TA4903 – A Cybercriminal Group with a Focus on Financial Gain
Financial gain is the core motivation of cybercriminal group TA4903. This group has displayed a consistent pattern of sophisticated phishing tactics in pursuit of sensitive corporate data, often followed by damaging BEC scams.
Since December 2021, Proofpoint has observed TA4903 masquerading as various U.S. Departments, starting with the Department of Labor. Over the years, this threat actor expanded its repertoire to include the Departments of Housing and Urban Development, Transportation, and Commerce, and most recently in 2023, the Department of Agriculture. This diverse array of impersonations underscores TA4903’s adaptability and the breadth of its targeting scope.
TA4903’s campaigns have not been limited to government spoofs. In a strategic pivot, the actor began targeting small and medium-sized businesses (SMBs) across sectors such as construction, manufacturing, energy, finance, and food and beverage, among others. This shift has been marked by an uptick in business email compromise (BEC) themes, designed to deceive victims into divulging payment and banking details under the guise of urgency due to “cyberattacks.”
At the heart of TA4903’s campaigns are sophisticated phishing techniques designed to harvest corporate credentials and infiltrate mailboxes. The phishing messages often contain URLs or attachments that lead unsuspecting victims to sites that mirror the appearance of the entity being spoofed. Notably, the TA4903 cybercriminal group has employed PDF attachments with embedded links or QR codes.
Proofpoint’s investigations reveal an alarming evolution in TA4903’s tactics. The introduction of QR codes in PDFs and the expansion of themes to include confidential documents and secure message lures indicate a significant broadening of the actor’s arsenal. Moreover, TA4903 uses EvilProxy, a reverse proxy tool designed to bypass multifactor authentication.
TA4903 uses stolen data to its advantage, carefully orchestrating various BEC attacks:
- Account Monitoring: Compromised email accounts are actively monitored for keywords related to financial transactions (payments, invoices), revealing potential targets and facilitating later attack preparation.
- Invoice Manipulation: Using their compromised position, attackers subtly modify payment details in existing financial conversations. This redirects funds into accounts controlled by the threat actor.
- Data-Driven Phishing: Insights gleaned from compromised accounts allow TA4903 to craft convincingly personal, highly targeted follow-on phishing attempts, increasing their success rate.
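As an added defender-side illustration (not code from the Proofpoint report), the following Python sketch flags the invoice-manipulation pattern described above: it walks an email thread in order and alerts when a later message introduces bank details that differ from those already established earlier in the same conversation, noting whether the message also carries the “cyberattack”/urgency lure. The thread, the regexes and the `Message` type are constructed for this example.

```python
import re
from dataclasses import dataclass

@dataclass
class Message:          # minimal mail model constructed for this example
    sender: str
    subject: str
    body: str

# Loose patterns for payment details as they appear in invoice emails.
ACCOUNT_RE = re.compile(r"\b(?:account|acct|a/c)\s*(?:no\.?|number|#)?\s*[:#]?\s*(\d{8,17})\b", re.I)
ROUTING_RE = re.compile(r"\b(?:routing|aba|swift|iban)\s*(?:no\.?|number|#)?\s*[:#]?\s*([A-Z0-9]{8,34})\b", re.I)
# Terms matching the "urgency due to a cyberattack" pretext used in BEC lures.
URGENCY_RE = re.compile(r"\b(?:cyber ?attack|urgent|immediately|new bank)\b", re.I)

def extract_payment_details(body: str) -> list[tuple[str, str]]:
    """Return (kind, value) pairs for every account/routing number found."""
    found = [("account", m.group(1)) for m in ACCOUNT_RE.finditer(body)]
    found += [("routing", m.group(1).upper()) for m in ROUTING_RE.finditer(body)]
    return found

def find_payment_changes(thread: list[Message]) -> list[dict]:
    """Flag messages whose bank details differ from those first seen in the thread.

    The first value of each kind (account, routing) is treated as the baseline
    established by the genuine conversation; any later, different value is an
    alert, as in the invoice-manipulation step of a BEC operation.
    """
    established: dict[str, str] = {}
    alerts = []
    for index, msg in enumerate(thread):
        for kind, value in extract_payment_details(msg.body):
            baseline = established.setdefault(kind, value)
            if value != baseline:
                alerts.append({"index": index, "sender": msg.sender, "kind": kind,
                               "old": baseline, "new": value,
                               "urgency_lure": bool(URGENCY_RE.search(msg.body))})
    return alerts

# Constructed sample thread: a legitimate invoice, an acknowledgement, then a
# reply (sent from the compromised supplier mailbox) redirecting the payment.
SAMPLE_THREAD = [
    Message("ap@supplier.example", "Invoice 4471",
            "Please remit to account number 123456789, routing 021000021."),
    Message("buyer@customer.example", "RE: Invoice 4471", "Received, will process Friday."),
    Message("ap@supplier.example", "RE: Invoice 4471",
            "Due to a cyberattack on our bank, please use new account number 987654321, routing 021000021."),
]

if __name__ == "__main__":
    for alert in find_payment_changes(SAMPLE_THREAD):
        print(alert)
```

In practice the baseline should come from the supplier's vetted master record rather than from the thread itself, so that a compromised first message cannot seed a bad baseline.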
TA4903 demonstrates the adaptability of modern cyberattackers. Their combination of phishing and personalized BEC attacks is a potent threat to businesses of all sizes. Proactive security measures, ongoing training, and a vigilant workforce are vital defenses against this versatile threat.