News Insights: Anomali Threat Research Team Identifies Widespread Credential Theft Campaign Aimed at U.S. and International Government Agency Procurement Services

New research has identified numerous phishing sites designed to steal credentials from victims at 22 government procurement services agencies and several private businesses. Targeted organizations in the United States included the U.S. Department of Energy, U.S. Department of Commerce, U.S. Department of Veterans Affairs, U.S. Department of Transportation, and the U.S. Department of Housing and Urban Affairs. Private enterprises targeted included DHL International and China-based SF-Express.

News Insights:

Colin Bastable, CEO of security awareness training company Lucy Security, commented:

 “State and local governments are badly exposed to the risks of ransomware and CEO/BEC (Business Email Compromise) attacks. At Lucy Security, in client meetings we consistently find that around 30 percent of spoof emails are delivered to the email inboxes of local government staff. The problem with relying on technical defenses like firewalls and DMARC alone is that the attackers only need to get lucky once. Defenses need to be 100 percent effective, 100 percent of the time. That is never going to happen. You can patch systems, but the bad guys always find new vulnerabilities. Up to 30 percent of untrained staff are highly susceptible to the attacks that do succeed. Just like technical defenses, staff can be “patched” to reduce their vulnerabilities to phishing attacks, by training them in a holistic, integrated way. Treat people and systems as parts of the whole.  A holistic approach to cybersecurity is essential – deploy technical defenses and “patch” your staff to significantly protect assets through defense in depth.”

James McQuiggan, Security Awareness Advocate, KnowBe4:

“Criminal hackers are evolving their phishing emails to make them extremely convincing to the end user and with a spear phishing email, it’s targeted for that particular user. Criminals will use typosquatting to create a similar website with a transposed character to make it easier for people to fall victim to these types of attacks when they hover over the link in the email.Organizations with a strong and robust security awareness program can provide training for employees to be aware of these types of phishing and spear phishing emails. The training can additionally educate the users to be aware of social engineering and to verify any websites before they click on the link.”