BEC campaign sees hackers impersonating US government agencies
Hackers have been observed impersonating US government agencies as part of a business email compromise (BEC) campaign aimed at tricking victims into clicking on links to malicious files and handing over credentials.
The threat group, tracked as TA4903 by enterprise cybersecurity firm Proofpoint, has previously been seen using this attack strategy, having been active since 2019.
Proofpoint said the group’s motivations are purely financial and that it specializes in BEC attacks: it gains access to email accounts or corporate networks by stealing credentials and then searches those accounts for financial details. It typically targets US companies, using high-volume email campaigns.
Its operations have reportedly increased since mid-2023 and have continued throughout this year.
TA4903 has been observed impersonating US government entities since December 2021, when it impersonated the US Department of Labor. The group has since impersonated the Department of Housing and Urban Development, the U.S. Department of Transportation, the U.S. Department of Commerce, and, most recently, the U.S. Department of Agriculture.
In its most recent attacks the group has embedded QR codes in PDF files attached to emails. The PDFs are fake organizational documents that follow the same design theme, which Proofpoint says makes them identifiable: they share a common design and the same data.
“In these campaigns, the attached PDF files are often multiple pages long and have embedded URLs and QR codes that lead to government-branded phishing websites,” Proofpoint wrote.
Proofpoint has noted that the author’s name on the documents is consistent and suggests that the threat actor is based in Nigeria.
The attached QR codes lead to portals that “spoof US government entities, typically using bid proposal honeypots,” according to Proofpoint.
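A defender triaging such attachments wants two quick checks that the article implies: do the links in a "government" PDF actually resolve to a .gov host, and does the document's author metadata match the name already seen across the campaign? The following is an added example, not Proofpoint's tooling; the sample PDF bytes and the author name are constructed here, and the regex approach assumes uncompressed PDF objects (real files should be decompressed with a PDF library first).

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample: a tiny uncompressed PDF with an /Author entry, one link to
# a real .gov domain, one link to a lookalike portal, and one image object.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Title (Bid Proposal) /Author (sample-author) >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.usda.gov/procurement) >> >> endobj
3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://bid-portal-login.example/signin) >> >> endobj
4 0 obj << /Type /XObject /Subtype /Image /Width 300 /Height 300 >> endobj
%%EOF
"""

URI_RE = re.compile(rb"/URI\s*\((.*?)\)", re.DOTALL)   # link actions
AUTHOR_RE = re.compile(rb"/Author\s*\((.*?)\)")        # document metadata
IMAGE_RE = re.compile(rb"/Subtype\s*/Image\b")         # QR-code candidates


def extract_uris(pdf: bytes) -> List[str]:
    """Return every /URI target found in uncompressed link annotations."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf)]


def is_gov_host(url: str) -> bool:
    """True only if the URL's host is under the .gov TLD (not a lookalike)."""
    host = (urlparse(url).hostname or "").lower()
    return host == "gov" or host.endswith(".gov")


def triage_pdf(pdf: bytes, known_author: str = "sample-author") -> Dict:
    """Flag a government-branded PDF whose links leave .gov; report author
    and image-object count so a QR decoder can be run on the images next."""
    uris = extract_uris(pdf)
    off_gov = [u for u in uris if not is_gov_host(u)]
    m = AUTHOR_RE.search(pdf)
    author = m.group(1).decode("latin-1") if m else None
    return {
        "author": author,
        "author_matches_campaign": author == known_author,
        "uris": uris,
        "off_gov_uris": off_gov,
        "image_objects": len(IMAGE_RE.findall(pdf)),
        "suspicious": bool(off_gov) or author == known_author,
    }
```

Image objects are only counted here; decoding them as QR codes and running the decoded URL through the same `is_gov_host` check is the natural next step.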
It is currently unknown whether anyone has fallen for TA4903’s latest campaign, but with people likely to receive emails from government entities and political parties ahead of the next election, the timing of the campaign makes it increasingly dangerous.
Proofpoint has previously observed TA4903 launching similar campaigns under other disguises, such as a case that first appeared in 2023, in which the group posed as a company that had suffered a cyberattack and emailed finance department staff requesting updated financial information.
“We take the security and privacy of our customers very seriously and have already taken appropriate measures to contain the situation and mitigate the impact,” the fake email said.
“However, to ensure the security of our financial transactions, we need to update our banking information immediately.
“Could you please provide me with information on who is responsible for updating banking information within your organization?”