Officials targeted in new phishing bid via govt IDs
A new phishing email sent from compromised government accounts targeted groups of officials this week, attempting to lure them into entering their passwords on a page that mirrored the sign-on page of the government’s official mail server. A successful attack could give the attackers access to sensitive credentials and files.
The attack, which took place on Monday, prompted the government’s IT departments to send out an alert the following day to large groups of officials, according to emails seen by HT. The incident is the latest in a series of such cyber attacks that leverage compromised @gov.in or @nic.in email addresses issued by the National Informatics Centre (NIC). Messages sent from such addresses may be more successful in luring targets into sharing sensitive information.
“There has been another phishing attempt using the same MO [modus operandi] but this time it also provided the link to a fake email log-in page. Many officials fell for it as it mirrored the same log-in page and clicked on the link in the phishing email and tried logging in to their government email accounts. The link to that page is still live. Several ministries and departments were alerted about the phishing attack on Tuesday,” an official said, asking not to be named.
An alert issued by one of the government’s IT departments said that the phishing attack “...entices email users to authorize email ID for kavach by clicking on a web-link... When email user clicks on the web-link to verify his/her email ID, a login page similar to www.email.gov.in opens. This is to inform that the login page is malicious/phishing in nature”.
Altogether, HT is aware of five NIC domain addresses – four with @gov.in suffixes and the fifth an @nic.in one – that have been used to launch cyber attacks. HT is not disclosing these addresses to protect any investigations that may be under way.
“It is being observed that you did not AUTH your account til deadline of KAVACH, its intimated to you that please AUTH your account now otherwise your account will be locked permanently,” the latest phishing mail said.
In response to queries from HT on these attacks, an NIC official said: “In phishing attacks End User awareness is a very critical component and NIC is focusing on this through routine advisories and workshops. In addition to this, based on the evolving threat landscape, security posture of the Government email setup and networks are continuously reviewed and steps are taken to mitigate emerging cyber-attacks.”
On February 19, the NIC had said that phishing attempts are among the common email-based threat vectors used to target users of any email service, and that such attacks are intended to harvest user details/credentials.
According to cybersecurity experts, the address mentioned in the latest phishing email is a redirection page. “The attack is phishing with the intent of credential harvesting. Once these credentials are stolen, more such attacks will continue from these stolen identities. There is no malware in the link but redirection, which is bad and not transparent,” said a security researcher at Sequretek, a cybersecurity firm. This person requested not to be identified.
The Indian Computer Emergency Response Team (CERT-In), which investigates incidents of cyber breaches, did not respond to requests for comment.
On February 21, HT also reported that the devices of multiple former defence personnel may have been compromised in a phishing attack launched in a similar way, using government domain email addresses.