More than 40,000 users who fell victim to phishing attacks had their credentials for unlocking online accounts for government services stolen. The information might have already been sold on underground hacker forums.

Researchers at Group-IB, an international company focused on the prevention of cyber attacks, found that the login data offered access to services in 30 countries around the world.

A spokesperson for the company told BleepingComputer that the compromised credentials were discovered using investigative research techniques that involved detection and reverse-engineering of malware, and digital forensics data.

Most of the victims are in Europe

More than half of the victims are from Italy (52%), followed by Saudi Arabia (22%) and Portugal (5%). Users of government portals in other countries were also affected.

Among the victims are government employees, military and civilian citizens with accounts on official websites of France (gouv.fr), Hungary (gov.hu), Croatia (gov.hr), Poland (gov.pl), Romania (gov.ro), Switzerland (admin.ch), and the Government of Bulgaria (government.bg).

Credentials for logging into services of the Israel Defense Forces (idf.il), the Ministry of Finance of Georgia (mof.ge), the Norwegian Directorate of Immigration (udi.no), and the Ministries of Foreign Affairs of Romania and Italy were among the stolen data. Credentials for websites of the Italian Ministry of Defense (difesa.it) were also compromised.

The Computer Emergency Response Teams (CERTs) of the affected countries have been notified of the threat so they can take action to minimize the risks.

Victims fell for phishing trick

According to Group-IB, the hackers were able to grab the username/password pairs via malicious emails that distributed well-known spyware tools like Pony Formgrabber, AZORult, and Qbot (Qakbot).

The phishing operation targeted both personal and corporate email accounts and disguised the malware as a legitimate file or archive. When the victim opened the attachment, the malware would deploy and start looking for sensitive information on the system.

Pony targets over 70 software programs, searching for credentials in configuration files, databases, and secret storages. Once it collects the data, it sends it to the attacker's command and control (C2) server.

AZORult pilfers passwords from web browsers and also forages for data related to cryptocurrency. This particular trojan comes with a diverse set of capabilities that includes downloader functionality to deliver other threats, such as the Aurora ransomware.

Qbot, also known as QakBot and PinkSlip, is a multi-purpose banking trojan with over a decade of activity. It stays under the radar and is typically used in attacks that target high-profile victims.

It features worm-like capabilities that allow it to spread inside a compromised network and it can steal web sessions, cookies, and web certificates. The malware also includes keylogging capabilities for grabbing credentials.

In a report shared with BleepingComputer, Group-IB says that login data for government websites is less common on underground hacker forums because there is no immediate financial value in it.

For more advanced attackers, though, these logins are a valuable asset that could allow them to reach classified information. It could also allow them to infiltrate government websites for espionage purposes.

"Even one compromised government employee’s account can lead to the theft of commercial or state secrets," the researchers say.

Update [12/13/18] The article has been modified to more clearly reflect that the hackers compromised only the login credentials for the websites, not the websites themselves.