Security Experts:

Connect with us

Hi, what are you looking for?



Credential Harvesting Campaign Targets Government Procurement Services

credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

Multiple public and private sector organizations use procurement services targeted in this campaign, which spoofed sites for multiple international government departments, email services, and two courier services. 

The attackers sent phishing emails to trick intended victims into accessing spoof phishing sites that masqueraded as legitimate login pages relevant to government agencies. 

Anomali published an extensive report (PDF) detailing the campaign, but refrains from making an attribution. However, the cybersecurity solutions provider says that the attack appears to be persistent, although dormant at the moment, and that the phishing site domains are hosted in Turkey and Romania. 

Lure documents sent via email were likely written in native languages, except for the document used in South Africa, which is in English. 

Anomali’s security researchers discovered a total of 62 domains and approximately 122 phishing sites. The sites use Domain Validation (DV) certificates issued by “cPanel, Inc,” with subdomains that contain a secure, verification, bidding or delivery theme. 

Spoofed organizations included the United States Department of Energy, Department of Commerce, Department of Veterans Affairs, New Jersey House and Mortgage Finance Agency, Maryland Government Procurement Services, Florida Department of Managed Services, Department of Transportation, and Department of Housing and Urban Development. 

The attackers also spoofed the DHL International courier service, Canada’s and Mexico’s Government eProcurement services, Peru’s Public Procurement Centre, China’s SF-Express courier service and Ministry of Transport, Japan’s Ministry of Economy, Trade and Industry, Singapore’s Ministry of Industry and Trade, Malaysia’s Ministry of International Trade and Industry, Australia’s Government eProcurement Portal, Sweden’s Government Offices National Public Procurement Agency, Poland’s  Trade and Investment Agency, and South Africa’s Government Procurement Service. 

“The focus on these services suggests the attacker is interested in those organizations (private and public) that may be a potential contractor or supplier for those governments targeted. The purpose of this insight could be a financial incentive to out compete a rival bidder, or more long term insight regarding the trust relationship between the potential supplier and the government in question,” Anomali says. 

The security firm also points out that protection against such campaigns is usually difficult, unless the domains hosting the phishing pages are known as being malicious (otherwise firewalls won’t block them). Although the sites were not active during analysis, Anomali believes that the targeting of these services will continue in the future.

“Phishing works. People are vulnerable and often do the wrong thing for the right reasons. This is why organizations assess risks and try to prevent all that is possible in line with their assessments and where that isn’t possible they have to be able to detect threats inside the organization in the minimum amount of time. That’s often easier said than done and the drive to reduce the time to detect is critical,” Anton Grashion, EMEA director at Corelight, told SecurityWeek in an emailed comment.

Related: Europol on Methodology Behind Successful Spear Phishing Attacks

Related: Don’t Take the Bait: A Look at the Latest Phishing Trends

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.