Credential Harvesting Campaign Targets Government Procurement Services

A credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

Multiple public and private sector organizations use procurement services targeted in this campaign, which spoofed sites for multiple international government departments, email services, and two courier services. 

The attackers sent phishing emails to trick intended victims into accessing spoof phishing sites that masqueraded as legitimate login pages relevant to government agencies. 

Anomali published an extensive report (PDF) detailing the campaign, but refrains from making an attribution. However, the cybersecurity solutions provider says that the attack appears to be persistent, although dormant at the moment, and that the phishing site domains are hosted in Turkey and Romania. 

Lure documents sent via email were likely written in native languages, except for the document used in South Africa, which is in English. 

Anomali’s security researchers discovered a total of 62 domains and approximately 122 phishing sites. The sites use Domain Validation (DV) certificates issued by “cPanel, Inc,” with subdomains that contain a secure, verification, bidding or delivery theme. 

Spoofed organizations included the United States Department of Energy, Department of Commerce, Department of Veterans Affairs, New Jersey House and Mortgage Finance Agency, Maryland Government Procurement Services, Florida Department of Managed Services, Department of Transportation, and Department of Housing and Urban Development. 

The attackers also spoofed the DHL International courier service, Canada’s and Mexico’s Government eProcurement services, Peru’s Public Procurement Centre, China’s SF-Express courier service and Ministry of Transport, Japan’s Ministry of Economy, Trade and Industry, Singapore’s Ministry of Industry and Trade, Malaysia’s Ministry of International Trade and Industry, Australia’s Government eProcurement Portal, Sweden’s Government Offices National Public Procurement Agency, Poland’s  Trade and Investment Agency, and South Africa’s Government Procurement Service. 

“The focus on these services suggests the attacker is interested in those organizations (private and public) that may be a potential contractor or supplier for those governments targeted. The purpose of this insight could be a financial incentive to out compete a rival bidder, or more long term insight regarding the trust relationship between the potential supplier and the government in question,” Anomali says. 

The security firm also points out that protection against such campaigns is usually difficult, unless the domains hosting the phishing pages are known as being malicious (otherwise firewalls won’t block them). Although the sites were not active during analysis, Anomali believes that the targeting of these services will continue in the future.

“Phishing works. People are vulnerable and often do the wrong thing for the right reasons. This is why organizations assess risks and try to prevent all that is possible in line with their assessments and where that isn’t possible they have to be able to detect threats inside the organization in the minimum amount of time. That’s often easier said than done and the drive to reduce the time to detect is critical,” Anton Grashion, EMEA director at Corelight, told SecurityWeek in an emailed comment.

Related: Europol on Methodology Behind Successful Spear Phishing Attacks

Related: Don’t Take the Bait: A Look at the Latest Phishing Trends