Phishing Campaign Targets Login Credentials of Multiple US, International Government Procurement Services


Overview


The Anomali Threat Research Team identified a credential harvesting campaign designed to steal login details from multiple government procurement services. These procurement services are used by many public and private sector organisations to match buyers and suppliers. In this campaign, attackers spoofed sites for multiple international government departments, email services and two courier services. Lure documents sent via phishing emails were found to contain links to spoofed sites masquerading as legitimate login pages for the impersonated government agencies. Victims duped into following the link in the phishing email would then be invited to log in, and anyone who did so would have handed their credentials to the adversaries.


Spoofed Organisations


United States - U.S. Department of Energy
United States - U.S. Department of Commerce
United States - U.S. Department of Veteran Affairs
United States - New Jersey House and Mortgage Finance Agency
United States - Maryland Government Procurement Services
United States - Florida Department of Managed Services
United States - Department of Transport
United States - Department of Housing and Urban Development
DHL International courier service
Canada - Government eProcurement service
Mexico - Government eProcurement services
Peru - Public Procurement Centre
China - SF-Express courier service
China - Ministry of Transport
Japan - Ministry of Economy, Trade and Industry
Singapore - Ministry of Industry and Trade
Malaysia - Ministry of International Trade and Industry
Australia - Government eProcurement Portal
Sweden - Government Offices National Public Procurement Agency
Poland - Trade and Investment Agency
South Africa - Government Procurement Service

At present, it is not clear who the threat actors are, but it does appear to be a persistent attack. The domains of the spoofed phishing sites are hosted in Turkey and Romania. The campaign is currently dormant.


