Phishing Scam - Attackers Impersonate US Dept. of Transport

Cyber criminals have impersonated the US Department of Transportation (USDOT) in a two-day phishing campaign that combined several tactics, including newly registered domains and a cloned federal website, to appear legitimate and to evade detection. The attackers then sent emails suggesting that recipients could win a share of the funds in the US infrastructure bill.

The basic pitch was that, with a trillion dollars of government money flowing through the system, the targets were being invited to bid for some of that federal money.

Between August 16th and 18th, researchers at the specialist email security provider INKY detected 41 phishing emails offering the bait of bidding for projects funded by the $1 trillion infrastructure spending package recently passed by Congress, according to a report written by Roger Kay, VP of security strategy at INKY.

The phishing campaign targeted companies across various industries, including engineering, energy and architecture, sending potential victims an email telling them that the USDOT is inviting them to submit a bid for a department project by clicking a big blue button labelled “Click Here to Bid.”

To anyone familiar with government sites, the link's domain would look suspicious, since US federal sites use a .gov suffix and this one did not. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay reported. Unwitting victims who take the bait are led to a site “with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure’,” Kay wrote. However, the base domain of the site was actually registered in 2019 and “hosts what may or may not be an online casino that appears to cater to Malaysians... Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT,” Kay wrote.

Once on the fake bidding site, targets are instructed to click a “Bid” button and sign in with their email provider to connect to “the network.” The page also told them to contact a fictitious person at a second fake domain with any questions.

Once victims closed the instructions, they were directed to an identical copy of the real USDOT website, which the attackers had built by copying the HTML and CSS from the government’s site onto their phishing site. On the imposter USDOT site, targets were invited to click a red “Click Here to Bid” button that brought up a credential-harvesting form with a Microsoft logo and the instruction to “Login with your email provider.”

A first attempt to enter credentials is met with a reCAPTCHA challenge, which legitimate sites often use as an extra security check; here it is only set dressing, because the attackers had already captured the credentials by this point, Kay noted. If targets make a second attempt to enter credentials, a fake error message appears, after which they are redirected to the real USDOT website – “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” Kay wrote.

By registering new domains, exploiting current events, impersonating a known brand and running a credential-harvesting operation, the phishers assembled an attack sufficiently different from known campaigns to evade standard detection methods.

“Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools... Without a blemish, these sites did not look malicious,” Kay wrote.
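Two of the tactics above lend themselves to a cheap mail-gateway check: the use of ‘gov’ and ‘transportation’ as subdomain labels in front of a non-.gov base domain, and the reliance on domains too new to appear in any reputation feed. The script below is an added example written for this page, not INKY's tooling or anything from Kay's report. It uses only the Python standard library; the domain names, registration dates and sample email are constructed for the example (the WHOIS table stands in for a live RDAP lookup, and the base-domain split assumes single-label public suffixes rather than the full Public Suffix List).

```python
import re
from datetime import date
from urllib.parse import urlparse

# Labels that suggest the US Department of Transportation is being invoked.
AGENCY_LABELS = {"transportation", "usdot", "dot"}

# Constructed registration dates standing in for a WHOIS/RDAP lookup.
# The domains are invented for this example, not the campaign's real domains.
DOMAIN_REGISTERED = {
    "example-bid-portal.com": date(2021, 8, 15),
    "example-casino.info": date(2019, 3, 2),
}

NEW_DOMAIN_DAYS = 30  # anything younger than this has no reputation history


def registrable_domain(host: str) -> str:
    """Return the registrable (base) domain, e.g. 'example.com' for
    'transportation.gov.secure.example.com'.
    Assumption: single-label public suffixes (no co.uk-style suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def subdomain_labels(host: str) -> list:
    """Return the labels to the left of the registrable domain."""
    host = host.lower().rstrip(".")
    prefix = host[: -len(registrable_domain(host))].rstrip(".")
    return prefix.split(".") if prefix else []


def assess_url(url: str, today: date = date(2021, 8, 18),
               whois: dict = DOMAIN_REGISTERED) -> list:
    """Return the reasons a URL looks like a .gov impersonation (empty = clean).
    'today' defaults to the campaign window so the example is deterministic."""
    host = urlparse(url).hostname or ""
    base = registrable_domain(host)
    labels = set(subdomain_labels(host))
    is_gov = base.endswith(".gov")
    reasons = []
    # 1. 'gov' appears only as a subdomain label, e.g. transportation.gov.secure.<base>
    if "gov" in labels and not is_gov:
        reasons.append(f"'gov' is only a subdomain label; base domain is {base}")
    # 2. agency branding in the hostname while the base domain is not .gov
    if labels & AGENCY_LABELS and not is_gov:
        reasons.append(f"agency name in hostname but base domain {base} is not .gov")
    # 3. base domain registered so recently that no feed could have seen it
    registered = whois.get(base)
    if registered is not None:
        age = (today - registered).days
        if age < NEW_DOMAIN_DAYS:
            reasons.append(f"{base} registered {age} days ago")
    return reasons


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def scan_email_body(text: str, **kwargs) -> dict:
    """Map every URL found in an email body to its list of findings."""
    return {url: assess_url(url, **kwargs) for url in URL_RE.findall(text)}


# Constructed sample lure modelled on the email described in the article.
SAMPLE_EMAIL = """Subject: Invitation to Bid - USDOT Infrastructure Projects

The Department of Transportation invites your firm to submit a bid.
Click Here to Bid: https://transportation.gov.secure.example-bid-portal.com/bid
Questions: https://www.transportation.gov/contact
"""

if __name__ == "__main__":
    for url, reasons in scan_email_body(SAMPLE_EMAIL).items():
        print(url, "->", reasons or ["no findings"])
```

Run stand-alone, the lure link is flagged on all three counts while the genuine .gov contact link passes clean. The age check is the one that matters for the “never seen before” domains Kay describes: a feed-based blocklist cannot have an entry for a domain registered three days earlier, so the gateway has to ask the registry rather than a reputation service.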

Sources: INKY, Threatpost, CBS Chicago
