Home > Security > Security News

Hackers Clone U.S. Department of Education’s Grant Site in Credential Theft Campaign

Published
Written by:
Vishwa Pandagle
Vishwa Pandagle
Cybersecurity Staff Editor
Department of Education Cybercrime

The U.S. Department of Education's G5 portal has been targeted in a phishing campaign. The cyber attacks were discovered on July 15, and they involve several fraudulent domains impersonating the federal platform managing education grants and funding.

The incident came to light when PreCrime Lab, a threat research unit at BforeAI, discovered fake domains mimicking the G5.gov login page. Investigators quickly determined that the spoofing campaign aimed to impersonate a government system and steal user credentials.

The primary targets are speculated to be grant administrators, educators, and vendors whose accounts could be further exploited for lateral movement and scams. 

Lookalike Domains to the U.S. Department of Education (G5)

The structure of the phishing pages gave an impression of being affiliated with federal systems. 

Cloned G5 portal for credential theft
Cloned G5 portal for credential theft | Source: Before.AI

The login page of the G.5 portal was replicated to trick education professionals, grant administrators, and vendors tied to the U.S. Department of Education, the BforeAI report read.

The fraudulent domains and websites hosting phishing kits:

What Researchers Found 

Researchers noticed a compelling likeness in the visual design of the phishing platforms mimicking https://www.g5.gov. The pages also redirect to a /verify/ endpoint which likely leads to another phishing site or MFA bypass for easy loginmulti-factor authentication (MFA) bypass to facilitate unauthorized access.

These are the Other Findings About the G.5 Phishing Campaign

Potential Threats and Impact to Guard Against

This phishing campaign could help attackers not only to access sensitive information but also to change payment instructions. They could impersonate recipients to commit fraud. 

Moreover, the tactic could be leveraged to target federal infrastructure as part of a broader supply chain attack.

Another speculation the researchers made was that “these domains could be paired with phishing emails referencing ongoing layoffs or grant disbursement delays.”

“This activity is particularly alarming given the recent Trump Administration announcement of 1,400 layoffs at the Department of Education, which may create confusion and an opportunity for social engineering,” the report further noted.

Action Taken So Far

The Department of Education Office of the Inspector General (OIG) has been alerted about the phishing scam. BforeAI has officially flagged all the malicious domains which are now undergoing disruption, and shared critical threat intelligence with its partner intelligence ecosystems. 

The possible reuse of assets, including favicon hashes, JS signatures, and others, is under continuous monitoring. 

How to Prevent Threats

Phishing actors often replicate official login portals, including logo, layout, and URL structure to deceive users. In response to this trend, TechNadu approached the BforeAI for information on how to verify the legitimacy of a portal when confronted with spoofed logos and login pages. 

Abu Qureshi, Threat Research and Mitigation Lead, BforeAI, responded by saying that it is technically possible to detect such threats, but it requires awareness and vigilance. 

These are Qureshi’s recommendations: 

In addition, government employees must bookmark the official G5 postal and continue using it until all threats are fully mitigated. They must also be wary of clicking on any suspicious links or responding to emails that appear urgent or ask for personal information.

All malicious activity or communications should be reported to [email protected] or one’s agency’s cybersecurity team.

Add a Comment
Related
Iran Surveillance
Targeted Surveillance Surges in Iran: Spyware and Phishing Campaigns Hit Women, Minorities, and Civil Society
Help Desk Impersonation
Clorox Sues Cognizant Over Cybersecurity Negligence in 2023 Scattered Spider Hack 
US Nuclear Weapons Hacking Agency
US Nuclear Security Administration Breached in SharePoint Hack, Linen & Violet Typhoon, Storm-2603 Suspected
SharePoint Vulnerability
SharePoint Exploits Impact 100 Entities, Google Says Some Hacks Are Tied to Chinese Hackers
DCHSpy Spyware
Iranian Hackers MuddyWater Use Fake VPN and Banking Apps to Distribute DCHSpy to Governments
Dell Data Breach
Dell Solution Center Test Lab Breach, Linked to World Leaks Extortion Group Attack
Most Popular
VPN Scam
Windscribe Slams Top-Ranked JET VPN for Piggybacking on Its Servers Without Consent
Iran Surveillance
Targeted Surveillance Surges in Iran: Spyware and Phishing Campaigns Hit Women, Minorities, and Civil Society
Help Desk Impersonation
Clorox Sues Cognizant Over Cybersecurity Negligence in 2023 Scattered Spider Hack 
US Nuclear Weapons Hacking Agency
US Nuclear Security Administration Breached in SharePoint Hack, Linen & Violet Typhoon, Storm-2603 Suspected
Google Sues Botnet
Google Sues Operators Behind BadBox 2.0 Botnet Infecting 10 million Android Devices
SharePoint Vulnerability
SharePoint Exploits Impact 100 Entities, Google Says Some Hacks Are Tied to Chinese Hackers
Windscribe Slams Top-Ranked JET VPN for Piggybacking on Its Servers Without Consent
Targeted Surveillance Surges in Iran: Spyware and Phishing Campaigns Hit Women, Minorities, and Civil Society
Clorox Sues Cognizant Over Cybersecurity Negligence in 2023 Scattered Spider Hack 
US Nuclear Security Administration Breached in SharePoint Hack, Linen & Violet Typhoon, Storm-2603 Suspected
Google Sues Operators Behind BadBox 2.0 Botnet Infecting 10 million Android Devices
SharePoint Exploits Impact 100 Entities, Google Says Some Hacks Are Tied to Chinese Hackers

Most Popular
VPN Scam
Windscribe Slams Top-Ranked JET VPN for Piggybacking on Its Servers Without Consent
Iran Surveillance
Targeted Surveillance Surges in Iran: Spyware and Phishing Campaigns Hit Women, Minorities, and Civil Society
Help Desk Impersonation
Clorox Sues Cognizant Over Cybersecurity Negligence in 2023 Scattered Spider Hack 
US Nuclear Weapons Hacking Agency
US Nuclear Security Administration Breached in SharePoint Hack, Linen & Violet Typhoon, Storm-2603 Suspected
Google Sues Botnet
Google Sues Operators Behind BadBox 2.0 Botnet Infecting 10 million Android Devices
SharePoint Vulnerability
SharePoint Exploits Impact 100 Entities, Google Says Some Hacks Are Tied to Chinese Hackers
Windscribe Slams Top-Ranked JET VPN for Piggybacking on Its Servers Without Consent
Targeted Surveillance Surges in Iran: Spyware and Phishing Campaigns Hit Women, Minorities, and Civil Society
Clorox Sues Cognizant Over Cybersecurity Negligence in 2023 Scattered Spider Hack 
US Nuclear Security Administration Breached in SharePoint Hack, Linen & Violet Typhoon, Storm-2603 Suspected
Google Sues Operators Behind BadBox 2.0 Botnet Infecting 10 million Android Devices
SharePoint Exploits Impact 100 Entities, Google Says Some Hacks Are Tied to Chinese Hackers

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2025 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: