Cybercriminals Spoof US Government Organizations in BEC, Phishing Attacks

March 7, 2024 at 09:34AM

Since 2021, US organizations have faced phishing and BEC attacks from the threat actor TA4903. The attacks spoof government entities and private businesses and aim to obtain corporate credentials for BEC activities. The threat actor registers new domains spoofing organizations in various sectors. TA4903 has spoofed government departments and SMBs, used diverse phishing tactics, and adopted new lure themes. Its BEC attacks involved accessing leaked credentials to perform fraudulent activities.

Key takeaways:

– Organizations in the US have been targeted by phishing and business email compromise (BEC) campaigns from a threat actor tracked as TA4903.
– The attacks have focused on harvesting corporate credentials for activities such as invoice fraud and payroll redirect.
– TA4903 frequently registers new domains spoofing government entities and private organizations in various sectors.
– The threat actor has masqueraded as different departments, such as the US Department of Labor; the Departments of Housing and Urban Development, Commerce, Transportation, and Agriculture; and the Small Business Administration.
– TA4903 started spoofing small and medium-sized businesses and increased the tempo of its BEC attacks in mid-2023.
– The threat actor historically used PDF attachments with bid proposal lures, and in late 2023, started using QR codes.
– TA4903 has diversified lure themes, using HTML attachments, zipped HTML attachments, and freemail addresses to deliver phishing messages.
– Starting mid-2023, TA4903 has been using lure themes referring to ‘cyberattack’ and ‘payment’ in its BEC attacks, and relying on domains likely spoofing the suppliers of victim organizations.
– Proofpoint observed TA4903 using purposely leaked credentials to access a dummy email account and search it for keywords related to conducting BEC activities.

These takeaways highlight the evolving tactics and targets of the threat actor TA4903 in conducting phishing and BEC attacks on US organizations.
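The delivery traits listed above (a government department name on a non-.gov sender, HTML or zipped HTML attachments, 'cyberattack' and 'payment' lure themes) can be checked mechanically during mail triage. The following is an added example, not code from the article or from Proofpoint; the watch lists, tag names, and sample messages are constructed assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumed watch lists built from the article's bullets; extend for your mail flow.
GOV_NAMES = ("department of labor", "housing and urban development",
             "department of commerce", "department of transportation",
             "department of agriculture", "small business administration")
LURE_WORDS = ("cyberattack", "payment")

def zip_has_html(data):
    """True if a ZIP attachment contains an .html/.htm member."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith((".html", ".htm")) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw):
    """Return the lure traits (hypothetical tag names) found in one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"] or ""))
    domain = addr.rpartition("@")[2].lower()
    hits = []
    # Display name claims a US department but the sender domain is not under .gov.
    if any(n in display.lower() for n in GOV_NAMES) and not domain.endswith(".gov"):
        hits.append("gov-display-name-non-gov-domain")
    if any(w in str(msg["Subject"] or "").lower() for w in LURE_WORDS):
        hits.append("lure-keyword-in-subject")  # weak signal on its own
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".html", ".htm")) or part.get_content_type() == "text/html":
            hits.append("html-attachment")
        elif name.endswith(".zip") and zip_has_html(part.get_payload(decode=True) or b""):
            hits.append("zipped-html-attachment")
    return hits

def sample_message(sender, subject, zipped_html=False):
    """Build a constructed test message; every value here is made up."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "ap@victim.example", subject
    m.set_content("Please review the attached document.")
    if zipped_html:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("proposal.html", "<html>constructed</html>")
        m.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="proposal.zip")
    return m.as_bytes()
```

The tags are triage hints to combine with sender authentication results and domain age, not verdicts; a subject keyword alone matches plenty of legitimate mail.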
