Phishing Scam - Attackers Impersonate US Dept. of Transport

Cyber criminals have impersonated the US Department of Transportation (USDOT) in a two-day phishing campaign that used a combination of tactics, including creating new domains and fake federal sites to appear to be legitimate and to evade  detection. The attackers then sent fake text messages suggesting you can get funds from the US infrastructure bill.

The basic pitch was, with a trillion dollars of government money flowing through the system, the targets, are being invited to bid for some of this Federal money. 

Between August 16th &18th, researchers at the specialist e-mail security provider INKY detected 41 phishing emails offering the bait  of bidding for projects benefiting from a $1 trillion infrastructure spending package recently passed by Congress, according to a report written by Roger Kay, VP of security strategy at  INKY.

The phishing campaign targeted companies across various industries including engineering, energy and architecture, sending potential victims an email in which they’re told that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button with the words “Click Here to Bid.” 

To those familiar with government sites, the domain would appear suspicious given that government sites typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay reported. Unwitting victims who take the bait are led to a site “with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure,'” Kay wrote. However, the base domain of the site was actually registered in 2019 and “hosts what may or may not be an online casino that appears to cater to Malaysians... Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT.” Kay wrote.

Once on the fake bidding site, targets are then instructed to click on a “Bid” button and sign in with their email provider to connect to “the network.” It also instructed them to contact a fictitious person at another fake domain  with any questions.

Once victims closed the instructions, they were directed to an identical copy of the real USDOT website that the attackers created by copying HTML and CSS from the government’s site onto their phishing site. Once on the imposter USDOT site, targets are invited to click a red “Click Here to Bid” button that brings up a credential-harvesting form with a Microsoft logo and instructions to “Login with your email provider.”

A first attempt to enter credentials is met with a ReCAPTCHA challenge, often used by legitimate sites as an extra security device. However, attackers already captured credentials by this point, Kay noted. If targets make a second attempt to enter credentials, a fake error message appears, after which they are directed to the real USDOT website – “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” Kay wrote.

By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential-harvesting operation, the phishers came up with an attack sufficiently different from known strikes to evade standard detection methods.  

“Since they were brand new, the domains represented zero day vulnerabilities, they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools... Without a blemish, these sites did not look malicious.” Kay wrote.

INKY:         Threatpost:     CBS Chicago

You Might Also Read:

What Is The Best Defense Against Phishing?:

 

« 10,000 Cloud Security Certified Professionals
French Government Ministers Bugged »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

Resecurity, Inc.

Resecurity, Inc.

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Pen Test Partners LLP

Pen Test Partners LLP

Pen Test Partners provides penetration testing, security assessment and training services.

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

National Agency for Information & Communication Technologies (ANTIC) - Cameroon

ANTIC is responsible for regulating the activities of electronic security and regulation of the Internet in Cameroon.

Threat Intelligence

Threat Intelligence

Threat Intelligence is a specialist security company providing penetration testing, threat intelligence, incident response and training services.

Farsight Security

Farsight Security

Farsight Security provides the world’s largest real-time actionable threat intelligence on how the Internet is changing.

SmartCyber

SmartCyber

SmartCyber is a company specializing in custom IT projects and Cybersecurity.

Identity Defined Security Alliance (IDSA)

Identity Defined Security Alliance (IDSA)

IDSA is a group of identity and security vendors, solution providers and practitioners that acts as an independent source of education and information on identity-centric security strategies.

Industrial Cybersecurity Center (CCI)

Industrial Cybersecurity Center (CCI)

CCI is the first center of its kind that comes from industry without subsidies, independent and non-profit, to promote and contribute to the improvement of Industrial Cybersecurity.

HardSecure

HardSecure

Hardsecure supports organizations to face security threats through the adoption of cybersecurity capabilities that guarantee 360º monitoring, visibility, mitigation, and blocking.

Dynics

Dynics

The Dynics ICS-Defender is an Industrial Control System Security Appliance for OT or OT/IT convergent environments.

Chainlink

Chainlink

Chainlink expands the capability of smart contracts by enabling access to real-world data and systems without sacrificing the security and reliability guarantees inherent to blockchain technology.

XioGuard

XioGuard

XioGuard is a managed security service for 360-degree cybersecurity coverage, protecting the entire attack surface, increasing performance, reducing cost, and simplifying operations.

Phished

Phished

Phished is an AI-driven platform that focuses on the human side of cybersecurity. By combining fully automated training software with personalised, realistic simulations of cyberattacks.

Anjuna Security

Anjuna Security

Software from Anjuna Security effortlessly enables enterprises to safely run even their most sensitive workloads in the public cloud.

Aegis Cyber Defense Systems

Aegis Cyber Defense Systems

AEGIS is a powerful cybersecurity tool that can help protect your devices and networks from cyber threats, and increase performance.

Fairly AI

Fairly AI

Fairly AI is on a mission to democratize safe, secure, and compliant AI across the enterprise.

SecuCenter

SecuCenter

Secucenter is a trusted partner for SOC services, offering security expertise in a cost-effective way.