Lookout Phishing AI has detected a phishing campaign impersonating local government websites, including the City of San Mateo, City of Tampa, and Dallas County. While the actor behind this phishing campaign has been active for four years, they have recently evolved to target small and medium businesses (SMBs) with uncommon techniques, such as impersonating local governments.
SMBs have become an easy target for attackers, since a growing business may feel it does not have the time or resources to devote to cybersecurity. In fact, according to the 2019 Verizon DBIR, almost half of cybersecurity breaches involve small businesses. A breach of any kind can be devastating for an organization, but for many small business owners it can put them out of business.
Figure 1: A local government phishing page impersonating the City of San Mateo
The threat actor has registered more than 200 domains with the same email address since 2015, and is now averaging about seven to ten per week. More recently, the actor has created a series of fake local government websites, impersonating the likes of Dallas County, Polk County, the City of San Mateo, the City of Tampa, and the City of North Las Vegas. These phishing sites were a near-perfect mirror of the legitimate sites, but they included a “Vendor Registration Form” designed to steal PII and account credentials. The sites leveraged the authority of these local governments to entice their targets with bid solicitations, requiring victims to provide their name, phone number, address, and SSN/EIN. After entering this information, the victim is directed to a credential phishing kit, typically under the pretext of accessing a document.
Figure 2: A local government phishing page created for Polk County
Figure 3: Completed forms redirect to a Microsoft phishing site
When phishing domains get reported, they get taken down, but for the most part no one correlates the repeated use of the same registrant email account. Lookout Phishing AI, however, correlates data from the thousands of automated investigations it performs every day to build profiles of phishing campaigns. In the case of this campaign, we know that the domains have been used as command and control (C2) servers for Windows malware and as phishing websites, and that they host multiple confirmed Microsoft credential phishing kits.
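As an added illustration of the kind of correlation described above (this is not Lookout's own tooling), the following Python script clusters domain-registration records by registrant email address and flags clusters that register quickly and include local-government lookalike names. All domains, email addresses, dates and thresholds are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample registration records (placeholder domains, not real indicators).
# Fields: (domain, registrant_email, registration_date)
REGISTRATIONS = [
    ("examplecounty-vendors.invalid",      "registrant@example.invalid", date(2019, 9, 2)),
    ("cityofexample-bids.invalid",         "registrant@example.invalid", date(2019, 9, 3)),
    ("example-county-procurement.invalid", "registrant@example.invalid", date(2019, 9, 5)),
    ("docs-share-portal.invalid",          "registrant@example.invalid", date(2019, 9, 6)),
    ("familybakery.invalid",               "owner@bakery.invalid",       date(2019, 9, 4)),
]

# Tokens commonly seen in local-government and procurement site names (assumed list).
GOV_KEYWORDS = ("county", "cityof", "city-of", "procurement", "bids", "vendor")


def cluster_by_registrant(records):
    """Group registrations by (case-folded) registrant email address."""
    clusters = defaultdict(list)
    for domain, email, registered in records:
        clusters[email.lower()].append((domain, registered))
    return clusters


def weekly_rate(entries):
    """Registrations per week across the span the entries cover (minimum one day)."""
    dates = sorted(registered for _, registered in entries)
    span_days = max((dates[-1] - dates[0]).days, 1)
    return len(entries) / (span_days / 7)


def gov_lookalikes(entries):
    """Domains in a cluster whose names contain a local-government keyword."""
    return [d for d, _ in entries if any(k in d.lower() for k in GOV_KEYWORDS)]


def suspicious_registrants(records, min_domains=3, min_lookalikes=2):
    """Flag registrant emails whose clusters look campaign-like: several domains,
    registered in quick succession, with multiple local-government lookalikes."""
    findings = {}
    for email, entries in cluster_by_registrant(records).items():
        lookalikes = gov_lookalikes(entries)
        if len(entries) >= min_domains and len(lookalikes) >= min_lookalikes:
            findings[email] = {
                "domains": len(entries),
                "per_week": round(weekly_rate(entries), 1),
                "gov_lookalikes": sorted(lookalikes),
            }
    return findings
```

In practice the records would come from a registration feed or WHOIS/RDAP history rather than an inline list, and the flagged clusters would feed a blocklist or an analyst queue.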
Generally, phishing campaigns impersonate well-known brands such as Microsoft and Amazon, because their trustworthiness lends credibility to the attack. Yet impersonating a local government also lends a lot of credibility to phishing attacks, especially since the targets may be unfamiliar with the legitimate local government sites.
This phishing campaign’s evolution shows how important it is to realize that phishing attempts come in all shapes and sizes. Just as the rise of mobile phishing shows that we cannot be singularly focused on email phishing, we must also recognize the danger of localized phishing attacks on small and medium-sized businesses.