Dept. of Labor Phish Appears for the Month of December

By Alex Geoghagan, Cofense Phishing Defense Center

Impersonating a government entity is a relatively common tactic for threat actors. Through this impersonation, a threat actor seeks to gain trust or authority in an interaction with a potential victim. Recently, the Cofense Phishing Defense Center (PDC) analyzed a phishing campaign that impersonates the United States Department of Labor. In this specific campaign, the threat actor also adds a financial incentive with the lure of an “INVITATION FOR BID” through the Department of Labor.


Figure 1: Email Body

As seen in Figure 1, the threat actor was able to spoof the dol.gov From address to increase the level of authenticity. The body of the email is structured to look like an RFP for “ongoing government projects.” The recipient is prompted to open a PDF attachment for information and directions for the bid invitation. A recipient who opens the attachment without realizing that this is not a legitimate government communication will be presented with a PDF document that contains a link to the phishing website.


Figure 2: PDF Attachment

The PDF, shown in Figure 2, is carefully crafted to lend credence to the scam, as well as to apply pressure with time sensitivity by reminding the recipient of a “10:00 A.M.” deadline. It contains a list of instructions for filling out information that will allegedly be used to apply for the bid; however, this is done simply to make the phish appear more legitimate. The “BID” button contained within the PDF is the true goal of the threat actor, as clicking on it will direct the recipient to a fraudulent Department of Labor site.


Figure 3: Phishing Page

The fraudulent page, Figure 3, is almost a 1:1 copy of the legitimate Department of Labor website at dol.gov. Even with the lookalike domain, openbid-dolgov[.]us, the threat actor crafted it to be believable to the untrained eye. Upon reaching this page, a small popup reiterates the instructions contained in the PDF. This page also contains a “Click here to bid” button that takes the recipient to the phishing page requesting their credentials, as seen in Figure 4.

Figure 4: Phishing Page

Oddly enough, the threat actor specifically asks for either the recipient’s Microsoft Office 365 credentials OR their business email credentials, widening the net to collect anything the user might be willing to divulge. Once the credentials are submitted, the user is redirected to practically the same page, but this time it asks the user to solve a CAPTCHA instead of signing in. An interesting touch is a note on the page reassuring the recipient that their data will be cleared within five minutes, most likely mimicking the legitimate bidding site.

A communication appearing to come from a government source may also be seen as more official, especially if the attacker is able to spoof a .gov email address. With how carefully crafted it is, this phish can pose a threat to any email environment, even ones protected by a secure email gateway (SEG). With the help of watchful users reporting suspicious email, analysts at the PDC can quickly identify threats like this one, and enterprises can benefit from our entire view of the threat. Reach out to us to learn how we can help you.

Indicators of Compromise        IP
hXXps://openbid-dolgov[.]us     199.231.162.106

All third-party trademarks referenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of their respective holders, and use of these trademarks in no way indicates any relationship between Cofense and the holders of the trademarks. Any observations contained in this blog regarding circumvention of end point protections are based on observations at a point in time based on a specific set of system configurations. Subsequent updates or different configurations may be effective at stopping these or similar threats. Past performance is not indicative of future results.

The Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos displayed on this blog are registered trademarks or trademarks of Cofense Inc.

Phishing Campaign Leverages Covid-Induced Adjustments to Banking Practices

By Abhiram Jayakumar, Cofense Phishing Defense Center

For many months now, COVID-themed phishing emails have convinced users to relinquish valuable credentials. Phish impersonating major banking firms have been around for quite some time, but they are always evolving. The Cofense Phishing Defense Center (PDC) has observed a recent phishing campaign focused on harvesting credentials for New Zealand’s ASB bank via COVID-themed lures. The pandemic is affecting the lives of everyone in the world, and threat actors are attempting to hook their targets by relying on changes in banking practices related to the pandemic.


Figure 1: Email Body

As seen in Figure 1, the first flaw evident in this phish is that the email is obviously not from an official ASB address. The body of the email seems somewhat legitimate at first glance, with a convincing email signature and an apparent reference ID. The most telling sign that this email is a phish is how oddly the link within the body is formatted. The email prompts the user to click on the URL so they can update the so-called COVID “Code of Banking Practices.” Hovering over the link reveals the embedded malicious URL with the domain cleusbmontreal[.]ca.
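The hover check described above can be automated for mail triage: parse the anchors in an HTML body and flag any whose real target is outside the brand's domain, or whose visible text claims a different host than the href. This is an added example, not Cofense's tooling; the sample body is constructed to resemble the campaign, with the lookalike host written undefanged so it parses, and the brand domain asb.co.nz assumed as ASB's legitimate domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the campaign (not the real message). Link 1
# reads like a banking notice but points at the lookalike host, link 2 is a
# genuine-looking ASB link, link 3 shows a brand URL as text but targets the lookalike.
SAMPLE_BODY = """
<p>Please review the updated <a href="https://cleusbmontreal.ca/asb/update">
Code of Banking Practices</a> before your next login. Help is available at
<a href="https://www.asb.co.nz/help">asb.co.nz/help</a> or via
<a href="https://cleusbmontreal.ca/asb/login">https://www.asb.co.nz/login</a>.
Reference ID: ASB-7A19</p>
"""

class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def host_of(url):
    """Lower-cased hostname; bare domains in link text are treated as https URLs."""
    return (urlparse(url if "://" in url else "https://" + url).hostname or "").lower()

def is_brand_host(host, brand):
    return host == brand or host.endswith("." + brand)

def suspicious_links(html, brand):
    """Return (href_host, reason) for every link that does not belong to the brand."""
    parser = AnchorCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        # Visible text that looks like a bare domain or URL is a claimed destination.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if not is_brand_host(href_host, brand) and text_host and text_host != href_host:
            findings.append((href_host, "display text claims " + text_host))
        elif not is_brand_host(href_host, brand):
            findings.append((href_host, "host outside " + brand))
    return findings
```

Links whose href host is a subdomain of the brand (www.asb.co.nz) pass, so only the lookalike host is reported.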


Figure 2: Phishing Page

Upon clicking the link, the user is directed to the webpage in Figure 2. It’s a near-exact replica of the legitimate ASB login page. All the icons, with the exception of the login button, redirect to legitimate ASB webpages. This is a simple – but often effective – trick implemented by the threat actor to make the page hold up to casual inspection.


Figure 3: OTP Page

Once the login button is clicked, the target is taken to the page shown in Figure 3, where they are prompted for a one-time password (OTP). The threat actor may have tools to use this information automatically in real time. It is also possible that the OTP the user receives is triggered by the attacker’s tools initiating a legitimate transaction with the credentials just harvested through the malicious webpage. Once the target provides their credentials and OTP, they are redirected to the authentic ASB home page.

This is another example of attackers leveraging COVID and a well-designed phishing page to launch a dangerous campaign, one that found its way into inboxes under secure email gateway (SEG) protection. Cofense, and well-conditioned users, contained what standard security controls couldn’t. Contact us to learn how we can help to better protect your organization.

Indicators of Compromise                                                                    IP
hxxps://cleusbmontreal[.]ca                                                                 104[.]21[.]46[.]246
hxxps://conz-aso-7725[.]heavy[.]jp                                                          118[.]27[.]125[.]223
hxxps://photos[.]azyya[.]com/.co.nz/.respond[.]abs[.]co[.]nz-NZ70194135/auth[.]php          95[.]216[.]33[.]120
