INKY Blog | Eliminate email security threats

Fresh Phish: Phishers Lure Victims with Fake Invites to Bid on Nonexistent Federal Projects

Written by Roger Kay | Jan 19, 2022 11:00:00 AM

During the back half of 2021, INKY began detecting phishing emails that impersonated the United States Department of Labor (DoL). Eventually, the campaign grew to hundreds of instances.

INKY caught enough of these attempts to do a thorough analysis of the campaign, which is set out in this edition of Fresh Phish.

Quick Take: Attack Flow Overview

  • Type: Phishing
  • Vector: Spoofed DoL senders and newly created look-alike domains
  • Payload: Malicious links in PDF attachments leading to credential harvesting sites
  • Techniques: Brand impersonation, mail server abuse, VIP impersonation
  • Platform: Google Workspace and Microsoft 365
  • Target: Google Workspace and Microsoft 365 users

The Attack

In this campaign, the majority of phishing attempts had sender email addresses spoofed to look as if they came from no-reply@dol[.]gov, which is the real DoL site. A small subset was spoofed to look as if they came from no-reply@dol[.]com, which is, of course, not the real DoL domain.

The rest came from a set of newly created look-alike domains:

  • dol-gov[.]com
  • dol-gov[.]us
  • bids-dolgov[.]us

Distribution of spoofed domains

These phishing emails invited recipients to submit bids for “ongoing government projects" and claimed to be from a senior DoL employee responsible for procurement.

Email impersonating the U.S. DoL

Each phishing email had a three-page PDF attachment (shown below) with well-crafted DoL branding elements.

Page 1 of PDF attachment

Page 2 of PDF attachment

Page 3 of PDF attachment

Recipients were instructed to click the “BID” button on Page 2 to access DoL’s procurement portal. Behind the button was a malicious link. The links varied, but they all led to malicious domains that impersonated the DoL.

Here are the variants INKY detected:

  • opendolbid[.]us
  • usdol-gov[.]com
  • bid-dolgov[.]us
  • us-dolbids[.]us
  • dol-bids[.]us
  • openbids-dolgov[.]us
  • open-biddolgov[.]us
  • openbids-dolgov[.]com
  • usdol-gov[.]us
  • dolbids[.]com
  • openbid-dolgov[.]us
  • dol[.]global

What the victim saw when they reached the evil site was a set of fake instructions.

Fake instructions on how to submit a bid

 When the victim closed the instructions, what they saw was an identical copy of the real DoL website. The clever phishers had simply copied HTML and CSS from the real site and pasted it into the phishing site.

Identical copy of DoL site (except for red “Click here to bid” button)

Victims who clicked on the red “Click here to bid” button was presented with a credential harvesting form with instructions to sign in and bid using a Microsoft or other business email account.

Credential harvesting form

When an INKY engineer made the first attempt at entering fake credentials, the site displayed a fake incorrect credentials error. But behind the scenes, those fake credentials had already been harvested (and either stored on the malicious site or emailed to the phisher).

Fake incorrect credentials error

In a classic “blow-off,” when our engineer made a second attempt at entering fake credentials, they were redirected to the real DoL site. This nuanced touch, borrowed from con artistry that well predates the digital era, is designed to confuse the victim and delay the moment when they realize that they were taken.

The real DoL site

Techniques

In the majority of these attacks (the ones in which the spoofed sender was either no-reply@dol[.]gov or no-reply@dol[.]com), the phishers were able to send their phishing emails from abused servers nominally controlled by a non-profit professional membership group.

Received headers of a phish sent on New Year's Day

In this example’s received headers (the path of servers through which the email travelled), the email originated from 185.105.7.219, and the non-profit’s abused mail server accepted it before passing it off to Microsoft Outlook servers. This technique allowed the phishing email to receive a DKIM pass for the reputable group’s domain. An investigation into 185.105.7.219 revealed that the IP address was associated with albacasino[.]com, a new domain created barely a week prior.

In other cases, the phishers used newly created domains to both send initial phishing emails and host fake DoL sites. Newly created domains are a black-hat favorite because they are able to pass standard email authentication (SPF, DKIM, and DMARC). Since they are brand new, the domains represent zero-day vulnerabilities; they have never been seen before and typically do not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools. Without a blemish, these sites used in this exploit did not look malicious.

A WHOIS lookup surfaced a recently created phishing domain

Although several email security vendors use computer vision to detect impersonation sites, simplistic computer vision would not have helped in this case because the first thing the victim saw was the instructions, which concealed the actual impersonated site.

Recap of Techniques

  • Brand impersonation — is done seamlessly by phishers who copy and paste HTML and CSS directly from the real DoL site to spoof it
  • Abuse of a mail server — leverages a legitimate organization’s mail server to send phishing emails
  • Newly created domains — are not yet known by threat intelligence feeds and therefore pass rudimentary security checks
  • Credential harvesting — occurs when a victim tries to log into what they think is a real government site and ends up instead entering credentials into a form controlled by the phishers

Best Practices: Guidance and Recommendations

Official U.S. government domains usually end in .gov or .mil rather than .com or another suffix.

The U.S. government does not typically send out cold emails to solicit bids for projects.

Potential victims should be aware that it makes no sense to be asked to log in with email credentials to view a document on a completely different network.

For message administrators, it ought to be clear that SMTP servers should not be configured to accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorized users.

Read more of INKY’s past Fresh Phish, and subscribe to receive our news and articles directly to your inbox.

----------------------

INKY is an award-winning, cloud-based email security solution developed to proactively eliminate phishing emails and malware while simultaneously providing real-time assistance to employees handling suspicious emails so they can make safer decisions. INKY’s patented technology incorporates sophisticated computer vision, machine learning models, social profiling, and stylometry algorithms to effectively sanitize emails, rewrite malicious links, detect and block security threats, mitigate sender impersonation, and more. Cost-effective and powerful, the INKY platform was developed for mobile-first IT organizations and works seamlessly on any device, operating system, and mail client. Learn more about INKY™ or request an online demonstration today.