<h2>Overview</h2><p>In late May 2019, Anomali researchers discovered a phishing campaign impersonating three Latin American government’s electronic procurement (e-Procurement) systems. The campaign uses convincing looking phishing pages where individuals and companies are invited to bid on public projects with the governments of Mexico, Peru, or Uruguay. The actors or group behind these phishing attacks setup multiple fraudulent online portals to steal account credentials from unsuspecting users, which can be sold for profit on underground markets or as an initial entry point for obtaining sensitive and privileged information from the victim and their organization.</p><p>Prior to release of this blog post, Anomali has reached out to the appropriate government entities to inform them of the phishing campaign to minimize the threat posed to businesses seeking contract opportunities with the respective governments. We also submitted the phishing sites to <a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google Safe Browsing</a> and <a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft Defender Security Intelligence</a> as an additional security measure to block the fraudulent websites.</p><h2>Introduction</h2><p>On May 28, 2019, Anomali researchers identified a phishing campaign masquerading as three Latin American government e-procurement websites from Mexico, Peru, and Uruguay. The table below depicts the impersonated government agencies and e-procurement system names:</p><table class="table table-bordered table-striped"><thead><tr><th scope="col">Targeted Agency Name</th><th scope="col">e-Procurement System Name</th><th scope="col">Country</th></tr></thead><tbody><tr><td>Secretaría de la Función Pública <em>(English Translation: Secretariat of the Civil Service)</em></td><td>CompraNet</td><td>Mexico</td></tr><tr><td>Gobierno del Perú <em>(English Translation: Government of Peru)</em></td><td>Plataforma Digital Única del Estado Peruano <em>(English Translation: Unique Digital Platform of the Peruvian State)</em></td><td>Peru</td></tr><tr><td>Agencia de Compras y Contrataciones del Estado (ACCE) <em>(English Translation: State Purchasing and Contracting Agency)</em></td><td>Compras Electrónicas <em>(English Translation: Electronic Purchases)</em></td><td>Uruguay</td></tr></tbody></table><p>The campaign consisted of 16 unique web pages designed to mimic legitimate electronic procurement systems used by the abovementioned governments to solicit bids from the public. Of note, three of the eight Peru-themed phishing pages that were hosted on compras[.]gob[.]pe[.]corpenta[.]com was prominently displayed on the <a href="https://www.perucompras.gob.pe/" target="_blank">Peru Compras</a>, a Government of Peru agency, homepage warning the public of the fraudulent pages. All of the servers hosting the phishing pages were poorly configured and left exposed allowing any site visitor to view the directory’s contents. These directories had a similar structure and contained files such as images, HTML pages, and CSS files of the targeted website.</p><p>Figure 0 depicts an example of the components used to construct the phishing pages mimicking CompraNet, the electronic government public information system on public procurement by the Government of Mexico.</p><p style="text-align: center;"><img alt="Example of an open directory listing CompraNet (Mexico) related phishing components" src="https://cdn.filestackcontent.com/F6yayPiNSk6F8sNpfxoW"/><br/> <em>Figure 0. Example of an open directory listing CompraNet (Mexico) related phishing components</em></p><h2>Details on the e-Procurement Phishing Pages</h2><p>Each of the e-Procurement-themed phishing pages are written in the Spanish language and dialect of the targeted governments country of origin, a likely attempt to increase the authenticity of the fraudulent site. Located at the top left of the main page is a message box with the following information:</p><ul><li>The visitors’ company was selected to present an offer on unspecified public projects</li><li>Requests site visitors to click on the “Entrar” or enter button in the middle of the page to communicate with the government agency via a private portal</li><li>All questions concerning the preparation of an appointment to be sent via email by close of business on June 28, 2019 - specific to Peru and Uruguay - or June 30, 2019 - specific to