TA4903 hackers impersonate government entities in BEC attacks

The TA4903 hackers impersonate various US government entities in BEC attacks and try to convince targets to open malicious files containing links to fake tendering procedures.

Proofpoint analysts identified the malicious campaign and noticed that the hackers pose as the US Department of Transportation, the US Department of Agriculture (USDA) and the US Small Business Administration (SBA).

The TA4903 hackers have been active since at least 2019, but they began to step up their attacks from mid-2023. The latest tactic observed is the use of QR codes in PDF attachments.

The PDF files are themed around the entity the hackers are impersonating, but they are all similar. They also all share the same metadata, including an author name that indicates Nigerian origin.

Recipients who scan the QR codes are redirected to phishing websites made to look like the official portals of US government agencies.

Depending on the lure in the phishing emails, recipients may be redirected to O365 login pages, where they are asked to enter their credentials.

According to Proofpoint, the TA4903 hackers are clearly financially motivated and use the following tactics:

  • Gaining unauthorised access to corporate networks or email accounts.
  • Searching within compromised accounts for keywords related to banking information.
  • Conducting BEC attacks by sending emails from the compromised account to other employees or partners.

In the initial 2023 attacks, the TA4903 hackers warned of alleged cyber attacks to trick finance department staff into updating payment details.

These messages were delivered from compromised email accounts of the target's partner organisations, or from addresses that looked a lot like them.

The TA4903 hackers' BEC attacks pose a significant threat to organisations around the world, although most targets are located in the US.

According to Proofpoint, the TA4903 hackers register domain names that look like those of government entities and private organisations in various sectors. Recently, however, they have also been imitating small businesses.

TA4903 hackers' BEC attacks: Protection

To protect an organisation from BEC attacks, it is necessary to apply a range of strategies. First, staff training is critical. Employees need to be aware of the nature of BEC attacks and how to recognise the signs of a potential attack.

Second, implementing email security policies is another important means of protection. This can include the use of tools that check incoming emails for signs of fraud, such as identifying strange email addresses.
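As an added illustration of such a check (not code from Proofpoint or from the original article), the Python sketch below flags sender domains that merely resemble a trusted partner or agency domain. The allow list, the character-folding table, the edit-distance thresholds and the sample headers are all assumptions constructed for this example.

```python
from email.utils import parseaddr

# Constructed allow list: domains the organisation really exchanges mail with.
TRUSTED = {"usda.gov", "sba.gov", "transportation.gov", "acme-supplies.example"}
# Assumed, non-exhaustive folding of characters commonly swapped in look-alikes.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def skeleton(domain):
    """Fold confusable characters so visually similar names compare equal."""
    return domain.translate(CONFUSABLES).replace("rn", "m")

def classify_sender(from_header):
    """Return (verdict, trusted_domain_it_resembles) for a From: header."""
    address = parseaddr(from_header)[1]
    if "@" not in address:
        return ("unparseable", None)
    domain = address.rpartition("@")[2].lower().rstrip(".")
    if domain in TRUSTED:
        return ("trusted", domain)
    for good in sorted(TRUSTED):
        # Trusted name used as a subdomain prefix of an unrelated domain.
        if domain.startswith(good + "."):
            return ("lookalike", good)
        # Short names tolerate one edit, longer ones two, to limit false hits.
        budget = 1 if len(good) < 10 else 2
        if edit_distance(skeleton(domain), skeleton(good)) <= budget:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed From: headers, for illustration only.
SAMPLES = [
    "USDA Procurement <bids@usda.gov>",
    "USDA Procurement <bids@usda.gov.tender-portal.example>",
    "Accounts Payable <ap@acrne-supplies.example>",
    "DOT Bids <info@transp0rtation.gov>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    print(*((classify_sender(h), h) for h in SAMPLES), sep="\n")
```

A "lookalike" verdict is a reason to hold the message for review, not proof of fraud; messages sent from a genuinely compromised partner account will still classify as "trusted", which is why the independent confirmation of payments remains necessary.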

Third, double-checking significant transactions can be very useful. The TA4903 hackers request money transfers, but important transactions must be confirmed through independent channels, for example, email and phone.

Finally, the use of advanced IT security solutions can help protect against BEC attacks. This may include the use of software that detects and blocks BEC attacks, as well as the implementation of policies that restrict access to sensitive information.

Source : www.bleepingcomputer.com

Digital Fortress