Security researchers have uncovered a series of phishing campaigns mimicking government agencies, which are being sent to contractors and businesses.
The campaigns, which are “more convincing [and] more evasive” than ever before, continue a campaign that started back in 2019 and continued during 2021 — but now, more agencies are being spoofed.
Password managers — which facilitate the creation of a different password for each account you own without you having to remember them all — greatly minimize the damage credential phishing can do.
Phishing Campaign Impersonates US Government
Researchers at Cofense have spotted a phishing campaign in which the threat actors masquerade as the Department of Labor, the Department of Transportation, or the Department of Commerce.
The campaign largely targets firms that bid on government contracts — a group that spans a wide range of companies across several sectors of the economy — and its goal is to steal Microsoft 365 credentials.
The emails include detailed PDFs that Cofense says are shorter and more customized than previous iterations of a long-standing campaign.
Overall formatting of the documents is more consistent than observed previously, the phishing protection specialists noted, which is concerning considering inconsistencies of this kind are often one of the clearest signs an email like this isn't genuine.
Cofense says that the phishing campaign, which initially impersonated only the Department of Labor, has “evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.”
Clever tactics to fool even the most threat-savvy of employees include using HTTPS for the malicious domain users are redirected to, which ensures that a green padlock appears in the address bar.
Other techniques include asking victims to verify they're human via CAPTCHA, redirection to the legitimate government department pages after credential exfiltration, and official-looking watermarks on PDFs.
How Password Managers Minimize Credential Phishing Impact
If you’re not using software like a password manager, then there's a good chance you're reusing passwords from account to account. You wouldn’t be alone either, with plenty of people reusing their favorite passwords across business and personal accounts.
In this case, if your Microsoft 365 password was not unique, a hacker would have access to not just your Microsoft 365 account, but all other accounts you used that password with.
They’d be able to log into other employee accounts you own — perhaps to a project management software app, or your company’s CRM system — as well as any personal accounts that use the same credentials, which could lead to the theft and subsequent misuse of even more of your information.
Storing all of your passwords in one place means you only have to remember one password, the one for your password manager account, so the password for each of your other accounts can be completely unique, greatly minimizing the threat of such an attack.
Password managers protect you from a range of other cyber threats too. These include credential stuffing (using stolen credentials from one account to hack into other accounts a victim owns) and brute-forcing (running a script that bombards a login page with commonly used passwords, in the hope one is in use), both of which rely on weak or unsecured account credentials to work.
With threats getting ever-more sophisticated, equipping yourself with tech like this is the least you can do.