Phishing Email Campaign Impersonates Government Pandemic Relief Agencies

A newly found phishing email campaign is impersonating U.S. government agencies that offer federal assistance for COVID-19 financial relief. The primary purpose of these attacks is to harvest personal information or passwords from victims, which could lead to identity theft and account takeover attempts.

One of the messages was found by Inky, an email protection company, which reports that cybercriminals are luring victims with a false governmental program that offers up to $5,800 in cash payments. The link to the program appeared suspicious and led to a “hijacked domain that impersonates the U.S. federal government,” according to Inky. A form on the malicious site requires the victim’s date of birth and full name before granting access to another form that asks for additional information, including the victim’s social security number, driver’s license number, full address, phone number, and email address. If the victim fills out the form, they are left with a message that promises to contact them “as soon as possible.”

Another phishing email claims to be from the Pandemic Unemployment Assistance (PUA) program, which is managed by each state. The first suspicious indicator is that the email claims to be from the federal government instead of the individual state agency. Just like the first email, the initial link leads to a compromised domain. This email requests a victim’s username and password before it redirects the user to the legitimate relief program website.

Analyst Notes

Both of these emails, and many others like them, are tailored to the worries of the general public. When an email claims to come from a governmental agency, one way to check its authenticity is to look at the sender’s email address: if it does not contain a .gov extension, the message should immediately be treated with suspicion. Some phishing emails actually spoof the sender’s address and appear to be from a real .gov email address, and the only way to see that such a message was not sent from a government email system is to carefully examine the email headers, which is beyond the scope of what most people have the time or ability to do. If a person does want to check on the program that is being offered, they should search for the program in a web browser and go to the governmental site directly, not through a link contained in an email. The same can be said for emails that claim to be from businesses. Try not to use the link from any email, but instead go directly to the company’s website.
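The header examination described above can be automated by a mail team. The following Python sketch is an added example, not code from the source article or from Inky; the message, the domains, and the `mx.example.org` server name are constructed placeholders, and it assumes the receiving mail server stamps an Authentication-Results header on inbound mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From line shows a .gov address (placeholder domain),
# but the receiving server recorded a DMARC failure for it.
SPOOFED = """\
Return-Path: <bounce@mailer.example.net>
Authentication-Results: mx.example.org;
 spf=pass smtp.mailfrom=mailer.example.net;
 dkim=none; dmarc=fail header.from=agency.example.gov
From: "Relief Program" <benefits@agency.example.gov>
To: user@example.org
Subject: Your payment is ready

(body omitted)
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def trusted_results(msg, trusted_authserv):
    """spf/dkim/dmarc verdicts from the header stamped by our own mail server.
    Authentication-Results lines from any other server may be sender-supplied."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() == trusted_authserv.lower():
            pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I)
            return {method.lower(): verdict.lower() for method, verdict in pairs}
    return {}

def assess(raw_message, trusted_authserv):
    """Return a list of reasons to distrust a message claiming a .gov sender."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg.get("From"))
    env_dom = domain_of(msg.get("Return-Path"))
    dmarc = trusted_results(msg, trusted_authserv).get("dmarc", "missing")
    findings = []
    if not from_dom.endswith(".gov"):
        findings.append("From domain is not .gov")
    if dmarc != "pass":
        findings.append(f"DMARC verdict is {dmarc}")
    # Weak signal on its own: legitimate bulk senders also use other envelope domains.
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} differs from From domain")
    return findings

if __name__ == "__main__":
    for finding in assess(SPOOFED, "mx.example.org"):
        print(finding)
```

The visible From address passes the .gov check here, so only the DMARC verdict and the envelope mismatch reveal the spoof.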

Source Article: