Researchers from Anomali discovered a new, mysterious phishing campaign that attempts to steal login credentials from government departments around the world. In total, the attacks have targeted at least 22 different organizations across North America, Europe and Asia.
The attacks consist of emails pretending to be related to the targeted government agencies that attempt to trick victims into clicking an email link directing them to authentic-looking, spoofed government agency websites, which prompt the victims to input their username and password. The country that has seen the highest volume of these attacks is the United States, with the U.S. Department of Energy, U.S. Department of Commerce and U.S. Department of Veterans Affairs being among those targeted.
It’s currently unclear who is behind the attacks or what their primary goals are.
Phishing works. People are vulnerable and often do the wrong thing for the right reasons. This is why organisations assess risks and try to prevent all that is possible in line with their assessments, and where that isn’t possible they have to be able to detect threats inside the organisation in the minimum amount of time. That’s often easier said than done, and the drive to reduce the time to detect is critical.
Phishing is a favoured technique of organised criminals and state-sponsored actors due to its high rate of success. The fact that this particular attack has gone to many government departments would indicate a targeted campaign.
Government departments should remain vigilant, especially around the holiday period where many staff are on vacation so any intrusion may go undetected for longer.
Security awareness and training is fundamental in defending organisations against such phishing attacks. From a technical perspective, if these government departments haven’t implemented MFA, they should consider doing so as a priority, as it can help protect accounts even if the password has been compromised.
Criminal hackers are evolving their phishing emails to make them extremely convincing to the end user, and with a spear phishing email, it’s targeted for that particular user. Criminals will use typosquatting to create a similar website with a transposed character to make it easier for people to fall victim to these types of attacks when they hover over the link in the email.
Organizations with a strong and robust security awareness program can provide training for employees to be aware of these types of phishing and spear phishing emails. The training can additionally educate the users to be aware of social engineering and to verify any websites before they click on the link.
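The transposed-character lookalike domains described in the two comments above can be screened for on the defender's side, for instance by a mail gateway or a link-checking tool, before a user ever hovers over the link. The following is an added example, not code from the article or from any of the quoted vendors; the protected domain names are constructed placeholders and the `within_one_edit` and `classify_link` function names are assumptions of this example.

```python
# Added example, not from the article: flag a link host that is one edit away
# from a protected domain (a swapped, substituted, dropped or inserted character).
# PROTECTED_DOMAINS holds constructed placeholder names, not real targets.
from urllib.parse import urlparse

PROTECTED_DOMAINS = {"agency.example.gov", "portal.example.gov"}  # constructed


def within_one_edit(a: str, b: str) -> bool:
    """True when a and b differ by at most one edit; an adjacent-character
    swap (the transposition the comment describes) counts as one edit."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = 0  # first index where the strings differ
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        substitution = a[i + 1:] == b[i + 1:]
        swap = (i + 1 < len(a) and a[i] == b[i + 1] and a[i + 1] == b[i]
                and a[i + 2:] == b[i + 2:])
        return substitution or swap
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]  # one insertion or deletion


def link_host(url: str) -> str:
    """Lower-cased host of the URL with any leading 'www.' removed."""
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, protected=PROTECTED_DOMAINS) -> str:
    """'trusted' for a protected domain or one of its subdomains,
    'lookalike' when the host is one edit from a protected domain,
    'invalid' when no host can be parsed, otherwise 'unknown'."""
    host = link_host(url)
    if not host:
        return "invalid"
    if any(host == d or host.endswith("." + d) for d in protected):
        return "trusted"
    if any(within_one_edit(host, d) for d in protected):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://login.agency.example.gov/sso", "https://agnecy.example.gov/sso"):
        print(u, "->", classify_link(u))
```

A host classified as `lookalike` is a candidate for quarantine or for a warning banner; an `unknown` host simply is not one of the protected names and needs the usual reputation checks.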
State and local governments are badly exposed to the risks of ransomware and CEO/BEC (Business Email Compromise) attacks. At Lucy Security, in client meetings we consistently find that around 30 percent of spoof emails are delivered to the email inboxes of local government staff. The problem with relying on technical defenses like firewalls and DMARC alone is that the attackers only need to get lucky once. Defenses need to be 100 percent effective, 100 percent of the time. That is never going to happen. You can patch systems, but the bad guys always find new vulnerabilities.
Up to 30 percent of untrained staff are highly susceptible to the attacks that do succeed. Just like technical defenses, staff can be “patched” to reduce their vulnerabilities to phishing attacks, by training them in a holistic, integrated way. Treat people and systems as parts of the whole.
A holistic approach to cybersecurity is essential – deploy technical defenses and “patch” your staff to significantly protect assets through defense in depth.
This new global phishing campaign targeting government departments is a prime example of how sophisticated and convincing cybercrime tactics have become, especially phishing attacks. There is a common misconception that phishing emails are easy to identify, because they’ll contain spelling and grammar errors and are clearly not coming from anyone the recipient knows. The truth is, cybercriminals have become extremely adept at crafting emails that are indistinguishable from legitimate emails that recipients receive every day. In this particular instance, the hackers are using advanced impersonation techniques (used in over 80 percent of spear-phishing emails) and even writing emails in the targets’ native language, all with the aim of driving victims to spoofed websites that will steal the victims’ login credentials.
To stop attacks like this, the first essential step is to prevent malicious emails from ever entering inboxes. Most email defenses will focus on the content of the messages and the links they contain, but given the rapidly evolving attack techniques, content-centric systems don’t always catch the bad guys. Therefore, it’s imperative for companies to implement known best practices to proactively defend their inboxes, such as properly enforcing DMARC, a widely-accepted open standard that ensures only authorized senders can use your domain in the From: field of their email messages, and deploying modern anti-phishing solutions that validate senders’ identities.
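Whether DMARC is "properly enforcing", as the comment above puts it, can be read off a domain's published record: a `p=none` policy only collects reports, and `pct` below 100 or `sp=none` leaves part of the mail or the subdomains unprotected. The following added example (not the article's code nor any vendor's) parses a DMARC TXT record and reports its posture; the records used are constructed samples, and `assess_dmarc` is an assumed name.

```python
# Added example, not from the article: decide whether a DMARC record actually
# enforces (p=quarantine/reject applied to 100% of mail and to subdomains) or
# merely monitors. The sample records in main are constructed, not real lookups.
from typing import Dict, List, Tuple


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag/value dict."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> Tuple[str, List[str]]:
    """Return (posture, findings). posture is one of:
    'invalid'    not a DMARC1 record, or p= missing or unrecognised
    'monitoring' p=none: reports only, spoofed mail is still delivered
    'partial'    quarantine/reject, but pct<100 or subdomains left at sp=none
    'enforcing'  quarantine/reject for all mail, domain and subdomains alike
    """
    tags = parse_dmarc(record)
    findings: List[str] = []
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid", ["record is not a DMARC1 record with a p= policy"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"unrecognised policy p={tags['p']}"]
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    if policy == "none":
        return "monitoring", findings + ["p=none does not block spoofed mail"]
    weakened = False
    pct = tags.get("pct", "100")  # DMARC default is 100
    if not pct.isdigit() or int(pct) < 100:
        weakened = True
        findings.append(f"pct={pct}: policy applied to only part of the mail")
    if tags.get("sp", policy).lower() == "none":  # sp defaults to p
        weakened = True
        findings.append("sp=none: subdomains can still be spoofed")
    return ("partial" if weakened else "enforcing"), findings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",  # constructed
                "v=DMARC1; p=quarantine; pct=25", "v=DMARC1; p=none"):
        print(rec, "->", assess_dmarc(rec))
```

The record itself is obtained from the `_dmarc.<domain>` TXT record; the function only judges what that record says, not whether SPF or DKIM are aligned for the domain's real senders.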