Figure 1: Email Body

As seen in Figure 1, the threat actor spoofed a dol.gov From address to make the message appear authentic. The body of the email is structured to look like an RFP for “ongoing government projects.” The recipient is prompted to open a PDF attachment for information and directions for the bid invitation. A recipient who opens the attachment without realizing that this is not a legitimate government communication is presented with a PDF document that contains a link to the phishing website.
Figure 2: PDF Attachment

The PDF, shown in Figure 2, is carefully crafted to lend credence to the scam and to apply time pressure by reminding the recipient of a “10:00 A.M.” deadline. It contains a list of instructions for filling out information that will allegedly be used to apply for the bid; these instructions exist only to make the phish appear more legitimate. The “BID” button within the PDF is the threat actor's true goal: clicking it directs the recipient to a fraudulent Department of Labor site.
Figure 3: Phishing Page

The fraudulent page, Figure 3, is almost a 1:1 copy of the legitimate Department of Labor website at dol.gov. Even though it is hosted on the lookalike domain openbid-dolgov[.]us, the threat actor crafted it to be believable to the untrained eye. On reaching this page, the recipient sees a small popup that reiterates the instructions contained in the PDF. The page also contains a “Click here to bid” button that takes the recipient to the page requesting their credentials, seen in Figure 4.
Figure 4: Phishing Page

Oddly enough, the threat actor asks for either Microsoft Office 365 credentials OR business email credentials, widening the net to collect whatever the user is willing to divulge. Once the credentials are submitted, the user is redirected to a practically identical page that asks them to solve a captcha instead of signing in. A note added to the page reassures the recipient that their data will be cleared within five minutes, most likely mimicking the legitimate bidding site. A communication appearing to come from a government source may also be seen as more official, especially when the attacker is able to spoof a .gov email address. Given how carefully it is crafted, this phish can pose a threat to any email environment, even ones protected by a secure email gateway (SEG). With the help of watchful users reporting suspicious email, analysts at the PDC can quickly identify threats like this one, and enterprises can benefit from our full view of the threat. Reach out to us to learn how we can help you.
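Both tricks described above, the spoofed dol.gov From address and the lookalike link domain, leave traces that a gateway rule or an analyst can check mechanically. The Python script below is an added example, not tooling from the PDC or from the original post. It parses a constructed sample message (the Authentication-Results header, the envelope sender example.net and the recipient are assumptions made up for the demonstration; the only real indicator reused is the openbid-dolgov[.]us domain named above), flags a visible From domain that DMARC did not vouch for or that the envelope sender does not align with, and flags link hosts that borrow the dol.gov name without being dol.gov or one of its subdomains.

```python
"""Triage a suspicious email for a spoofed From domain and lookalike link
domains. Added example (not PDC/Cofense tooling); the message is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample. The Authentication-Results line is what a receiving MTA
# adds: SPF passes for the unrelated envelope domain example.net (assumed),
# so DMARC fails for the visible header.from of dol.gov.
SAMPLE_EMAIL = """\
Return-Path: <bounce@example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=dol.gov
From: "U.S. Department of Labor" <bids@dol.gov>
To: victim@example.com
Subject: RFP - ongoing government projects
Content-Type: text/plain; charset="utf-8"

Please review the attached bid invitation before the 10:00 A.M. deadline.
Submit your bid at http://openbid-dolgov.us/bid
"""

BRAND_DOMAIN = "dol.gov"  # the legitimate domain being impersonated
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def from_domain(msg):
    """Domain of the visible From: header, i.e. what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Turn 'authserv; spf=pass smtp.mailfrom=x; dmarc=fail header.from=y'
    into {'spf': {'result': 'pass', 'smtp.mailfrom': 'x'}, 'dmarc': {...}}."""
    results = {}
    for clause in value.split(";")[1:]:  # first clause is the authserv-id
        tokens = clause.split()
        if not tokens:
            continue
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def spoof_findings(msg):
    """Flag a From domain that the authentication results do not vouch for."""
    findings = []
    visible = from_domain(msg)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = auth.get("dmarc", {}).get("result", "none")
    if dmarc != "pass":
        findings.append(f"From domain {visible} failed DMARC ({dmarc})")
    envelope = auth.get("spf", {}).get("smtp.mailfrom", "").lower()
    if envelope and not (envelope == visible or envelope.endswith("." + visible)):
        findings.append(f"envelope sender {envelope} is not aligned with From domain {visible}")
    return findings


def is_lookalike(host, brand=BRAND_DOMAIN):
    """True when host borrows the brand's name but is not the brand domain.
    Legitimate: dol.gov and its subdomains. Lookalike: openbid-dolgov.us,
    dol-gov.com, dol.gov.example.org (brand used as a subdomain label)."""
    host = host.lower()
    if host == brand or host.endswith("." + brand):
        return False
    squashed = host.replace("-", "").replace(".", "")
    return brand.replace(".", "") in squashed


def extract_hosts(text):
    """Unique hostnames of every http(s) URL in the text."""
    hosts = {urlparse(u).hostname for u in URL_RE.findall(text)}
    return sorted(h.lower() for h in hosts if h)


def defang(host):
    return host.replace(".", "[.]")


def triage(raw):
    """Run both checks over a raw RFC 5322 message and return the findings."""
    msg = message_from_string(raw)
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join(p.get_payload(decode=True).decode("utf-8", "replace")
                   for p in parts if p.get_content_type() == "text/plain")
    findings = spoof_findings(msg)
    lookalikes = [defang(h) for h in extract_hosts(body) if is_lookalike(h)]
    findings.extend(f"link to lookalike domain {h}" for h in lookalikes)
    return {"from_domain": from_domain(msg), "lookalike_hosts": lookalikes,
            "findings": findings}


if __name__ == "__main__":
    for line in triage(SAMPLE_EMAIL)["findings"]:
        print("FLAG:", line)
```

The lookalike check is deliberately crude (it only catches domains that embed the brand name); the link inside the PDF attachment would additionally need the PDF's URI annotations extracted, which this example does not do. The DMARC check relies on the Authentication-Results header written by your own receiving MTA, so strip any copy of that header arriving from the outside before trusting it.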
Indicators of Compromise (IP)