A gang of hackers known as TA4903 has been executing business email compromise (BEC) attacks by impersonating various U.S. government entities. This group has been active since at least 2019, but their activities have intensified since mid-2023 and into 2024. One of their latest tactics involves using QR codes embedded in PDF attachments to lure victims into phishing sites designed to mimic official portals of the impersonated government agencies.
Proofpoint, an email security company, has been closely tracking TA4903’s campaigns. They have observed the threat actors impersonating entities such as the U.S. Department of Transportation, the U.S. Department of Agriculture (USDA), and the U.S. Small Business Administration (SBA). These impersonations are designed to deceive recipients into opening malicious files or clicking on links that lead to fraudulent bidding processes.
The PDF attachments used by TA4903 are customized to match the theme of the spoofed organization but maintain consistent design elements. Additionally, they all contain metadata indicating a Nigerian origin, suggesting the potential location of the threat actors. Recipients who scan the QR codes are redirected to phishing sites that closely resemble the official portals of the impersonated government agencies, where they may be prompted to enter sensitive information like their O365 credentials.
TA4903’s activities are primarily financially motivated, with tactics including gaining unauthorized access to corporate networks, searching compromised accounts for financial information, and executing BEC attacks. These attacks involve sending fraudulent payment or invoice requests from compromised email accounts to other employees or partners. The group poses a significant threat to organizations globally, particularly those in the U.S., with high-volume email campaigns aimed at various sectors. Despite initially targeting U.S. government entities, TA4903 has recently shifted to impersonating small businesses, raising concerns about the evolving nature of their tactics.
