Powered by MOMENTUM MEDIA
cyber daily logo
Breaking news and updates daily. Subscribe to our Newsletter

BEC campaign sees hackers impersonating US government agencies

Hackers have been observed impersonating US government agencies as part of a business email compromise (BEC) campaign aiming to trick victims into clicking links to malicious files and handing over credentials.

user icon Daniel Croft
Thu, 07 Mar 2024
BEC campaign sees hackers impersonating US government agencies
expand image

The threat group, tracked as TA4903 by enterprise cyber security firm Proofpoint, has previously been seen using this attack strategy, having been active since 2019.

Proofpoint said the group’s motivations are purely financial and that it specialises in conducting BEC attacks, gaining access to email accounts or corporate networks through credential theft, and then searching through those accounts for financial details. Its targets are typically US companies with high-volume email campaigns.

Its operations have reportedly increased since mid-2023 and continually throughout this year.

============
============

TA4903 has been observed impersonating US government entities since December 2021, having impersonated the US Department of Labor. Since then, the group has impersonated the US Department of Housing and Urban Development, the US Department of Transportation, the US Department of Commerce and most recently, the US Department of Agriculture.

The group’s most recent attacks have seen it attach QR codes in PDFs attached to emails, with the PDF documents being fake organisation documents that follow the same design theme. They are reportedly identifiable, however, with a common design and the same data.

“In these campaigns, the PDF attachments are typically multiple pages long and have both embedded URLs and QR codes that lead to government-branded phishing websites,” wrote Proofpoint.

Proofpoint has noted that the author’s name on the documents is consistent, and it suggests the threat actor is based in Nigeria.

The attached QR codes lead to portals “spoofing US government entities, typically using bid proposal lures”, according to Proofpoint.

It is currently unknown whether anyone has fallen for the latest BEC campaign, but as individuals are likely to receive emails from government entities and political parties ahead of the upcoming election, the timing of the campaign makes it increasingly dangerous.

Proofpoint has previously observed TA4903 launching similar campaigns under other disguises, such as an instance first appearing in 2023 where the group impersonated a company that had suffered a cyber attack and emailed staff in the financial department requesting updated financial information.

“We take the security and privacy of our clients very seriously and have already taken appropriate measures to contain the situation and mitigate the impact,” the fake email read.

“However, in order to ensure the safety of our financial transactions, we need to update our banking information immediately.

“Could you kindly provide me with information on who is responsible for updating banking information within your organisation?”

Daniel Croft

Daniel Croft

Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.

newsletter
cyber daily subscribe
Be the first to hear the latest developments in the cyber industry.