Phishing Campaign Imitating U.S. Department of Education (G5)

Target: U.S. Department of Education – G5 Grant Portal
Analyst: PreCrime™ Labs
Threat Classification: Credential Phishing (Government Impersonation)
Date: PreCrime™ Labs identified the phishing campaign on July 15th and notified the DoE 

Executive Summary: Phishing Campaign Imitating U.S. Department of Education (G5)

PreCrime™ Labs, the threat research team at BforeAI, identifies a phishing campaign currently targeting the U.S. Department of Education’s G5 portal, which is used for managing grants and federal education funding. Multiple lookalike domains have been observed spoofing the G5 login page in an attempt to harvest login credentials from legitimate users.

These domains attempt to clone or imitate the official G5.gov interface and may be targeting education professionals, grant administrators, or vendors tied to the U.S. Department of Education. This activity is particularly alarming given the recent Trump Administration announcement of 1,400 layoffs at the Department of Education, which may create confusion and an opportunity for social engineering.

The following domains have been observed actively hosting phishing kits or cloned login portals:

• mynylifeinsuraces.com
• mysoleverhrnix.com
• myizolvedpeopls.com
• myapdpetrol.com
• g5parameters.com
• g4parameters.com

These domains are seen mimicking login portals and using deceptive structures to appear affiliated with legitimate federal systems.

Infrastructure Analysis

• Registrar: Hello Internet Corp (known noted for lax abuse compliance)
  • Hosting: All domains are fronted by Cloudflare CDN for obfuscation and uptime resilience
  • HTML Content:
    • Copies visual design and structure of https://www.g5.gov
    • Includes fake login form and JavaScript-based credential exfiltration
    • Displays a “case-sensitive” login field to appear more legitimate
  • Observed Behavior:
    • The page submits data via analytics.php and uses an asynchronous updates.php loop to simulate login processing
    • Uses browser-based cloaking and DOM manipulation to confuse automated scanners

Attempts redirection to a /verify/ endpoint, which likely leads to secondary phishing or MFA bypass.

A cloned version of the G5 portal was identified on one of the domains. This phish uses the same login structure, help desk information, and layout as the official site. (see screenshot below).

Reputational Hits and Risk Propagation

BforeAI is the only known provider currently flagging this infrastructure. No mainstream blocklists have yet labeled this cluster — highlighting the value of predictive detection.

Credential Theft: Login credentials to a government grant system may allow attackers to:

• Access sensitive grant award data
• Change payment instructions
• Impersonate recipients for fraud
• Wider Social Engineering: These domains could be paired with phishing emails referencing ongoing layoffs or grant disbursement delays.
• National Security: Attacks targeting federal infrastructure (even peripheral systems) could be leveraged for supply chain intrusion or reputational damage.

• All domains have been flagged and are under disruption process
• Threat indicators shared with partner intelligence ecosystems
• Continuous monitoring in place for reuse of assets (favicon hashes, JS signatures, etc.)
• The Department of Education Office of the Inspector General (OIG) has been notified of the campaign via the OIG Hotline: https://oig.ed.gov/oig-hotline

• Government employees and grant recipients should avoid clicking on links from unknown email sources and always verify URLs.
• Bookmark the official G5 portal: https://www.g5.gov
• Report suspicious emails or domains to your agency’s cybersecurity team or to [email protected]