Auth Lab Community

“Hackers Impersonate US Government Agencies, Engage in Online Fraud Activities”

Recent findings by security analysts at Proofpoint have uncovered a hacker group named TA4903 specializing in Business Email Compromise (BEC) attacks. This group has been impersonating various U.S. government agencies to lure victims into opening malicious files containing fake bidding process links.

According to data observed by Proofpoint, the threat actors have masqueraded as multiple U.S. agencies including the Department of Transportation, the Department of Agriculture (USDA), and the Small Business Administration (SBA).

It is believed that the hacker group TA4903 has been active on the internet since at least 2019, with an increased frequency of activities noted between mid-2023 and 2024. Security researchers have observed the latest tactic employed by TA4903, which involves embedding a QR code in PDF document attachments.

These PDF files, which exhibit a uniform style and share the same metadata (including an author name suggesting Nigerian origin), redirect victims to fake official websites mimicking U.S. government agencies once the QR code is scanned.

Recipients who follow the “bait” in these phishing emails may be led to an O365 login page where they are prompted to enter their credentials. It is worth noting that the TA4903 hacker group has previously used “EvilProxy” to bypass Multi-Factor Authentication (MFA) protection, though Proofpoint has not observed recent use of reverse proxies.

Proofpoint indicates that the attacks by the TA4903 hacker group are primarily economically motivated, employing strategies such as unauthorized access to enterprise networks or email accounts, searching for financial fraud opportunities related to banking information, payments, or vendors, and conducting BEC attacks like sending fraudulent payment or invoice requests from compromised email accounts to other employees or partners.

In mid-2023, security researchers discovered instances where threat actors attempted to deceive finance department employees into updating payment details, with the requests often sent from compromised email accounts of the target organizations or from lookalike addresses closely resembling them.
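As an added defender-side example (not part of the original article), the following Python check flags senders whose domain merely resembles a trusted one, the lookalike-address pattern described above; the trusted domain example.com, the sample inbox and the homoglyph table are constructed assumptions.

```python
"""Flag BEC-style lookalike sender domains (added example, not from the article)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Common substitutions used to make a fake domain resemble a real one (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(label: str) -> str:
    """Collapse look-alike characters so 'exarnple' and 'examp1e' both read 'example'."""
    s = label.lower()
    for fake, real in HOMOGLYPHS.items():
        s = s.replace(fake, real)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    sender: str
    reason: str


def classify_sender(sender: str, trusted_domains: Set[str]) -> Optional[Verdict]:
    """Return a Verdict when the address is untrusted but imitates a trusted domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted_domains:
        return None
    for trusted in trusted_domains:
        if normalize(domain) == normalize(trusted):
            return Verdict(sender, f"homoglyph of {trusted}")
        if edit_distance(domain, trusted) <= 2:
            return Verdict(sender, f"within edit distance 2 of {trusted}")
        base = trusted.split(".")[0]
        if base in domain:  # e.g. example-co.com embedding the trusted name
            return Verdict(sender, f"embeds trusted name {base}")
    return None


def flag_messages(messages: List[Tuple[str, str]], trusted: Set[str]) -> List[Verdict]:
    """Run classify_sender over (sender, subject) pairs and keep the hits."""
    return [v for s, _ in messages if (v := classify_sender(s, trusted))]


# Constructed sample inbox for a hypothetical finance team at example.com.
SAMPLE = [
    ("cfo@example.com", "Q3 numbers"),
    ("cfo@exarnple.com", "Updated wire instructions"),
    ("ap@example-co.com", "Vendor bank details change"),
    ("news@vendor.net", "Newsletter"),
]
```

Such a check belongs in the mail gateway or a SIEM rule, paired with payment-change verification over a second channel; it does not replace that process.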

Since their emergence, the TA4903 hacker group has targeted various U.S. organizations with a significant volume of email attacks, posing a serious threat to the security of their networks. Recently, researchers have observed a shift in TA4903’s focus from impersonating U.S. government entities to mimicking small businesses, although it remains unclear whether this transition is temporary or long-term.

Reference Article: https://www.bleepingcomputer.com/news/security/hackers-impersonate-us-government-agencies-in-bec-attacks/