Threat actors impersonated the US Department of Transportation (USDOT) in a two-day phishing campaign that combined several tactics, including registering new domains that mimic Federal sites so as to appear legitimate, to evade security detections.
The attackers dangled the lure of funding from the $1t infrastructure bill & registered new domains mimicking the real Federal site.
$1t Infrastructure Package
Between Aug. 16 & 18, researchers at email security provider INKY detected 41 phishing emails dangling the lure of bidding on projects funded by a $1t infrastructure package recently passed by the US Congress, according to a report by INKY’s Roger Kay, VP of Security Strategy, that was published on Wed.
The campaign – which targeted companies in industries such as engineering, energy & architecture that likely would work with the USDOT – sends potential victims an initial email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.”
Registered by Amazon
The emails were sent from a domain, transportationgov[.]net, that was registered through Amazon’s registrar service on Aug. 16, Kay stated. The creation date, revealed by WHOIS, suggests the domain was set up specifically for this phishing campaign.
To anyone familiar with government sites, the domain would appear suspicious given that government sites typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay observed.
If people take the bait & click, they are led to a site, transportation.gov.bidprocure.secure.akjackpot[.]com, “with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ & ‘secure,’” Kay wrote. However, the base domain of the site, akjackpot[.]com, was registered in 2019 & “hosts what may or may not be an online casino that appears to cater to Malaysians,” he wrote.
“Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT,” Kay noted.
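The two domain tricks described above, a lookalike registered days before the mailing & a chain of reassuring labels stacked in front of an unrelated base domain, can be triaged mechanically. The Python below is an added example, not INKY’s tooling; the hostnames & WHOIS dates come from the article, while the trimmed suffix table, the list of “reassuring” labels, the brand tokens, the known agency domains & the 30-day freshness threshold are assumptions for the example.

```python
from datetime import date
from typing import Optional

# Simplified public-suffix table (assumption): production code should use the
# full Public Suffix List, which also knows multi-label suffixes such as co.uk.
PUBLIC_SUFFIXES = {"com", "net", "org", "us", "gov", "mil"}
# Subdomain labels that make a hostname "look" official (assumption)
REASSURING_LABELS = {"gov", "secure", "transportation", "bid", "bidprocure", "login", "federal"}
# Brand tokens expected only inside the real agency's names (assumption)
BRAND_TOKENS = ("transportation", "usdot")
# Registrable domains the impersonated agency actually uses (assumption)
KNOWN_AGENCY_DOMAINS = {"transportation.gov", "dot.gov"}
NEW_DOMAIN_DAYS = 30  # freshness threshold (assumption)


def registrable_domain(hostname: str) -> str:
    """Return the registered label plus public suffix, e.g. akjackpot.com.
    Everything to the left of it is attacker-chosen and carries no trust."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) < 2 or labels[-1] not in PUBLIC_SUFFIXES:
        return ".".join(labels)  # unknown suffix: treat the whole name as the domain
    return ".".join(labels[-2:])


def triage(hostname: str, created: Optional[date], today: date) -> dict:
    """Flag the tricks seen in the USDOT campaign for one hostname.

    created: WHOIS creation date (None if unknown); today: date of the check."""
    labels = hostname.lower().strip(".").split(".")
    base = registrable_domain(hostname)
    subdomain_labels = labels[: len(labels) - len(base.split("."))]
    known = base in KNOWN_AGENCY_DOMAINS
    gov_tld = base.endswith((".gov", ".mil"))
    # "transportation.gov.secure..." stacked left of an unrelated base domain
    decoy_labels = [] if known else [l for l in subdomain_labels if l in REASSURING_LABELS]
    # brand name fused into the registered label itself (transportationgov.net)
    fused_brand = (not known) and any(t in base.split(".")[0] for t in BRAND_TOKENS)
    days_old = (today - created).days if created else None
    newly_registered = days_old is not None and days_old <= NEW_DOMAIN_DAYS
    return {
        "registrable": base,
        "known_agency": known,
        "gov_tld": gov_tld,
        "decoy_labels": decoy_labels,
        "fused_brand": fused_brand,
        "days_old": days_old,
        "newly_registered": newly_registered,
        "suspicious": (not known) and (bool(decoy_labels) or fused_brand or newly_registered),
    }


if __name__ == "__main__":
    today = date(2021, 8, 18)
    # Hostnames from the article; akjackpot.com is only known to date from 2019,
    # so Jan 1 is a placeholder, not a WHOIS value.
    for host, created in [
        ("transportationgov.net", date(2021, 8, 16)),
        ("transportation.gov.bidprocure.secure.akjackpot.com", date(2019, 1, 1)),
        ("www.transportation.gov", None),
    ]:
        print(host, triage(host, created, today))
```

The point of `registrable_domain` is that only the right-most two labels are bought from a registrar; `transportation`, `gov` & `secure` to the left of `akjackpot.com` are free for the attacker to pick, so any trust a reader attaches to them is misplaced. Freshness alone would not catch the casino domain (registered in 2019), which is why the decoy-label check is kept separate.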
Once on the fake bidding site, targets are instructed to click a “Bid” button & sign in with their email provider to connect to “the network.” The page also tells them to contact a fictitious person at another fake domain, mike.reynolds@transportationgov[.]us, with any questions.
Once victims closed the instructions, they were directed to an imitation of the real USDOT website, which the attackers built by copying HTML & CSS from the government’s site onto their phishing site.
The attackers also copied in a real warning explaining how to verify official US government sites, which could tip off savvy victims who notice that the phishing site’s domain ends in .com rather than .gov or .mil, Kay noted.
Once on the imposter USDOT site, targets are invited to click a red “Click Here to Bid” button that brings up a credential-harvesting form with a Microsoft logo & instructions to “Login with your email provider.”
A first attempt to enter credentials is met with a reCAPTCHA challenge, a control that legitimate sites often use as an extra security measure. By this point, however, the attackers have already captured the credentials, Kay noted.
If targets make a second attempt to enter credentials, a fake error message appears, after which they are directed to the real USDOT website – “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” Kay wrote.
Though the attackers didn’t use any particularly new phishing tricks in their campaign, it was the combination of tactics in a new pattern that allowed them to get the emails through secure email gateways, Kay stated.
“By creating a new domain, exploiting current events, impersonating a known brand, & launching a credential-harvesting operation, the phishers came up with an attack just different enough from known strikes to evade standard detection methods,” he wrote.
Because the attackers used newly created domains that they controlled, the phishing mails passed standard email authentication checks, i.e., SPF, DKIM & DMARC, he observed. Those checks only confirm that a message really came from the domain in its From: header; they say nothing about whether that domain belongs to the USDOT.
“Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before & did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools,” Kay wrote.
“Without a blemish, these sites did not look malicious.”
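Authentication passing for a freshly registered domain is the failure mode worth building a detection around: the check that matters is whether the authenticated From: domain is one the claimed brand actually sends from. The Python below is an added example, not INKY’s code; the sample message is constructed, its Authentication-Results values are an assumption (a domain the attacker registered can publish its own SPF & DKIM records, so all three checks pass), and the known agency domains & brand phrases are assumptions for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Registrable domains the impersonated agency actually sends from (assumption)
KNOWN_AGENCY_DOMAINS = {"transportation.gov", "dot.gov"}
# Display-name phrases that claim the brand (assumption)
BRAND_PHRASES = ("department of transportation", "usdot", "transportation.gov")

# Constructed sample message, not a real capture. The Authentication-Results
# header is an assumption: the sender owns transportationgov.net, so SPF, DKIM
# and DMARC all pass for it.
PHISH = """\
From: "U.S. Department of Transportation" <bids@transportationgov.net>
To: estimating@example-engineering.com
Subject: Invitation to Bid - Infrastructure Projects
Authentication-Results: mx.example-engineering.com;
 spf=pass smtp.mailfrom=transportationgov.net;
 dkim=pass header.d=transportationgov.net;
 dmarc=pass (p=none) header.from=transportationgov.net
Content-Type: text/plain

The USDOT invites you to submit a bid. Click Here to Bid.
"""

# Same message as it would look from the real agency (constructed control case)
LEGIT = PHISH.replace("transportationgov.net", "transportation.gov")


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def assess(raw: str) -> dict:
    """Classify a message: authentication result alone is not the verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg["From"]))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    results = auth_results(msg)
    auth_pass = all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))
    claims_brand = any(p in display.lower() for p in BRAND_PHRASES)
    trusted = from_domain in KNOWN_AGENCY_DOMAINS
    if not auth_pass:
        verdict = "auth failure"
    elif claims_brand and not trusted:
        # Authentication proves the mail came from the From: domain, and that
        # domain is the attacker's own; the brand claim is what must be tested.
        verdict = "brand impersonation"
    else:
        verdict = "ok"
    return {"from_domain": from_domain, "auth_pass": auth_pass,
            "claims_brand": claims_brand, "verdict": verdict}


if __name__ == "__main__":
    print(assess(PHISH))
    print(assess(LEGIT))
```

Both messages authenticate cleanly; only the comparison of the authenticated domain against the agency’s real domains separates them, which is why a gateway that stops at “DMARC pass” & an empty threat-intelligence lookup lets this campaign through.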