Phishing Scam - Attackers Impersonate US Dept. of Transport

Uploaded on 2021-09-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Transport & Travel, TECHNOLOGY--Hackers

Cyber criminals have impersonated the US Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics, including creating new domains and fake federal sites to appear to be legitimate and to evade  detection. The attackers then sent fake text messages suggesting you can get funds from the US infrastructure bill.

The basic pitch was, with a trillion dollars of government money flowing through the system, the targets, are being invited to bid for some of this Federal money. 

Between August 16th &18th, researchers at the specialist e-mail security provider INKY detected 41 phishing emails offering the bait  of bidding for projects benefiting from a $1 trillion infrastructure spending package recently passed by Congress, according to a report written by Roger Kay, VP of security strategy at  INKY.

The phishing campaign targeted companies across various industries including engineering, energy and architecture, sending potential victims an email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.” 

To those familiar with government sites, the domain would appear suspicious given that government sites typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay reported. Unwitting victims who take the bait are led to a site “with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure,'” Kay wrote. However, the base domain of the site was actually registered in 2019 and “hosts what may or may not be an online casino that appears to cater to Malaysians... Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT.” Kay wrote.

Once on the fake bidding site, targets are then instructed to click on a “Bid” button and sign in with their email provider to connect to “the network.” It also instructed them to contact a fictitious person at another fake domain  with any questions.

Once victims closed the instructions, they were directed to an identical copy of the real USDOT website that the attackers created by copying HTML and CSS from the government’s site onto their phishing site. Once on the imposter USDOT site, targets are invited to click a red “Click Here to Bid” button that brings up a credential-harvesting form with a Microsoft logo and instructions to “Login with your email provider.”

A first attempt to enter credentials is met with a ReCAPTCHA challenge, often used by legitimate sites as an extra security device. However, attackers already captured credentials by this point, Kay noted. If targets make a second attempt to enter credentials, a fake error message appears, after which they are directed to the real USDOT website – “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” Kay wrote.

By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential-harvesting operation, the phishers came up with an attack sufficiently different from known strikes to evade standard detection methods.  

“Since they were brand new, the domains represented zero day vulnerabilities, they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools... Without a blemish, these sites did not look malicious.” Kay wrote.

INKY:         Threatpost:     CBS Chicago

You Might Also Read:

What Is The Best Defense Against Phishing?:

 

« 10,000 Cloud Security Certified Professionals
French Government Ministers Bugged »

ManageEngine
CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

National Trading Standards eCrime Team (NTSeCT) - United Kingdom

National Trading Standards eCrime Team (NTSeCT) - United Kingdom

The National Trading Standards eCrime Team tackles online consumer scams, rip-offs and fraud, as well as those committed by text or email.

ProfitBricks

ProfitBricks

ProfitBricks is a secure cloud computing infrastructure-as-a-service (IaaS) solution.

Homeland Security Investigations (HSI)

Homeland Security Investigations (HSI)

Homeland Security Investigations (HSI) is a premier federal law enforcement agency within the Department of Homeland Security (DHS).

ShadowDragon

ShadowDragon

ShadowDragon develops digital tools that simplify the complexities of modern investigations that involve multiple online environments and technologies.

Calero Software

Calero Software

Calero is a leading global provider of Communications and Cloud Lifecycle Management (CLM) solutions designed to simplify the management of voice, mobile and other unified communications services.

Zuratrust

Zuratrust

Zuratrust provide protection for all kinds of email related cyber attacks.

Automox

Automox

Remediate vulnerabilities 30X faster than the industry norm – and dramatically reduce your risk with simple, fast, and cloud-native endpoint hardening from Automox.

Iron Bow Technologies

Iron Bow Technologies

Iron Bow Technologies is a leading IT solution provider dedicated to successfully transforming technology investments into business capabilities for government, commercial and healthcare clients.

CloudBolt Software

CloudBolt Software

CloudBolt provide solutions for your toughest cloud challenges. From automation, to cost and security, and hybrid IT governance — we have you covered.

FPT Software

FPT Software

As a leading technology service provider, FPT assists customers of all sizes and from any industries in implementing and adapting digital technologies including cybersecurity.

OnSecurity

OnSecurity

OnSecurity replaces the overhead of traditional penetration testing firms with a simple online interface, making it easy to book tests as and when needed.

Mode Solutions

Mode Solutions

Mode guarantee IT performance where you need it most, creating seamless and secure solutions that will alleviate pressure from your business.

Fireblocks

Fireblocks

Fireblocks is a digital asset security platform that helps financial institutions protect digital assets from theft or hackers.

Aeries Technology

Aeries Technology

Aeries is a technology services organization offering capabilities in Technology Services, Digital Transformation, and Business Process Management.

Vambrace Cybersecurity

Vambrace Cybersecurity

Vambrace is an experienced cybersecurity consultancy and operations outsourcer helping you to secure your business in an increasingly-hostile cyber environment.

Access Talent Today

Access Talent Today

Access Talent Today is an AI/ML and cyber security talent provider.