The Department of Education was subject to a phishing campaign that targeted the agency’s G5 portal, which handles its grant management system.
BforeAI, a company that provides predictive attack intelligence and digital risk protection, identified the campaign on July 15, according to a report the company released. The firm found “multiple lookalike domains” attempting to spoof the G5 login page in order to harvest login credentials.
Abu Qureshi, lead researcher at BforeAI, told IT Brew that the company had been tracking the bad actor targeting insurance and HR agencies in the US, and pivoted to the Department of Education (ED) as the group began working to take the campaign down. Qureshi said the phishing attempt is “very timely” given the recent layoffs at the agency.
“It’s not uncommon for actors to try and exploit these reductions in force in big companies or layoffs in [the] public sector as well, especially because the view from the attacker perspective is that public sector is not very well staffed internally to begin with for cybersecurity,” Qureshi said.
Qureshi said that currently, the victim tally is unknown and is not something they are tracking, but “the infrastructure is still live and it was live for some time…there’s a chance that there have been victims.”
These could be the same actors that BforeAI found were sending fraudulent texts to users accused of having unpaid toll fees, according to Qureshi. These actors were found to “be almost operated exclusively out of China.”
“We haven’t been able to connect the dots yet, but it’s possible,” Qureshi said. “The amount of time this has been live leads me to believe that it likely is one of those geographies that don’t cooperate with the US or even companies based in the West.”
He continued: “This is a common problem we face on the…internet mitigation, abuse mitigation side, which is dealing with unfriendly nations and dealing with operators within those unfriendly nations. Because sometimes it has to get to the level where the US government gets involved and outreach to that government—and then they kick in the door, quite literally at some point, because they will not take this down.”
The department did not respond to BforeAI’s report that the company sent through its Office of Inspector General, according to Qureshi.
ED has now posted a message on the G5 portal stating that the phishing campaign “intended to steal login credentials to access grant award data and change payment instructions.” The agency advised users to type G5’s URL directly into the browser instead of clicking links in any email.
The Cybersecurity and Infrastructure Security Agency did not respond to a request for comment in time for publication.