SAM.gov Hackers Used Spear Phishing, Email Spoofing and Credential Theft

Cybercrooks who stole federal payments by hacking contractor accounts on a GSA website used sophisticated spear phishing techniques to steal login credentials and then diverted payments to bank accounts they controlled, an executive of a contractor targeted in the scam told FedScoop.

It’s unclear how much the scammers have netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement. The inspector general’s office declined to comment, but sources familiar with the investigation told FedScoop that the cyberattacks that facilitated the fraud had been identified last year and were ongoing as recently as last week.

According to the executive, the spear phishing was enabled by weak security on the website itself, GSA’s System for Award Management, or SAM.gov, which neither offered two-factor authentication nor enforced DMARC, the email authentication protocol that lets receiving mail servers reject messages whose sender domain has been spoofed. Targeting was also aided by the rich contact data the website published.

The scammers “didn’t need to do any reconnaissance or research, the usual kind of social media engineering” to find out who at each company controlled the SAM.gov account, the executive said. “SAM.gov handed them the targeting intelligence they needed for the campaign.”

The public website has a search function that enables visitors to identify the point of contact for any company with an account on the site — which contractors can use to manage the payments they receive under federal contracts.

“It’s a spear phishing guide,” said the executive, who asked not to be identified because of the sensitive nature of the case. The emails sent to the points of contact “were very high quality,” said the executive, adding that they appeared to come directly from SAM.gov and contained a message asking recipients to click on a link to a fake login page. “It was a high quality facsimile of the real page,” the executive said. When the recipient entered their username and password, the page harvested them and then redirected the user to the real SAM.gov site, submitting random credentials so that the genuine login page displayed an error.

“What you see next [after entering your information] is the real login page with the error message, so you think you’ve fat-fingered it,” explained the executive.

Having harvested the account administrator’s credentials, the hackers were able to log in and use the site’s management functions to change the bank accounts into which federal payments were deposited.

Such attacks can be prevented by at least two baseline best practices that SAM.gov lacked:

  • Two-factor authentication (2FA) — requiring the user to prove possession of a second factor, such as a hardware security token or a one-time passcode sent to their mobile phone, in addition to their password. A harvested password alone would then not have been enough to log in (a phishing page that relays a one-time code in real time can still defeat SMS or app-based codes, which is why hardware tokens bound to the site’s origin are the stronger choice). But SAM.gov didn’t offer that option for account administrators, the executive said.
  • DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the industry-standard measure against email spoofing, in which attackers make their messages appear to come from trusted correspondents. A domain owner publishes a DMARC record in DNS that tells receiving mail servers what to do with messages that claim the domain in their From: address but fail SPF and DKIM checks aligned with that domain. With an enforcing policy (p=quarantine or p=reject) in place, spoofed emails purporting to come from SAM.gov would have been marked as spam or simply discarded by receivers that honor DMARC. SAM.gov has a DMARC record, but its policy is monitoring-only: enforcement has not been switched on.
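To make the DMARC point concrete, here is an added example (written for this page, not GSA or SAM.gov code) that evaluates a message against a domain’s DMARC record the way a receiving mail server does: check whether SPF or DKIM passed for a domain aligned with the From: header, and if neither did, apply the policy the record requests. The DNS records, the domain `example.gov` and the SPF/DKIM results are all constructed for the example; a real receiver would fetch the TXT record at `_dmarc.<domain>` and use its own SPF/DKIM results.

```python
"""Added example: minimal DMARC policy evaluation (RFC 7489 semantics).

Illustrative code written for this page, not SAM.gov/GSA code. The records,
the example.gov domain and the authentication results below are constructed;
a real receiver fetches the TXT record at _dmarc.<domain> over DNS and takes
SPF/DKIM results from its own checks.
"""
from dataclasses import dataclass


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=none; ...") into a tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    # RFC 7489 defaults: relaxed alignment for both identifiers, 100% sampling.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels).
    Assumption for this example: no public-suffix list; adequate for .gov/.com."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") = exact match, relaxed = same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # RFC5322.From domain, the one the recipient sees
    spf_result: str    # "pass"/"fail"/"none" for the envelope sender (MAIL FROM)
    spf_domain: str    # domain SPF was evaluated against
    dkim_result: str   # "pass"/"fail"/"none"
    dkim_domain: str   # d= tag of the verified DKIM signature, "" if none


def dmarc_disposition(record: str, r: AuthResult) -> str:
    """Return "pass" if the message is DMARC-authenticated; otherwise the
    action the domain owner requested: "none", "quarantine" or "reject"."""
    policy = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy.get("p", "none")


# Constructed records for the same domain: monitoring-only vs. enforcing.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@example.gov"

# Constructed spoof: From: claims example.gov, but SPF only passes for the
# attacker's own sending domain and there is no DKIM signature from example.gov.
SPOOF = AuthResult(from_domain="example.gov", spf_result="pass",
                   spf_domain="mail.attacker.example", dkim_result="none", dkim_domain="")
# Constructed legitimate message, signed and sent by the domain owner.
LEGIT = AuthResult(from_domain="example.gov", spf_result="pass",
                   spf_domain="example.gov", dkim_result="pass", dkim_domain="example.gov")

if __name__ == "__main__":
    for name, rec in (("p=none  ", MONITOR_ONLY), ("p=reject", ENFORCING)):
        print(name, "spoof ->", dmarc_disposition(rec, SPOOF),
              "| legit ->", dmarc_disposition(rec, LEGIT))
```

With the monitoring-only record the spoofed message gets disposition `none`, i.e. it is delivered to the contractor’s inbox exactly as in the SAM.gov case; with `p=reject` the same message is refused while the legitimately signed one still passes. To check a live domain, fetch its record with `dig +short TXT _dmarc.<domain>` and pass the string to `parse_dmarc`. Two caveats: DMARC only protects the exact From: domain, so a lookalike domain registered by the attacker passes its own DMARC check and must be caught by other means; and enforcement is only effective when the receiving mail server actually evaluates DMARC, so the sending domain’s policy is necessary but not sufficient.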

Cyber-attacks are rapidly getting more sophisticated. GDR Group will help train your employees to better manage the urgent IT security problems of social engineering, spear-phishing and ransomware attacks. Take the first step now and email [email protected] to request a quote for security awareness training for your organization.