This super ambitious phishing campaign impersonated the US Department of Labor
A new phishing campaign has been making the rounds online that convincingly impersonates the US Department of Labor (DoL).
Discovered by the email security company Inky, the majority of phishing attempts used in the campaign spoof sender email addresses to make them appear as if they came from no-reply@dol[.]gov.
While this is the DoL’s real email address, a small subset of email addresses were spoofed to look as if they came from no-reply@dol[.]com instead though the attackers also used other newly created look-alike domains such as dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us.
Each of the phishing emails sent as part of the campaign invite recipients to submit bids for “ongoing government projects” and claimed to be from a senior DoL employee responsible for procurement. These emails also contained a three-page PDF attachment with well-crafted DoL branding elements to make them appear more legitimate.
Submitting a bid
Recipients interested in participating in the government projects advertised in this phishing campaign were instructed to click on the “BID” button on page two of the attached PDF to access the DoL’s procurement portal. However, doing so took them to a malicious domain that impersonated the DoL.
Upon reaching the malicious domain, recipients are greeted with a set of fake instructions on how the DoL’s bidding process works. The attackers behind this campaign are quite clever though as closing the instructions takes a user to an identical copy of the real DoL website as the HTML and CSS from the real site was copied and pasted into the phishing site.
Those who clicked on the red “Click here to bid” button were then presented with a credential harvesting form with instructions to sign in and bid using Microsoft Outlook or another business email service. When one of Inky’s engineers tried to enter fake credentials, the site displayed a fake incorrect credentials error when in reality, these fake credentials had already been harvest by the attackers. The second time though, the engineer was redirected to the real DoL site to add authenticity to the campaign.
Go to Source