Security Experts:

Connect with us

Hi, what are you looking for?



Credential Harvesting Campaign Targets Government Procurement Services

credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

credential harvesting campaign has been targeting multiple government procurement services in the United States and abroad, Anomali reveals. 

Multiple public and private sector organizations use procurement services targeted in this campaign, which spoofed sites for multiple international government departments, email services, and two courier services. 

The attackers sent phishing emails to trick intended victims into accessing spoof phishing sites that masqueraded as legitimate login pages relevant to government agencies. 

Anomali published an extensive report (PDF) detailing the campaign, but refrains from making an attribution. However, the cybersecurity solutions provider says that the attack appears to be persistent, although dormant at the moment, and that the phishing site domains are hosted in Turkey and Romania. 

Lure documents sent via email were likely written in native languages, except for the document used in South Africa, which is in English. 

Anomali’s security researchers discovered a total of 62 domains and approximately 122 phishing sites. The sites use Domain Validation (DV) certificates issued by “cPanel, Inc,” with subdomains that contain a secure, verification, bidding or delivery theme. 

Spoofed organizations included the United States Department of Energy, Department of Commerce, Department of Veterans Affairs, New Jersey House and Mortgage Finance Agency, Maryland Government Procurement Services, Florida Department of Managed Services, Department of Transportation, and Department of Housing and Urban Development. 

The attackers also spoofed the DHL International courier service, Canada’s and Mexico’s Government eProcurement services, Peru’s Public Procurement Centre, China’s SF-Express courier service and Ministry of Transport, Japan’s Ministry of Economy, Trade and Industry, Singapore’s Ministry of Industry and Trade, Malaysia’s Ministry of International Trade and Industry, Australia’s Government eProcurement Portal, Sweden’s Government Offices National Public Procurement Agency, Poland’s  Trade and Investment Agency, and South Africa’s Government Procurement Service. 

“The focus on these services suggests the attacker is interested in those organizations (private and public) that may be a potential contractor or supplier for those governments targeted. The purpose of this insight could be a financial incentive to out compete a rival bidder, or more long term insight regarding the trust relationship between the potential supplier and the government in question,” Anomali says. 

The security firm also points out that protection against such campaigns is usually difficult, unless the domains hosting the phishing pages are known as being malicious (otherwise firewalls won’t block them). Although the sites were not active during analysis, Anomali believes that the targeting of these services will continue in the future.

“Phishing works. People are vulnerable and often do the wrong thing for the right reasons. This is why organizations assess risks and try to prevent all that is possible in line with their assessments and where that isn’t possible they have to be able to detect threats inside the organization in the minimum amount of time. That’s often easier said than done and the drive to reduce the time to detect is critical,” Anton Grashion, EMEA director at Corelight, told SecurityWeek in an emailed comment.

Related: Europol on Methodology Behind Successful Spear Phishing Attacks

Related: Don’t Take the Bait: A Look at the Latest Phishing Trends

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.