Cybercriminals use PH government agencies to trick victims

Proofpoint, an enterprise cybersecurity company, has identified cybercriminal activity that impersonates Philippine government agencies to trick victims into clicking links in, or downloading attachments from, phishing emails. The cybercriminals made it appear that the emails came from the Department of Health (DOH), the Philippine Overseas Employment Administration (POEA), and the Bureau of Customs (BOC).

A group called Balikbayan Foxes, according to Proofpoint researchers, "is targeting organizations directly or indirectly engaged with the Philippine government based on a continuous pattern of spoofing email addresses and delivering lures designed to impersonate government entities."

Using emails pretending to be from the Bureau of Customs, the cybercriminals engage with shipping, transportation, and logistics companies.

With the same technique of sending spoofed emails, the cybercriminal group also engages with manufacturing and energy companies that require correspondence with the Department of Labor and Employment (DOLE) and the Bureau of Customs (BOC).

This series of cybercriminal campaigns distributes remote access trojans (RATs), which are typically used for information gathering, data theft operations, monitoring, and control of compromised computers.

Upon further investigation, Proofpoint identified additional, separate campaigns distributing the same malware masquerading as the Philippine Department of Health (DOH).

The fake emails contain PDF links to compressed executables that download and run malware; compressed MS Excel documents containing macros which, if enabled, could download malware; and links to a compressed file with an embedded malicious file.

Here are the emails from the cybercriminals as released by Proofpoint.

It's a red flag if the email creates a sense of urgency and asks you to click a link. If you click a link, be sure to check whether the URL points to the website of the agency.

This email was sent from a free email domain; it's a scam. The embassy of the Kingdom of Saudi Arabia in the Philippines has an official email. The email sent to a PH government agency is from a Gmail account.

Check the attachment carefully. The email pretending to be from the POEA has a UUE file attachment that could lead to the installation of the remote access trojan.
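The three red flags in these captions (a free email sender, a link that does not point to the agency's website, and an archive or encoded attachment) can also be checked automatically before a message reaches a user. The Python triage below is an added example, not code from Proofpoint or from this article; the `gov.ph` suffix, the free-mail list beyond Gmail, the extension list beyond `.uue`, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions, not from the article: the gov.ph suffix, the free-mail list
# beyond Gmail, and the extensions beyond .uue.
OFFICIAL_SUFFIX = "gov.ph"
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
RISKY_EXT = (".uue", ".zip", ".rar", ".7z", ".iso", ".xlsm")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def under(host, suffix=OFFICIAL_SUFFIX):
    """True only for the suffix itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def triage(raw):
    """Return the red flags found in one raw email message."""
    msg, flags = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in FREE_MAIL:
        flags.append(f"sender uses free email domain {domain}")
    elif not under(domain):
        flags.append(f"sender domain {domain!r} is not under {OFFICIAL_SUFFIX}")
    for part in msg.walk():
        name = part.get_filename()
        if name:  # attachment: judge it by its file extension
            if name.lower().endswith(RISKY_EXT):
                flags.append(f"attachment {name} is an archive or encoded file")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in URL_RE.findall(body):
                host = urlparse(url).hostname
                if not under(host):
                    flags.append(f"link points to {host}, not an agency site")
    return flags

# Constructed sample, not a lure from the report.
SAMPLE = (
    'From: "POEA Advisory" <poea.advisory@gmail.com>\n'
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\n"
    "Act today: http://poea.gov.ph.example.net/notice\n"
    '--b1\nContent-Disposition: attachment; filename="notice.uue"\n\n'
    "begin 644 notice.txt\n--b1--\n"
)

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

The host check compares the end of the hostname rather than searching for the agency name anywhere in the URL, so the sample link is flagged even though it contains `poea.gov.ph`.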

The best way to avoid phishing scams is to be fully informed. Keep your eyes open for news about the latest phishing methods and how to stop them. If you know how the criminals work, you have a lower risk of biting that lure. Always think before you click, hover your cursor over the link, and check the actual URL before clicking. It would also help if you would keep your system up to date and use anti-virus software. Always remember, never give out your personal information. #BeFullyInformed

(Proofpoint, Inc. is an American enterprise security company based in Sunnyvale, California that provides software as a service and products for inbound email security, outbound data loss prevention, social media, mobile devices, digital risk, email encryption, electronic discovery, and email archiving. Check Proofpoint at