Phishing Scam - Attackers Impersonate US Dept. of Transport

Uploaded on 2021-09-23 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Transport & Travel, TECHNOLOGY--Hackers

Cyber criminals have impersonated the US Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics, including creating new domains and fake federal sites to appear to be legitimate and to evade  detection. The attackers then sent fake text messages suggesting you can get funds from the US infrastructure bill.

The basic pitch was, with a trillion dollars of government money flowing through the system, the targets, are being invited to bid for some of this Federal money. 

Between August 16th &18th, researchers at the specialist e-mail security provider INKY detected 41 phishing emails offering the bait  of bidding for projects benefiting from a $1 trillion infrastructure spending package recently passed by Congress, according to a report written by Roger Kay, VP of security strategy at  INKY.

The phishing campaign targeted companies across various industries including engineering, energy and architecture, sending potential victims an email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.” 

To those familiar with government sites, the domain would appear suspicious given that government sites typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay reported. Unwitting victims who take the bait are led to a site “with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure,'” Kay wrote. However, the base domain of the site was actually registered in 2019 and “hosts what may or may not be an online casino that appears to cater to Malaysians... Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT.” Kay wrote.

Once on the fake bidding site, targets are then instructed to click on a “Bid” button and sign in with their email provider to connect to “the network.” It also instructed them to contact a fictitious person at another fake domain  with any questions.

Once victims closed the instructions, they were directed to an identical copy of the real USDOT website that the attackers created by copying HTML and CSS from the government’s site onto their phishing site. Once on the imposter USDOT site, targets are invited to click a red “Click Here to Bid” button that brings up a credential-harvesting form with a Microsoft logo and instructions to “Login with your email provider.”

A first attempt to enter credentials is met with a ReCAPTCHA challenge, often used by legitimate sites as an extra security device. However, attackers already captured credentials by this point, Kay noted. If targets make a second attempt to enter credentials, a fake error message appears, after which they are directed to the real USDOT website – “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” Kay wrote.

By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential-harvesting operation, the phishers came up with an attack sufficiently different from known strikes to evade standard detection methods.  

“Since they were brand new, the domains represented zero day vulnerabilities, they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools... Without a blemish, these sites did not look malicious.” Kay wrote.

INKY:         Threatpost:     CBS Chicago

You Might Also Read:

What Is The Best Defense Against Phishing?:

 

« 10,000 Cloud Security Certified Professionals
French Government Ministers Bugged »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

City Security Magazine

City Security Magazine

City Security magazine helps promote best security practices and keep businesses informed on a wide variety of security-related issues.

Hitachi ID Systems

Hitachi ID Systems

Hitachi ID Systems offers comprehensive identity management and access governance, privileged access management and password management solutions.

National Cyber Security Centre Finland (NCSC-FI)

National Cyber Security Centre Finland (NCSC-FI)

The NCSC-FI develops and monitors the operational reliability and security of communications networks and services in Finland.

InfoSec World

InfoSec World

InfoSec World conference and expo covers all aspects of information security with a broad agenda of sessions on key security issues.

MadSec Security

MadSec Security

MadSec Security is a leading consulting company whose expertise are information and cyber security.

ISARA Corp

ISARA Corp

ISARA Corporation is a security solutions company specializing in creating class-defining quantum-safe cryptography for today's computing ecosystems.

DeviceAssure

DeviceAssure

DeviceAssure enables organizations to reliably identify counterfeit and non-standard devices with a real-time check on a device's authenticity.

Jacobs

Jacobs

Jacobs is at the forefront of the most important security issues today. We are inspired to be the best and deliver innovative, mission-focused outcomes that matter to our clients.

Polygraph

Polygraph

Polygraph monitors the activities of click fraud gangs, including how they operate, who they target, the techniques they use, and how to detect their fraud.

OSP Cyber Academy

OSP Cyber Academy

OSP Cyber Academy are a managed service provider of cyber, information security and data protection training.

Theta

Theta

Theta is a New Zealand owned technology consultancy. Our team of over 330 experienced professionals help organisations transform with technology.

ABPSecurite

ABPSecurite

ABPSecurite is a leading value-added distributor and a network performance solutions provider.

Thero6

Thero6

Thero6 develop dynamic financial analysis algorithms that help prevent coin collapses and theft of cryptocurrency funds by identifying the transaction absolutely throughout the chain.

Swick Technologies (SWICKtech)

Swick Technologies (SWICKtech)

SWICKtech offer IT managed services to increase IT security, stability, and performance for your organization.

Quantum Bridge

Quantum Bridge

Our unbreakable key distribution technology ensures the highest level of protection for your critical infrastructure and sensitive data in an evolving digital landscape.

CQURE

CQURE

CQURE is divided into four main cybersecurity excellence areas: CQURE Consulting, CQURE Academy, CQURE Knowledge Sharing and CQURE Cyber Lab.