June 12, 2019

Government Impersonator Targeting Small Businesses

How Lookout Detects and Protects Against Phishing Threats

When phishing domains get reported, they get taken down—however, no other phishing detection tools are correlating repeated characteristics of a malicious actor. However, Lookout Phishing AI is able to correlate data with thousands of automated investigations that are performed every day to build profiles of phishing campaigns. In the case of this campaign, we know that the domains have been used as command and control (CC) servers for Windows malware, phishing web sites and contain multiple confirmed Microsoft credential phishing kits.

Key Facts

  • Targets smaller businesses by impersonating local government websites
  • The same actor has registered over 200 domains with the same email address since 2015
  • Tricks victim into entering PII on sites such as false vendor registration pages

Background and Discovery Timeline

Lookout Phishing AI detected a phishing campaign impersonating local government websites, including the City of San Mateo, City of Tampa, and Dallas County. While the actor behind this phishing campaign has been active for four years, they have recently evolved to target small and medium businesses (SMBs) with uncommon techniques, such as impersonating local governments.

SMBs have become an easy target for attackers since a growing business may feel they do not have the time or resources to devote to cybersecurity. In fact, according to the 2019 Verizon DBIR, almost half of cybersecurity breaches involve small businesses. A breach of any kind can be devastating for an organization, but for many small business owners, it can put them out of business.

Capabilities and Affected Parties

The threat actor has registered more than 200 domains with the same email address since 2015 and is now averaging about seven to ten per week. And recently, the actor has created a series of fake local government websites, impersonating the likes of Dallas County, Polk County, the City of San Mateo, the City of Tampa, and the City of North Las Vegas. These phishing sites were a near-perfect mirror of the legitimate sites, but the phishing sites included a “Vendor Registration Form” designed to steal PII and account credentials. The sites leveraged the authority of these local governments to entice their targets with bid solicitations, requiring its victims to provide their name, phone number, address, and SSN/EIN. After entering this information, the victim is directed to a credential phishing kit. This is typically done with a pretext to access a document.



Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world -- 40 million apps and counting -- the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as its preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Threat Type
Entry Type
Threat Guidances
Platform(s) Affected
Threat Guidances

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.