Multiple government procurement services were targeted by a credential harvesting campaign that uses bogus pages to steal login credentials. Cybersecurity company Anomali uncovered a campaign that used 62 domains and around 122 phishing sites in its operations and targeted 12 countries, including the United States, Canada, Japan, and Poland.
The use of bogus login pages continues to be a popular method for credential harvesting campaigns. The Trend Micro™ Cloud App Security™ solution blocked 2.4 million attacks of this type in 2019 1H — a 59% increase from 1.5 million in 2018 2H.
How the campaign operates
For this campaign, threat actors used phishing emails carrying documents written in the language of the targeted country. The phishing emails also contained URLs pointing to fake but legitimate-looking login pages. These URLs were primarily hosted on the following IP addresses: 31[.]210[.]96[.]221, 193[.]29[.]187[.]173, 91[.]235[.]116[.]146, 188[.]241[.]58[.]170.
If the recipient of the phishing email clicks on the malicious URL, they will be redirected to a login page that is an imitation of a legitimate website the campaign is spoofing. A login attempt will then lead to the theft of the user’s credentials.
Aside from the websites of international government departments, those belonging to email services and two courier services were also spoofed by the threat actors. The U.S. Department of Energy, Canada's Government eProcurement service, China's SF-Express courier service, and Australia's Government eProcurement Portal were among the spoofed organizations.
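As an added illustration (not part of the original article), the following Python triage check pulls URLs out of an email body and flags any hosted on the campaign IP addresses quoted above, or on a bare IP address rather than a domain, which is how the spoofed login pages in this campaign were served. The sample messages and the 203.0.113.7 address are constructed.

```python
import re
from urllib.parse import urlparse

# Defanged hosting IPs reported for the campaign (from the article), refanged for matching.
CAMPAIGN_IPS = {
    ip.replace("[.]", ".")
    for ip in ("31[.]210[.]96[.]221", "193[.]29[.]187[.]173",
               "91[.]235[.]116[.]146", "188[.]241[.]58[.]170")
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def assess_url(url):
    """Return (verdict, reason) for one URL found in an email body."""
    host = (urlparse(url).hostname or "").lower()
    if host in CAMPAIGN_IPS:
        return "block", f"host {host} is a known campaign hosting IP"
    if IPV4_RE.match(host):
        return "review", f"link uses a bare IP address ({host}) instead of a domain"
    return "allow", f"host {host} not on the campaign list"


def scan_email(body):
    """Extract every URL in an email body; return the worst verdict plus per-URL details."""
    findings = [(url,) + assess_url(url) for url in URL_RE.findall(body)]
    order = {"allow": 0, "review": 1, "block": 2}
    worst = max((f[1] for f in findings), key=order.get, default="allow")
    return worst, findings


# Constructed sample messages (not real captures) to exercise the checks.
SAMPLES = {
    "campaign": "Please confirm your eProcurement account: http://193.29.187.173/portal/login.php",
    "bare_ip": "Tender documents available at https://203.0.113.7/login",
    "benign": "Meeting notes are at https://intranet.example.org/notes",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        verdict, details = scan_email(body)
        print(name, verdict, details)
```

In practice the indicator set would be fed from a threat-intelligence source rather than hard-coded, and a "review" verdict would route the message to an analyst queue rather than block it outright.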
Email users should always be aware of the latest phishing tactics in order to avoid falling victim to credential harvesting attacks. After all, such attacks are becoming highly deceptive; in fact, it has become relatively easy for cybercriminals to obtain a .gov domain that they can use to further disguise their schemes.
To minimize the chance of becoming a victim, users can follow these best practices in identifying phishing attacks:
- Be cautious of emails from individuals or organizations that ask for personal information. Most companies will not ask their customers for sensitive data, especially under stricter data privacy laws.
- Look out for grammatical errors and spelling mistakes in suspicious emails. Emails from legitimate companies are often proofread to ensure that the materials they send out are error-free.
- Emails that call on a sense of urgency or have an alarmist tone should not be hastily acted on. If in doubt, recipients should verify the status of their accounts with their company’s system administrator or service provider.