SAM.gov hackers used spearphishing, spoofing, credential theft
Cybercrooks who stole federal payments by hacking contractor accounts on a GSA website used sophisticated spearphishing techniques to steal login credentials and then diverted payments to bank accounts they controlled, an executive of a contractor targeted in the scam told FedScoop.
It’s unclear how much the scammers have netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement. The inspector general’s office declined to comment, but sources familiar with the investigation told FedScoop that the cyberattacks that facilitated the fraud had been identified last year and were ongoing as recently as last week.
According to the executive, the spearphishing was enabled by shoddy security on the website itself, GSA’s System for Award Management, or SAM.gov, which didn’t provide two-factor authentication or use an email protocol designed to protect against incoming emails with spoofed domain names in their addresses. Targeting was also aided by the rich data the website provided.
The scammers “didn’t need to do any reconnaissance or research, the usual kind of social media engineering” to find out who at each company controlled the SAM.gov account, the executive said. “SAM.gov handed them the targeting intelligence they needed for the campaign.”
The public website has a search function that enables visitors to identify the point of contact for any company with an account on the site — which contractors can use to manage the payments they receive under federal contracts.
“It’s a spearphishing guide,” said the executive, who asked not to be identified because of the sensitive nature of the case. The emails sent to the points of contact “were very high quality,” said the executive, adding that they appeared to come directly from SAM.gov and contained a message asking recipients to click on a link to a fake login page. “It was a high quality facsimile of the real page,” the executive said. When the recipient entered their username and password, the page harvested them, then redirected the user to the real site, along with random login data.
“What you see next [after entering your information] is the real login page with the error message, so you think you’ve fat-fingered it,” explained the executive.
Having harvested the credentials for the account administrator, the hackers were able to log in and use the site’s management functions to change the bank accounts into which federal payments were delivered.
Security experts say such attacks can be prevented by at least two baseline best practices that SAM.gov lacked:
● Two-factor authentication (2FA) — requiring the user to identify themselves via a secure hardware token or one-time passcode sent to their mobile phone, in addition to their password. But SAM.gov didn’t offer that option for account administrators, the executive said.
● DMARC, or Domain-based Message Authentication, Reporting and Conformance, is the industry standard measure to prevent email spoofing — when hackers make their messages appear as if they come from trusted correspondents. If DMARC had been deployed and enabled, spoofed emails purporting to come from SAM.gov would have been marked as spam or simply discarded. SAM.gov has a DMARC record, but enforcement has not been switched on.
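The distinction the article draws between “has a DMARC record” and “enforcement switched on” comes down to the `p=` tag in the domain’s `_dmarc` TXT record: `p=none` only asks receivers for reports, while `p=quarantine` or `p=reject` tells them to act on spoofed mail. The following checker is an added example written for this page, not code from GSA, FedScoop or the executive quoted; the record strings in it are constructed for illustration and are not SAM.gov’s actual DNS records.

```python
"""Classify a DMARC TXT record by whether it actually enforces.

Added example for this article, not code from GSA or FedScoop.
The sample records below are constructed; they are NOT SAM.gov's
real DNS data. A live check would fetch the TXT record at
_dmarc.<domain> and pass it to enforcement_status().
"""
from dataclasses import dataclass
from typing import Optional

# Policies that make receivers do something about spoofed mail.
ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcPolicy:
    version: str
    policy: str             # p=  : none | quarantine | reject
    subdomain_policy: str   # sp= : defaults to the value of p
    pct: int                # pct=: share of failing mail the policy is applied to
    rua: Optional[str]      # aggregate-report destination, if any


def parse_dmarc(record: str) -> DmarcPolicy:
    """Parse an RFC 7489 tag=value list separated by semicolons."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()

    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")

    policy = tags["p"].lower()
    if policy not in {"none"} | ENFORCING:
        raise ValueError(f"unknown policy: {policy!r}")

    # pct defaults to 100 and must be 0..100.
    pct = int(tags.get("pct", "100"))
    if not 0 <= pct <= 100:
        raise ValueError(f"pct out of range: {pct}")

    return DmarcPolicy(
        version="DMARC1",
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        pct=pct,
        rua=tags.get("rua"),
    )


def enforcement_status(record: str) -> str:
    """Return 'monitor-only', 'partial' or 'enforcing' for a record.

    monitor-only : p=none, receivers only send reports; spoofed mail is
                   still delivered (the situation the article describes).
    partial      : enforcing policy, but only for a fraction of mail
                   (pct<100) or not for subdomains (sp=none).
    enforcing    : quarantine/reject applied to all failing mail.
    """
    pol = parse_dmarc(record)
    if pol.policy not in ENFORCING:
        return "monitor-only"
    if pol.pct < 100 or pol.subdomain_policy not in ENFORCING:
        return "partial"
    return "enforcing"


# Constructed sample records (illustrative only, not real lookups).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov; pct=100"
PARTIAL_PCT = "v=DMARC1; p=quarantine; pct=25"
SUBDOMAIN_GAP = "v=DMARC1; p=reject; sp=none"

if __name__ == "__main__":
    for name, rec in [("monitor", MONITOR_ONLY), ("enforced", ENFORCED),
                      ("pct", PARTIAL_PCT), ("subdomain", SUBDOMAIN_GAP)]:
        print(f"{name:10s} -> {enforcement_status(rec)}")
```

A record that parses cleanly but classifies as `monitor-only` is exactly the gap described above: the domain owner receives aggregate reports about who is sending mail in its name, but a receiver that sees a spoofed message is told to do nothing with it. Moving to `p=quarantine` or `p=reject` (and checking `sp=` and `pct=` so the policy covers subdomains and all mail) is what makes the record protective.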
A GSA spokeswoman declined to address specific questions about 2FA and DMARC. “This is an active law enforcement-sensitive investigation,” she said in an emailed statement. “GSA has made public as much information as it is able on our website and will continue to update accordingly.”
The executive from the targeted company was very critical of SAM.gov’s security. “It’s ridiculous how poorly put together that site is,” he said, adding that when the company first discovered the cyberattack, he struggled to find a point of contact at GSA to report it to.
“I couldn’t convince anyone to listen to me,” he said. After his initial contact with federal investigators last year, “There was silence for months,” he said.
“Once they knew there was a problem, they had a responsibility to notify the site’s users… Everyone with an account should have been told to check whether their banking information had been changed … There are a thousand things they could have done.”
“The problem is not they had a problem, everyone has problems” concluded the executive. “The problem is the glacial speed with which they’ve responded.”