Mexico</li></ul><p style="text-align: center;"><img alt="Phishing page impersonating Government of Mexico’s CompraNet" src="https://cdn.filestackcontent.com/LaEYxY9DT8SVDpGXP09r"/><br/> <em>Figure 1. Phishing page impersonating Government of Mexico’s CompraNet</em></p><p style="text-align: center;"><em><img alt="Phishing page impersonating Government of Uruguay’s Compras Electrónicas " src="https://cdn.filestackcontent.com/TkrYdijqTdyuqlmcgjrA"/><br/> Figure 2. Phishing page impersonating Government of Uruguay’s Compras Electrónicas</em></p><p style="text-align: center;"><em><img alt="Phishing page impersonating Government of Peru’s Compras Electrónicas" src="https://cdn.filestackcontent.com/ZWDBFohTuqPDiJ6qjFXQ"/><br/> Figure 3. Phishing page impersonating Government of Peru’s Compras Electrónicas</em></p><p>When the user clicks on the Entrar button, a pop-up window appears prompting to login using their email address and password to access the online portal. Figure 4 depicts the login page with the faux CompraNet homepage in the background.</p><p style="text-align: center;"><img alt="Faux login page for Government of Mexico’s CompraNet" src="https://cdn.filestackcontent.com/qtbqLVkKSLKJcLiR6XpW"/><br/> <em>Figure 4. Faux login page for Government of Mexico’s CompraNet</em></p><p>Presumably, once the victim discloses their login credentials, a web page that displays a thank you message and informs them to expect via email the invitation to bid documentation for an undisclosed project with one of three bidding IDs:</p><ul><li>MX-0846-19-RFQ for Government of Mexico request for quotation</li><li>PE-0846-19-RFQ for Government of Peru request for quotation</li><li>UY-0846-19-RFQ for Government of Uruguay request for quotation</li></ul><p style="text-align: center;"><img alt="Faux e-procurement system ID impersonating CompraNet (Mexico)" src="https://cdn.filestackcontent.com/WuuLxaJSaCHcPXtMtHix"/><br/> <em>Figure 5. Faux e-procurement system ID impersonating CompraNet (Mexico)</em></p><p style="text-align: center;"><em><img alt="Faux e-procurement system ID impersonating Compras Electrónicas (Peru)" src="https://cdn.filestackcontent.com/EkagbNuKQ4qeSMczvT7H"/><br/> Figure 6. Faux e-procurement system ID impersonating Compras Electrónicas (Peru)</em></p><p style="text-align: center;"><em><img alt="Faux e-procurement system ID impersonating Compras Electrónicas (Uruguay)" src="https://cdn.filestackcontent.com/axHoB7xWQlpUwJtF8gRV"/><br/> Figure 7. Faux e-procurement system ID impersonating Compras Electrónicas (Uruguay)</em></p><h2>Phishing Infrastructure</h2><p>In this campaign, the threat actors leveraged six unique domains that resolved to three distinct IP addresses to host 16 different web pages impersonating the governments of Mexico, Peru, and Uruguay. A technical analysis of the threat infrastructure uncovered at least three suspicious email addresses used by the malicious actors when configuring their Domain Name System (DNS) settings for the phishing campaign.</p><h3>Domain 1</h3><p>On June 3, 2019, an individual named Eilmar Yefim Vilchez Herrera using email address evilchezh{at}gmail[.]com registered the domain corpenta[.]com[.]pe with Registrar Nic.pe. According to open source research, this domain is associated with a Lima, Peru-based company named Corpenta Seguridad Electrónica. When conducting a Google search on this domain, a security warning from Norton Safe Web browser plugin alerts users of a phishing threat originating from a subdomain hosting a fraudulent page impersonating the Government of Uruguay located at <hxxp: compras[.]gub[.]uy[.]corpenta[.]com[.]pe="" seguro="" verificar.html="">. This could likely be a sign that the threat actor’s compromised the website to host phishing pages targeting the Central De Compras Publicas (Peru Compras) and the Agencia de Compras y Contrataciones del Estado (Uruguay). At the time of this report, the domain resolves to IP address 173.212.248[.]4 (AS51167 - Contabo GmbH), located in Germany, which is a server used by a total of 44 domains. Several of these sites were observed hosting Microsoft Office365-themed phishing pages as recent as May 30, 2019.