aim to steal victims’ login credentials.
Anyone who enters their login credentials into the spoofed government agency websites will give cyber criminals access to their account.
The campaign has been discovered and detailed by cybersecurity researchers at Anomali, but while it’s clear a lot of work has gone into what researchers describe as a ‘persistent’ campaign, it’s unclear who is behind the attacks or what their ultimate motivations are. It could be an effort to conduct corporate espionage.
“It could be that the adversaries are trying to gain access to potential bidders to undercut the competition or to compromise government suppliers for more long-term gain,” Sara Moore, cyber-threat intelligence analyst at Anomali, told ZDNet.
The majority of the attacks focus on government departments, but a small percentage also target procurement and logistics firms related to the targets.
The country in which the largest number of these attacks has been seen is the United States, with the U.S. Department of Energy, U.S. Department of Commerce and U.S. Department of Veterans Affairs among those targeted.
Those behind the attacks have been careful to create unique lures for each of their targets, using phishing emails containing a lure document purporting to be related to bidding and procurement activity of the department. In each case, the phishing email is written in the native language of the target department’s country.
For example, a phishing email targeting the U.S. Department of Commerce claims to contain information related to bidding on commercial products and services, with the target encouraged to open a lure document. The document contains an embedded link, which the target is encouraged to click through to – and it’s this that leads to one of the phishing websites.
Like the email and document lures, the phishing website is designed to look like the real one used by the agency or company that’s being targeted. These websites have legitimate names, information and documents used by the target in an effort to appear more authentic and avoid suspicion by the user.
While it isn’t known what sort of cyber-criminal operation is behind the spoofed websites and associated phishing campaigns, the domains are being hosted in Turkey and Romania. However, that location doesn’t reveal who could be behind the attacks, because the attackers could set up phishing sites from any country in the world and could use any country to host the domains. During Anomali’s investigation, a total of 62 domains and 122 phishing websites were uncovered.
Researchers have notified the relevant CERTs (Computer Emergency Response Teams), informing them about the attacks – although it’s currently unknown if the attackers have managed to make off with any stolen credentials.
However, there are things that organisations in all sectors can do in an effort to protect themselves from this campaign or any other phishing attack.
“Organisations should make sure they have access to threat intelligence and research that provides details about the existence of these types of attacks. They should have the ability to integrate intelligence and research into their security infrastructures to enable detection, blocking, and response,” said Moore.
“Security-awareness training that teaches employees how to spot and report suspicious phishing email is also crucial,” she added.