Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Credential Harvesting Campaign Targets Government Procurement Services

credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

Multiple public and private sector organizations use procurement services targeted in this campaign, which spoofed sites for multiple international government departments, email services, and two courier services. 

The attackers sent phishing emails to trick intended victims into accessing spoof phishing sites that masqueraded as legitimate login pages relevant to government agencies. 

Anomali published an extensive report (PDF) detailing the campaign, but refrains from making an attribution. However, the cybersecurity solutions provider says that the attack appears to be persistent, although dormant at the moment, and that the phishing site domains are hosted in Turkey and Romania. 

Lure documents sent via email were likely written in native languages, except for the document used in South Africa, which is in English. 

Anomali’s security researchers discovered a total of 62 domains and approximately 122 phishing sites. The sites use Domain Validation (DV) certificates issued by “cPanel, Inc,” with subdomains that contain a secure, verification, bidding or delivery theme. 

Spoofed organizations included the United States Department of Energy, Department of Commerce, Department of Veterans Affairs, New Jersey House and Mortgage Finance Agency, Maryland Government Procurement Services, Florida Department of Managed Services, Department of Transportation, and Department of Housing and Urban Development. 

The attackers also spoofed the DHL International courier service, Canada’s and Mexico’s Government eProcurement services, Peru’s Public Procurement Centre, China’s SF-Express courier service and Ministry of Transport, Japan’s Ministry of Economy, Trade and Industry, Singapore’s Ministry of Industry and Trade, Malaysia’s Ministry of International Trade and Industry, Australia’s Government eProcurement Portal, Sweden’s Government Offices National Public Procurement Agency, Poland’s  Trade and Investment Agency, and South Africa’s Government Procurement Service. 

Advertisement. Scroll to continue reading.

“The focus on these services suggests the attacker is interested in those organizations (private and public) that may be a potential contractor or supplier for those governments targeted. The purpose of this insight could be a financial incentive to out compete a rival bidder, or more long term insight regarding the trust relationship between the potential supplier and the government in question,” Anomali says. 

The security firm also points out that protection against such campaigns is usually difficult, unless the domains hosting the phishing pages are known as being malicious (otherwise firewalls won’t block them). Although the sites were not active during analysis, Anomali believes that the targeting of these services will continue in the future.

“Phishing works. People are vulnerable and often do the wrong thing for the right reasons. This is why organizations assess risks and try to prevent all that is possible in line with their assessments and where that isn’t possible they have to be able to detect threats inside the organization in the minimum amount of time. That’s often easier said than done and the drive to reduce the time to detect is critical,” Anton Grashion, EMEA director at Corelight, told SecurityWeek in an emailed comment.

Related: Europol on Methodology Behind Successful Spear Phishing Attacks

Related: Don’t Take the Bait: A Look at the Latest Phishing Trends

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights