Phishing Campaign Targets Login Credentials of Multiple U.S., International Government Procurement Services

The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. The procurement services are used by many public and private sector organizations to match buyers and suppliers.

In this campaign, attackers spoofed sites for multiple international government departments, email services and two courier services. Lure documents sent via phishing emails were found to contain links to spoofed sites masquerading as legitimate login pages relevant to the spoofed government agencies. Victims duped into following the phishing email link would then be invited to log in. Anyone who fell victim to the adversaries would have provided them with their credentials.

Spoofed organizations:

  • United States – U.S. Department of Energy
  • United States – U.S. Department of Commerce
  • United States – U.S. Department of Veteran Affairs
  • United States – New Jersey House and Mortgage Finance Agency
  • United States – Maryland Government Procurement Services
  • United States – Florida Department of Managed Services
  • United States – Department of Transport
  • United States – Department of Housing and Urban Development
  • DHL International courier service
  • Canada – Government eProcurement service
  • Mexico – Government eProcurement services
  • Peru – Public Procurement Centre
  • China – SF-Express courier service
  • China – Ministry of Transport
  • Japan – Ministry of Economy, Trade and Industry
  • Singapore – Ministry of Industry and Trade
  • Malaysia – Ministry of International Trade and Industry
  • Australia – Government eProcurement Portal
  • Sweden – Government Offices National Public Procurement Agency
  • Poland – Trade and Investment Agency
  • South Africa – Government Procurement Service

At present, it is not clear who the threat actors are, but it does appear to be a persistent attack. Spoofed phishing site domains are hosted in Turkey and Romania. The campaign is currently dormant.

The focus on these services suggests the threat actor(s) are interested in potential contractor(s) and/or supplier(s) for those governments targeted. The purpose of this insight could be a financial incentive to outcompete a rival bidder, or more long-term insight regarding the trust relationship between the potential supplier and the government in question. Campaigns like these are difficult to protect against because, unless the domains hosting the phishing pages are known to be malicious, an organization's firewall will not know to block them. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign.

Read more at Anomali
