BEC campaign sees hackers impersonating US government agencies

Hackers have been observed impersonating US government agencies as part of a business email compromise (BEC) campaign aiming to trick victims into clicking links to malicious files and handing over credentials.

Daniel Croft
Thu, 07 Mar 2024

The threat group, tracked as TA4903 by enterprise cyber security firm Proofpoint, has previously been seen using this attack strategy, having been active since 2019.

Proofpoint said the group’s motivations are purely financial and that it specialises in conducting BEC attacks, gaining access to email accounts or corporate networks through credential theft, and then searching through those accounts for financial details. Its targets are typically US companies with high-volume email campaigns.

Its operations have reportedly increased since mid-2023 and have continued to increase throughout this year.

TA4903 has been observed impersonating US government entities since December 2021, having first impersonated the US Department of Labor. Since then, the group has impersonated the US Department of Housing and Urban Development, the US Department of Transportation, the US Department of Commerce and, most recently, the US Department of Agriculture.

In its most recent attacks, the group has embedded QR codes in PDFs attached to emails. The PDFs are fake organisation documents that follow the same design theme. They are reportedly identifiable, however, because they share a common design and the same data.

“In these campaigns, the PDF attachments are typically multiple pages long and have both embedded URLs and QR codes that lead to government-branded phishing websites,” wrote Proofpoint.

Proofpoint has noted that the author’s name on the documents is consistent, and it suggests the threat actor is based in Nigeria.

The attached QR codes lead to portals “spoofing US government entities, typically using bid proposal lures”, according to Proofpoint.

It is currently unknown whether anyone has fallen for the latest BEC campaign, but because individuals are likely to receive emails from government entities and political parties ahead of the upcoming election, the timing of the campaign makes it more dangerous.

Proofpoint has previously observed TA4903 launching similar campaigns under other disguises. In one instance, first seen in 2023, the group impersonated a company that had suffered a cyber attack and emailed staff in the financial department requesting updated financial information.

“We take the security and privacy of our clients very seriously and have already taken appropriate measures to contain the situation and mitigate the impact,” the fake email read.

“However, in order to ensure the safety of our financial transactions, we need to update our banking information immediately.

“Could you kindly provide me with information on who is responsible for updating banking information within your organisation?”


Born in the heart of Western Sydney, Daniel Croft is a passionate journalist with an understanding for and experience writing in the technology space. Having studied at Macquarie University, he joined Momentum Media in 2022, writing across a number of publications including Australian Aviation, Cyber Security Connect and Defence Connect. Outside of writing, Daniel has a keen interest in music, and spends his time playing in bands around Sydney.