</hxxp:></p><p style="text-align: center;"><em><img alt="Norton Safe Web security warning" src="https://cdn.filestackcontent.com/nxUD7CiJREiSNsCumVrO"/><br/> Figure 8. Norton Safe Web security warning</em></p><h3>Domains 2, 3, 4, 5</h3><p>From May 27, 2019 to May 30, 2019, the domains i1-i[.]icu, i2-i[.]icu, i3-4[.]online, and i3-5[.]online were registered with Registrar NameCheap using privacy protection measures. These four domains were hosted by Russia-based IP address 37.0.123[.]217 (AS198310 - Pallada Web Service LLC). A passive DNS lookup on this IP address uncovered 379 suspicious looking domains and subdomains most likely used in phishing campaigns targeting public and private sector organizations such as U.S. Departments of Housing and Urban Development (HUD) and Transportation (DOT), YouTube, and Adobe. A check of these domain’s Start of Authority (SOA) records identified they shared the same email address elsyresh.official{at}gmail[.]com. A reverse Whois lookup on this email address uncovered a total of 10 domains created by a registrant named Elsy Resh from October 24, 2018 to February 28, 2019 using Registrar NameCheap. Based on the domain’s naming structure, they were almost certainly employed by the threat actor to primarily target local, state, and federal government agencies from the United States.</p><h3>Domain 6</h3><p>The domain umernasim[.]com was registered on December 9, 2017 with GoDaddy to an unspecified individual based in Sindh, Pakistan, according to Whois records.According to social networking sites Facebook, Twitter, and LinkedIn, this domain is associated with Muhammad Umer Nasim, the co-founder of Travelezco Holidays. It is highly probable that the threat actor compromised this website to host phishing pages impersonating CompraNet (Mexico), Central De Compras Publicas - Peru Compras, and Agencia de Compras y Contrataciones del Estado (Uruguay).</p><p>The domain is hosted on IP address 134.119.176[.]46 (AS29066 - velia.net Internetdienste GmbH), located in France, which is the host for 283 total domains. A check of the domain’s SOA record uncovered the email address rajaariz{at}gmail[.]com, which is likely specific to the individual related to the phishing campaign.</p><h2>Conclusion</h2><p>This latest phishing campaign is representative of an increasing trend we have observed since mid-2018 targeting businesses worldwide seeking contracting opportunities with local, state, and federal governments. Oftentimes, these types of government contracts are sought after by small and medium-sized businesses (SMBs) that lack the resources to adequately defend themselves from targeted or opportunistic attacks. We recommend that businesses exercise caution when in receipt of unsolicited correspondence especially when it claims to be from government agencies inviting your company to bid on public projects and educate their staff on spotting and dealing with phishing attacks.</p><h2>References</h2><ul><li>Agencia de Compras y Contrataciones del Estado - https://www.comprasestatales.gub.uy/consultas/</li><li>CompraNet - https://compranet.funcionpublica.gob.mx/web/login.html</li><li>Facebook - https://www.facebook.com/UmerNasimLive/</li><li>Facebook - https://www.facebook.com/TravelezcoHolidays/</li><li>Facebook - https://www.facebook.com/corpenta/</li><li>LinkedIn - https://pe.linkedin.com/in/eilmar-vilchez-security</li><li>LinkedIn - https://pk.linkedin.com/in/mumernasim</li><li>Peru Compras - https://www.perucompras.gob.pe/</li><li>Twitter - https://twitter.com/corpenta</li></ul><h2>Appendix A - Observables</h2><p>The below indicators of compromise (IOCs) can be used to identify phishing activity associated with this latest campaign targeting individuals and businesses attempting to submit online bids with the governments of Mexico, Peru, and Uruguay.</p><h3>Phishing IP Addresses</h3><table class="table table-bordered table-striped"><thead><tr><th scope="col">Phishing IP Address</th><th scope="col">Targeted Agency</th></tr></thead><tbody><tr><td>37[.]0[.]123[.]217</td><td>CompraNet (Mexico)<br/> Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr><tr><td>134[.]119[.]176[.]46</td><td>CompraNet (Mexico)<br/> Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr><tr><td>173[.]212[.]248[.]4</td><td>Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr></tbody></table><h3>Phishing Domains</h3><table class="table table-bordered table-striped"><thead><tr><th scope="col">Phishing Domain</th><th scope="col">Targeted Agency</th></tr></thead><tbody><tr><td>corpenta[.]com[.]pe</td><td>Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr><tr><td>i1-i[.]icu</td><td>CompraNet (Mexico)<br/> Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr><tr><td>i2-i[.]icu</td><td>CompraNet (Mexico)<br/> Central De Compras Publicas - Peru Compras</td></tr><tr><td>i3-4[.]online</td><td>CompraNet (Mexico)<br/> Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr><tr><td>i3-5[.]online</td><td>CompraNet (Mexico)</td></tr><tr><td>umernasim[.]com</td><td>CompraNet (Mexico)<br/> Central De Compras Publicas - Peru Compras<br/> Agencia de Compras y Contrataciones del Estado (Uruguay)</td></tr></tbody></table><h3>Phishing URLs</h3><table class="table table-bordered table-striped"><thead><tr><th scope="col">Phishing Page</th><th scope="col">Description</th></tr></thead><tbody><tr><td>hxxp://compranet[.]funcionpublica[.]gob[.]mx[.]seguro[.]umernasim[.]com</td><td>Phishing page impersonating the Government of Mexico CompraNet e-procurement site</td></tr><tr><td>hxxp://www[.]compranet[.]funcionpublica[.]gob[.]mx[.]seguro[.]umernasim[.]com</td><td>Phishing page impersonating the Government of Mexico's CompraNet e-procurement site</td></tr><tr><td>hxxp://www[.]compranet[.]funcionpublica[.]gob[.]mx[.]i2-i[.]icu/</td><td>Open directory most likely used in a phishing campaign impersonating the Government of Mexico's CompraNet e-procurement site</td></tr><tr><td>hxxps://compranet[.]funcionpublica[.]gob[.]mx[.]i3-5[.]online/seguro/iniciarsesion.html</td><td>Phishing page impersonating the Government of Mexico's CompraNet e-procurement site</td></tr><tr><td>hxxp://compras[.]gob[.]pe[.]corpenta[.]com[.]pe/</td><td>Open directory hosting a Government of Peru's Compras Electrónicas e-procurement phishing page</td></tr><tr><td>hxxp://www[.]compras[.]gob[.]pe[.]corpenta[.]com[.]pe/</td><td>Phishing page impersonating the Central De Compras Publicas - Peru Compras e-procurement site</td></tr><tr><td>hxxp://compras[.]gob[.]pe[.]i2-i[.]icu/</td><td>Open directory most likely used in a phishing campaign impersonating Central De Compras Publicas - Peru Compras e-procurement site</td></tr><tr><td>hxxp://www[.]compras[.]gob[.]pe[.]i2-i[.]icu/</td><td>Open directory most likely used in a phishing campaign impersonating Central De Compras Publicas - Peru Compras e-procurement site</td></tr><tr><td>hxxp://compras[.]gob[.]pe[.]seguro[.]iniciar[.]umernasim[.]com</td><td>Phishing page impersonating the Central De Compras Publicas - Peru Compras e-procurement site</td></tr><tr><td>hxxp://www[.]compras[.]gob[.]pe[.]seguro[.]iniciar[.]umernasim[.]com</td><td>Phishing page impersonating the Central De Compras Publicas - Peru Compras e-procurement site</td></tr><tr><td>hxxps://compras[.]gob[.]pe[.]corpenta[.]com[.]pe/seguro/iniciarsesion.html</td><td>Phishing page impersonating the Central De Compras Publicas - Peru Compras e-procurement site</td></tr><tr><td>hxxps://www[.]compras[.]gob[.]pe[.]i1-i[.]icu</td><td>Open directory most likely used in a phishing campaign impersonating the Central De Compras Publicas (Peru) Compras e-procurement site</td></tr><tr><td>hxxp://compras[.]gub[.]uy[.]seguro[.]iniciar[.]umernasim[.]com</td><td>Phishing page impersonating the Agencia de Compras y Contrataciones del Estado (Uruguay) e-procurement site</td></tr><tr><td>hxxp://i1-i[.]icu/compras[.]gub[.]uy/seguro/iniciarsesion.html</td><td>Phishing page impersonating the Agencia de Compras y Contrataciones del Estado (Uruguay) e-procurement site</td></tr><tr><td>hxxps://compras[.]gub[.]uy[.]corpenta[.]com[.]pe/seguro/iniciarsesion.html</td><td>Phishing page impersonating the Agencia de Compras y Contrataciones del Estado (Uruguay) e-procurement site</td></tr><tr><td>hxxp://www[.]compras[.]gub[.]uy[.]corpenta[.]com[.]pe/</td><td>Phishing page impersonating the Agencia de Compras y Contrataciones del Estado (Uruguay) e-procurement site</td></tr></tbody></table><h3>SSL/TLS Certificate Serial Numbers</h3><ul><li>0x817821432022E2AA2C6BCFC3D5AF3FD2</li><li>17188398438505402504623673040446410024</li><li>30419363694306952632521027030109419465</li><li>161868278914798070656287729984901928697</li><li>31851535104979279631185987936163357406</li><li>0xFBB76F806C1954BDD49AF246C2A70C35</li><li>0xC12B0E24711EC65262B504EFFD8B23DC</li><li>18857921343698645860117823470634184564</li><li>13696788086272038093483090326891513040</li><li>0x8EF723E1FC523A135FCE1E96320871E6</li><li>0xF270B2D7A4B7BF51641091DABA7AECE1</li><li>0x04320D303756969A7FE72B0F10242E0D2A76</li><li>0xD71F2C03572C5AF5643C6274D65C007C</li></ul>