Scores of domains and over 120 phishing sites have been detected as part of a major global campaign targeting government procurement services, according to Anomali.
The security vendor said the credential harvesting campaign featured spoofed sites for multiple international government departments, email services and two courier services, plus the usual email-based social engineering techniques.
The attached documents in these phishing emails contained links to the spoofed sites masquerading as legitimate login pages.
The US was the most targeted government, with over 50 phishing sites set up to harvest credentials from visitors. However, Canada, Japan, Poland, China, Sweden, Mexico, Australia and Peru were all affected, among other countries.
In total, 62 domains and 122 phishing sites were detected by Anomali. Although none of these sites were active at the time of writing, Anomali warned that the group behind them could restart operations in the future.
“This credential harvesting campaign has been primarily targeting government bidding and procurement services. The focus on these services suggests the threat actor(s) are interested in potential contractor(s) and/or supplier(s) for those governments targeted. The purpose of this insight could be a financial incentive to outcompete a rival bidder, or more long-term insight regarding the trust relationship between the potential supplier and the government in question,” explained the Anomali Threat Research Team.
“Campaigns like these are difficult to protect against because unless the domains hosting the phishing pages are known as malicious, an organization’s firewall will not know to block it. Legitimate sites were also hosting the phishing pages, and were likely compromised as part of the campaign.”
According to Microsoft, phishing attacks soared by 250% over 2018.