Credential Harvesting Campaign Targets Government Procurement Sites Worldwide

Multiple government procurement services were targeted by a credential harvesting campaign that uses bogus pages to steal login credentials. Cybersecurity company Anomali uncovered a campaign that used 62 domains and around 122 phishing sites in its operations and targeted 12 countries, including the United States, Canada, Japan, and Poland.

The use of bogus login pages continues to be a popular method for credential harvesting campaigns. The Trend Micro™ Cloud App Security™ solution blocked 2.4 million attacks of this type in 2019 1H — a 59% increase from 1.5 million in 2018 2H.

How the campaign operates

For this campaign, threat actors used phishing emails carrying documents written in the language of the country being targeted. The phishing emails were also found with URLs to fake but legitimate-looking login pages. These URLs were primarily hosted on the following IP addresses: 31[.]210[.]96[.]221, 193[.]29[.]187[.]173, 91[.]235[.]116[.]146, 188[.]241[.]58[.]170.

If the recipient of the phishing email clicks on the malicious URL, they will be redirected to a login page that is an imitation of a legitimate website the campaign is spoofing. A login attempt will then lead to the theft of the user’s credentials.

Aside from the websites of international government departments, those belonging to email services and two courier services were also spoofed by the threat actors. The U.S. Department of Energy, Canada’s Government eProcurement service, China’s SF-Express courier service, and Australia’s Government eProcurement Portal were some of the target organizations.
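The four hosting addresses listed above can be used to hunt for past contact in proxy or firewall logs. The following is an added example, not part of the original report: the log format, sample lines, and function names are constructed for illustration, and only the four IP addresses come from the article.

```python
import ipaddress
import re

# Defanged indicators exactly as listed in the article.
DEFANGED_IOCS = [
    "31[.]210[.]96[.]221",
    "193[.]29[.]187[.]173",
    "91[.]235[.]116[.]146",
    "188[.]241[.]58[.]170",
]

def refang(indicator):
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")

IOC_ADDRS = {ipaddress.ip_address(refang(i)) for i in DEFANGED_IOCS}

# Candidate IPv4 tokens. Each is validated with ipaddress before comparison,
# so 131.210.96.221 or 31.210.96.2210 never match by substring accident.
IPV4_TOKEN = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def find_hits(log_lines):
    """Return (line_number, ioc_ip, line) for each line referencing an IoC address."""
    hits = []
    for lineno, line in enumerate(log_lines, start=1):
        for token in IPV4_TOKEN.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                continue  # not a valid IPv4 address, e.g. 999.1.1.1
            if addr in IOC_ADDRS:
                hits.append((lineno, str(addr), line))
    return hits

# Constructed sample log lines (hypothetical format: time src_ip dst_ip method url).
SAMPLE_LOG = [
    "2020-01-01T08:01:12Z 10.0.4.17 93.184.216.34 GET http://example.com/",
    "2020-01-01T08:03:40Z 10.0.4.22 31.210.96.221 POST http://login.example.invalid/auth",
    "2020-01-01T08:04:02Z 10.0.4.23 131.210.96.221 GET http://example.org/",
    "2020-01-01T08:09:55Z 10.0.4.31 188.241.58.170 GET http://portal.example.invalid/",
]

if __name__ == "__main__":
    for lineno, ip, line in find_hits(SAMPLE_LOG):
        print(f"line {lineno}: contact with {ip}: {line}")
```

A POST to one of these addresses is the higher-priority finding, since the campaign's pages collect credentials on login submission; the source host in such a line identifies the account that should have its password reset.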


Security recommendations

Email users should always be aware of the latest phishing tactics in order to avoid falling victim to credential harvesting attacks. After all, such attacks are becoming highly deceptive; in fact, it has become relatively easy for cybercriminals to obtain a .gov domain that they can use to further disguise their schemes.

To minimize the chance of becoming a victim, users can follow these best practices in identifying phishing attacks:

  • Be cautious of emails from individuals or organizations that ask for personal information. Most companies will not ask for sensitive data from their customers, especially with stricter data privacy laws.
  • Look out for grammatical errors and spelling mistakes in suspicious emails. Emails from legitimate companies are often proofread to ensure that the materials they send out are error-free.
  • Emails that call on a sense of urgency or have an alarmist tone should not be hastily acted on. If in doubt, recipients should verify the status of their accounts with their company’s system administrator or service provider.

Organizations should look into adopting advanced technologies such as the Trend Micro Cloud App Security solution. It combines artificial intelligence (AI) and computer vision in order to help detect and block attempts at credential harvesting in real time. After suspected phishing emails go through sender, content, and URL reputation analyses, computer vision technology and AI will examine the remaining URLs to check if a legitimate login page’s branded elements, login form, and other website components are being spoofed.
