
SAM.gov Hackers Used Spearphishing, Spoofing, Credential Theft

Cybercrooks who stole federal payments by hacking contractor accounts on the GSA’s System for Award Management website used spearphishing techniques to steal login credentials, then diverted payments to bank accounts they controlled.

It’s unclear how much the scammers netted through their scheme, which is being investigated by the GSA inspector general and federal law enforcement. Unofficial sources indicate that the cyberattacks that facilitated the fraud had been identified last year, and were ongoing as recently as the end of March.

A number of factors facilitated the breach. The system did not require two-factor authentication, nor did its email domain publish a DMARC policy, which lets receiving mail servers identify and reject messages that spoof the domain in the From: header. The site's own public look-up made it easy to identify the individuals who controlled SAM accounts, handing attackers a ready target list. Many of those individuals were apparently fooled by email messages asking them to click a link to a well-crafted fake login page.
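The DMARC gap above is the one factor a reader can check for any domain in a few lines. The following is an added example, not code from the FedScoop article, GSA, or SAM.gov: it parses DMARC TXT records and classifies the policy as missing, monitor-only, partial, or enforced. The sample records and the `.example` domain names are constructed for illustration; a real check would fetch the `_dmarc.<domain>` TXT record over DNS (for instance with `dig _dmarc.example.com TXT`).

```python
"""Classify a domain's DMARC policy from its _dmarc TXT record.

Added example (not from the article or GSA). The records below are
constructed; in practice you would look up _dmarc.<domain> TXT via DNS.
"""

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "quarantine-partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@quarantine-partial.example",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@enforced.example",
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict. Return None if the text is
    absent or is not a DMARC record (the v tag must be DMARC1)."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return (status, reason).

    'enforced'     p=reject or p=quarantine applied to 100% of failing mail
    'partial'      enforcing policy but pct < 100, so most spoofs still land
    'monitor-only' p=none: receivers report but still deliver spoofed mail
    'missing'      no valid record: receivers apply no policy at all
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing", "no valid DMARC record; spoofed From: addresses are not rejected")
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # malformed pct is treated as the default of 100
    if policy == "none":
        return ("monitor-only", "p=none only generates reports; spoofed mail is still delivered")
    if pct < 100:
        return ("partial", f"p={policy} is applied to only {pct}% of failing mail")
    return ("enforced", f"p={policy} is applied to all failing mail")


def audit(records):
    """Map each domain to its DMARC status for a quick fleet-wide view."""
    return {domain: assess_dmarc(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        status, reason = assess_dmarc(rec)
        print(f"{domain:30} {status:13} {reason}")
```

A published policy is only the last step: DMARC evaluates SPF and DKIM alignment, so the sending domain must already have correct SPF and DKIM records, and moving from p=none to p=reject without first reviewing aggregate (rua) reports will break legitimate mail sent through unlisted third-party services.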

An executive from the targeted company was very critical of SAM.gov’s security. “It’s ridiculous how poorly put together that site is,” he said, adding that when the company first discovered the cyberattack, he struggled to find a point of contact at GSA to report it to.

More at FedScoop
