Government websites pair up to host Apple ID phishing attack

Brazilian and Laotian government websites were found collaborating in an unusual Apple ID phishing attack today.

The Brazilian government education WordPress site at http://ead.go.gov.br/, and the Laotian government Department of Posts and Telecommunications site at https://dpt-km.gov.la — which runs Joomla — have evidently been compromised in this attempt to steal Apple ID credentials.

A subdirectory on http://ead.go.gov.br/ houses this phishing content, which prompts victims to enter their Apple IDs and passwords.

A subdirectory on http://ead.go.gov.br/ houses this phishing content, which prompts victims to enter their Apple IDs and passwords.

The most unusual thing about this particular incident is that both government sites are being used to carry out the same phishing attack: The spoof Apple ID login form is hosted on the Brazilian government site, while the Laotian government site hosts a script that redirects visitors to the spoof form on the Brazilian site.

In a separate spate of attacks, an Alibaba phishing site was also discovered on another Brazilian government site this week at http://cmrn.mg.gov.br, and a LinkedIn phishing site was found on the Pakistani government health information website at http://dhiskp.gov.pk/. The Laotian government site was also used to host a redirect to another phishing attack against a Greek bank last month.

While it is common for phishing sites to be hosted on compromised web servers, it is often assumed that government websites would be more secure than average; but this is not always the case, as empirically demonstrated by this week's attacks, and also by previous attacks hosted on Malaysian, Nigerian and Thai government websites.

However, this is the first time Netcraft has seen two different governments' websites working together to take part in the same phishing attack.