Organizations were targeted by a group of malicious actors in the fall of 2021 with an advanced phishing campaign impersonating the US Department of Transportation. The attack was quite timely, with the $1 Trillion USD infrastructure bill having passed just weeks earlier.
In a so-called flash attack, the malicious actors had registered a domain resembling the legitimate one, and sent out emails inviting the recipient to bid on the procurement offer.
The email contained a link leading to a poorly copied version of the legitimate website used by the US Department of Transportation. To access the bidding document, the recipient was urged to enter their credentials, after which they were redirected to the legitimate site. Other similar cases of impersonation were also seen during the fall with e.g. the US Department of Labor.
Not unique to this attack, the bidding proposal vector is often used in phishing campaigns originating from breached business emails. This approach is effective in luring recipients into clicking on links by tempting people with potential new opportunities to work with large companies.
The 2022 version is a whole other level of dangerous
This week, we spotted a new phishing campaign in the wild. It bears close resemblance to the one presented above, but with important modifications.
The initial email originates from the domain “dotusa(.)gov” and welcomes the recipient to bid for ongoing governmental projects. The email looks slightly more legitimate than its counterpart from last fall, with added logos and better formatting. The “Company:” -field is also automatically populated by the recipient's domain to increase legitimacy.
The email contains a PDF - filetype attachment. It’s not a perfect replica, but good enough to fool eager bidders.
On the third page of the document, a large “BID” button is found, which takes the potential victim to the credential harvesting page. This credential harvesting page is an especially well-crafted replica of the real website hosted by the US Department of Transportation. The video below shows the credential harvesting flow from start to finish.
A big flashing red button is found in the middle of the page, which takes the potential victim to a form requesting credentials. As usual, the credentials are not accepted for the first few tries which improves data quality by better ensuring the victim has typed in the correct password, or potentially even two different passwords they’re using; each one has value to attackers. Afterwards, the victim is shown a notification of successful registration, informing that they’ll be contacted by email in the future. Last but not least, the victim is redirected to the legitimate site, in hopes that they won’t notice they’ve just been scammed.
It is extremely uncommon for malicious actors to craft such a thorough copy of the legitimate site. Most credential harvesting pages only have a few functioning links required for the credential harvesting flow. To overcome a potential victim's spider sene, the attacker can let them click around the spoofed site to dampen suspicions.
Here are some side-by-side comparisons between the faked and legitimate sites. Can you spot the fake one?
Spoiler alert: The left one is fake in all of the above pictures. At a quick glance, the faked one seems almost more legitimate in some of the examples.
A curious detail is that all the documents, even budget highlights, from past decades are present on the faked site.
Staying off the hook
The malicious actors have utilized spoofing to make it seem like the initial email originated from a governmental domain with the “.gov” top level domain. Using the search engine of your choosing to check the sending domain would however return no results a domain does not exist. Government sites usually contain information about which domains they use for communications.
Should the first clues have been missed, the age-old trick of hovering on the link in the attachment would reveal that it does not lead to an official government site. Funnily enough, as explained by the safety banner found on the malicious site, official United States government websites utilise the .gov top level domain.
