COVID-19 Benefits Phish: New Mexico Department of Labor

By Noah Mizell and Schyler Gallant, Cofense Phishing Defense Center

During the COVID-19 pandemic there have been many phishing lures promising payouts or benefits to gain credentials to websites. An example of this threat is a phish being used to collect on benefits by impersonating the New Mexico Department of Labor. The Cofense Phishing Defense Center (PDC) has observed a phishing campaign that aims to harvest New Mexico Department of Labor credentials by preying on individuals wanting to see if they are eligible for COVID-19 benefits.


Figure 1: Email Body

While the email appears to come from the New Mexico Department of Labor, the email address is for the domain showingassistant[.]com, seen in Figure 1. Looking at the email body, the email states that in New Mexico extra benefits can be paid out due to the COVID-19 pandemic. To determine if a person is eligible and, if so, how much they may receive, they are obliged to fill out an online form to be notified via letter that’s followed by a debit card in the coming weeks. The email includes a link to the form and opt-in updates from the New Mexico Department of Labor. This is probably done to boost legitimacy. As seen in Figure 1, the links do not lead to a legitimate location.
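The two checks described above (a display name that claims the agency while the sender domain does not belong to it, and links that leave the agency's domains) can be automated. This is an added example, not Cofense's tooling; the trusted-domain list is an assumption to replace with a verified one, and the `.example` hosts in the constructed sample stand in for the sender and link hosts in the report.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumption: domains the agency really uses. Replace with a verified list.
TRUSTED_DOMAINS = {"state.nm.us"}
# Display-name phrases that claim to be the agency (names taken from the report).
BRAND = re.compile(r"new mexico department of (labor|workforce solutions)", re.I)
HREF = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.I)

def is_trusted(host):
    """True only for a trusted domain or a subdomain of it (no substring tricks)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def analyze(raw):
    """Return sorted (finding, host) pairs for a message that claims the brand."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    if not BRAND.search(display):
        return []  # the message does not claim to be the agency
    findings = set()
    sender_domain = addr.rpartition("@")[2].lower()
    if not is_trusted(sender_domain):
        findings.add(("sender_mismatch", sender_domain))
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in HREF.findall(body):
            host = urlparse(url).hostname
            if not is_trusted(host):
                findings.add(("untrusted_link", host or url))
    return sorted(findings)

# Constructed sample: .example names stand in for the sender and link hosts.
SAMPLE = (
    'From: "New Mexico Department of Labor" <notices@sender.example>\n'
    'To: user@recipient.example\n'
    'Subject: COVID-19 benefits eligibility\n'
    'Content-Type: text/html; charset="utf-8"\n'
    '\n'
    '<p><a href="https://forms.example/NMDWS.htm">Online form</a></p>\n'
    '<p><a href="https://forms.example/optin">Opt in to updates</a></p>\n'
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```
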


Figure 2: Phishing Page

After clicking on the link from the email, Figure 2 shows the phishing landing page. It appears to the user as if they are on the New Mexico Department of Workforce Solutions login page. When researching the legitimate page, there are some similarities, but this spoofed page is missing some information. This page includes the username and password fields, along with a checkbox to acknowledge they have read and agreed to the terms of use before clicking on the login button.


Figure 3: Terms of Use

In Figure 3, the supposed Terms of Use can pop up for the user to read before clicking the checkbox. This message says that the system contains U.S. government information for authorized users only. This is clearly a copy of the terms from the legitimate site, an indicator that the threat actor is trying to ensure the page can be trusted by their recipient.


Figure 4: Phishing Page

After logging in with the username and password provided, Figure 4 shows that the user is now asked to complete additional fields for an email address and Social Security number, while again agreeing to the terms of use before proceeding to the system login. The addition of these fields allows the threat actors to obtain more information. Once the information is entered, the user is finally redirected to the real New Mexico Department of Labor website.

Campaigns like this are used to gain confidence via a legitimate state system. This phish was also successful at getting through secure email gateways (SEGs) and into the inbox of targets. Cofense can help mitigate these types of clever ploys. Cofense products catch and mitigate phish via products for comprehensive phishing detection and response. Contact us to learn more.

| Indicators of Compromise | IP |
| --- | --- |
| hxxps://applogin[.]nudm[.]org/vc.htm | 69[.]163[.]155[.]177 |
| hxxp://gilsewing[.]com/.well-known/mx/NMDWS[.]htm | 69[.]27[.]47[.]10 |


Cybersecurity First – It’s Everyone’s Job!

By Tonia Dudley

Cybersecurity goes beyond October

While we celebrate and bring attention to cybersecurity for the month of October, cybersecurity should always be top of mind. Now that you have your team's attention and the ability to host events, find ways to host them monthly throughout the year. Reach out to department heads to speak at their monthly or quarterly all-hands meetings and adapt the topics to address their specific risks. For instance, your finance team is high on the list of top phishing targets. Work with your security operations team to get copies of real emails relevant to their department.

Start the cybersecurity journey early with your employees or teammates. Work with your human resources team to get involved in the onboarding process. Adapt your phishing simulation program to send new hires their first campaign within the first 30 to 60 days of joining the organization.

When it comes to adding new technology or updating your business processes, find ways to incorporate security from the beginning. Work with your infosec teams to include a security engineer or security architect that can assist with ensuring you have security built in upfront, protecting your organization from potential vulnerabilities or a data breach. Making even small system configuration changes can go a long way to reduce the risk of a security incident.

As we saw earlier this year, the White House published the Executive Order on Improving the Nation’s Cybersecurity. One of the sections of this EO is focused on “Enhancing Software Supply Chain Security.” As we continue to learn more about the SolarWinds breach and the extended impacts this has on many organizations, it’s not surprising to see this focus being given to software security. If your organization hasn’t yet adopted a Secure Software Development Lifecycle that embeds security into the build process, it’s a great time to start. A great place to start with your software development team is the OWASP Top 10.