Researchers discovered a phishing campaign which attackers designed to harvest login credentials from government procurement services.

According to Anomali Labs, malicious actors crafted their campaign to target various services used by public and private entities to match buyers and sellers of government services.

They did so by directing recipients of specially crafted phishing emails to view an attached lure document. Each of those lure documents incorporated the language of the country hosting a targeted government organization.They also included an embedded link that ultimately redirected recipients to the spoofed websites for various government agencies, email service providers and courier services.

Researchers found that each of the fake websites contained a Domain Validation (DV) certification issued by “cPanel, Inc.” and that their subdomains used a bidding theme to target organizations. As Anomali Labs described in its research:

In the webpages there are clear emblems and labels detailing which organisation the attacker is attempting to mimic. The attackers have used legitimate domains as well as their own infrastructure. The webpage for the U.S. Department of Energy was hosted on “[.]best/auth/login.html” and redirected from the URL: “[.]com”. The redirect URL is based on a legitimate domain “newnepaltreks[.]com” which is likely to have been compromised in order to facilitate this attack.

Credential harvesting sites observed in this campaign. (Source: Anomali Labs)

Following its initial discovery of “server-bidsync[.]best,” Anomali Labs identified a research hash that led it to unearth 14 other domains hosting similar phishing sites. It then used the naming conventions of those sites as pivot points to detect even more phishing resources.

Researchers discovered a total of 62 domains and 122 phishing sites.

Overall, the campaign spoofed more than 20 organizations including the U.S. Department of Energy, (Read more...)