Not European news, but a lesson for us all: Security Boulevard tells of a couple of phishing schemes that are currently (end February 2019) targeting contractors who do business with two US federal government agencies. In one case, which mimics the Department of Transportation, researchers found that the server hosting the phishing site used a self-signed TLS certificate to add a sense of legitimacy in the eyes of unsuspecting government contractors. The site has a fake landing page and generally mimics the DOT eProcurement portal. Its email addresses and bid-submission pages look genuine, but contractors are redirected to a fake login page designed to steal their usernames and passwords. The State of Security website advises anyone doing business with the US government to familiarise themselves with some of the most common types of phishing attacks preying on users. This resource is relevant to all.
Read also: "Improving Government IT Through Effective Cyber Security Procurement" from Public Spend Forum.