Scammers dangled the lure of receiving funds from the $1 trillion infrastructure bill and mimicked the legitimate federal site in a recent phishing scam.
An Elaborate Phishing Scam
In a two-day phishing campaign, attackers impersonated the U.S. Department of Transportation (USDOT). They combined several tactics, including registering new domains that mimic federal sites, both to look legitimate and to evade detection.
According to a report written by Roger Kay, INKY's vice president of security strategy, researchers detected 41 phishing emails between Aug. 16 and 18. The lure was an invitation to bid on projects funded by the $1 trillion infrastructure package recently passed by Congress.
The malicious campaign targeted companies that would likely work with the USDOT, from industries such as engineering, energy, and architecture. The initial phishing email told the recipient that the U.S. Department of Transportation invited them to place a bid for a department project by clicking a “Click Here to Bid” big blue button.
The emails were sent from a domain called transportationgov[.]net, which was registered through Amazon's registrar service on Aug. 16, Kay noted. The WHOIS creation date indicates that the domain was brought into existence specifically for this phishing campaign.
The domain would raise red flags to anyone familiar with government websites, as they typically have a .gov suffix. However, “to someone reading through quickly, the domain name might seem at least somewhere in the ballpark of reality,” Kay observed.
Deceiving Unsuspecting Targets
Once targets take the bait and click, they land on a site, transportation.gov.bidprocure.secure.akjackpot[.]com, “with reassuring-sounding subdomains like ‘transportation,’ ‘gov,’ and ‘secure,’” Kay wrote. However, the base domain of the site, akjackpot[.]com, was actually registered in 2019 and “hosts what may or may not be an online casino that appears to cater to Malaysians,” he wrote.
“Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT,” Kay added.
On the fake bidding website, targets were asked to click a button labeled "Bid," to sign in with their email provider to connect to "the network," and to contact "mike.reynolds@transportationgov[.]us" if they had any questions. That address used transportationgov[.]us, another newly created domain registered by the phishers.
When the victim closed the instructions, they were directed to an identical replica of the legitimate website for USDOT. The scammers simply copied HTML and CSS from the real site and pasted it into the phishing site.
In an ironic twist, the phishers also copied and pasted in a real warning about how to verify actual U.S. government sites. The victim might have noticed that something was up if they had realized that the phishing site domain ended in .com rather than .gov or .mil.
Then, targets were invited to click a red "Click Here to Bid" button that opened a credential-stealing form with a Microsoft logo and instructions to "Login with your email provider." The first attempt to enter a username and password was met with a reCAPTCHA, a control legitimate sites often use for extra security. By that point, however, the form had already been submitted, so the attackers had already captured the credentials, Kay said.
If the target makes a second attempt to enter their credentials, a fake error message is displayed, and they are directed to the real USDOT site – “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” Kay wrote.
According to Kay, the threat actors behind this elaborate campaign did not rely on any single new phishing trick; rather, they combined familiar tactics in a way that got the malicious emails past secure email gateways.
“By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential-harvesting operation, the phishers came up with an attack just different enough from known strikes to evade standard detection methods,” he added.
Using freshly created domains, in particular, allowed the phishing emails to pass standard email authentication checks (SPF, DKIM, and DMARC), he noted. Those checks only verify that a message genuinely came from the domain it claims to come from; a domain the attacker owns and configures passes them, which says nothing about whether the domain is trustworthy.
“Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools,” Kay wrote. “Without a blemish, these sites did not look malicious.”
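The two signals the report leans on, government-looking labels dressed around a non-.gov registrable domain (the transportationgov[.]net and transportation.gov.bidprocure.secure.akjackpot[.]com hosts above) and domains registered days before they were used, can be turned into simple triage checks. The following is an added example, not INKY's tooling or code from the article. The hostnames are the ones quoted in the article; the WHOIS creation dates are constructed (the article gives Aug. 16 for transportationgov[.]net and only "2019" for akjackpot[.]com), the BRAND_WORDS list is an assumed watchlist, and the registrable-domain helper assumes two-label TLDs such as .com, .net and .us.

```python
"""Triage helpers for two phishing signals: hostnames that plant government-
looking labels in front of a non-.gov domain, and domains registered shortly
before use. Added example for this article; not INKY's tooling. Sample WHOIS
dates and the BRAND_WORDS watchlist are constructed/assumed."""
from __future__ import annotations

from datetime import date
from urllib.parse import urlsplit

TRUSTED_TLDS = {"gov", "mil"}  # the TLDs the real USDOT warning banner names
# Assumed watchlist of words an impersonator is likely to plant in subdomain labels.
BRAND_WORDS = {"transportation", "usdot", "dot", "secure", "bidprocure", "bid"}
SEEN_ON = date(2021, 8, 17)  # observation date used by the demo (constructed)

# Constructed WHOIS creation dates for the indicators in the article.
WHOIS_CREATED = {
    "transportationgov.net": date(2021, 8, 16),  # date given in the article
    "transportationgov.us": date(2021, 8, 16),   # assumed: article says "newly created"
    "akjackpot.com": date(2019, 1, 1),           # placeholder: article says only 2019
}


def refang(indicator: str) -> str:
    """Turn defanged indicators like 'example[.]com' or 'hxxp://' back into parseable form."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


def host_of(indicator: str) -> str:
    """Accept a bare hostname or a full URL; return the lowercase hostname."""
    text = refang(indicator)
    if "://" not in text:
        text = "http://" + text  # urlsplit only finds the netloc after a scheme
    return (urlsplit(text).hostname or "").lower().rstrip(".")


def registrable_domain(indicator: str) -> str:
    """Last two labels of the host. Right for .com/.net/.us; a production tool
    should consult the Public Suffix List for second-level ccTLDs like .co.uk."""
    labels = host_of(indicator).split(".")
    return ".".join(labels[-2:])


def lookalike_findings(indicator: str) -> list[str]:
    """Reasons a hostname looks like a .gov impersonation; empty list if none."""
    labels = host_of(indicator).split(".")
    tld = labels[-1]
    if tld in TRUSTED_TLDS:
        return []  # genuinely under .gov/.mil
    findings: list[str] = []
    # 'gov' planted as a subdomain label: transportation.gov.bidprocure.secure.akjackpot.com
    if "gov" in labels[:-1]:
        findings.append("'gov' appears as a subdomain label instead of the top-level domain")
    # 'gov' fused onto another word inside one label: transportationgov.net
    for label in labels[:-1]:
        if label != "gov" and "gov" in label:
            findings.append(f"label {label!r} embeds 'gov' in a longer word")
    # agency or trust words anywhere left of the registrable domain
    planted = [label for label in labels[:-2] if label in BRAND_WORDS]
    if planted:
        findings.append("trust-building subdomain labels: " + ", ".join(planted))
    if findings:
        findings.insert(0, f"top-level domain is .{tld}, not .gov or .mil")
    return findings


def is_freshly_registered(created: date, observed: date, max_age_days: int = 30) -> bool:
    """True if the domain was registered within max_age_days of being observed.
    A domain can pass SPF, DKIM and DMARC on its first day of life, so an
    authentication pass says nothing about age or reputation."""
    return 0 <= (observed - created).days <= max_age_days


def triage(indicator: str, observed: date) -> dict:
    """Combine both checks for one indicator."""
    domain = registrable_domain(indicator)
    created = WHOIS_CREATED.get(domain)
    return {
        "host": host_of(indicator),
        "registrable_domain": domain,
        "lookalike": lookalike_findings(indicator),
        "fresh": created is not None and is_freshly_registered(created, observed),
    }


if __name__ == "__main__":
    for ioc in ("transportationgov[.]net",
                "transportation.gov.bidprocure.secure.akjackpot[.]com",
                "https://www.transportation.gov/"):
        print(triage(ioc, SEEN_ON))
```

Neither heuristic is proof of malice on its own: the lookalike check only reports when a non-.gov host also carries government-style labels, so ordinary .com hosts produce no findings, and the age check deliberately treats a clean SPF/DKIM/DMARC result as irrelevant, since the attacker controlled both new domains and could have configured all three.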