By: Cofense Intelligence
Threat actors are running a series of campaigns spoofing several departments of the United States government. The emails claim to request bids for government projects but lead victims to credential phishing pages instead. These campaigns have been ongoing since at least mid-2019 and were first covered in our Flash Alert in July 2019. These advanced campaigns are well crafted, have been seen in environments protected by secure email gateways (SEGs), are very convincing, and appear to be targeted. They have evolved over time by improving the email contents, the PDF contents, and the appearance and behavior of the credential phishing pages.
Email Contents: More Convincing, More Evasive
PDF Contents: Lures Appear More Authentic
PDFs attached to these emails have changed over time. Within recent emails, the first page (seen in Figure 2) is typically the logo of the spoofed government department with additional information about the bid. The second page (shown in Figure 3) typically contains information about the process and will lure victims into clicking the link. In older versions, the PDFs were usually 1 or 3 pages. They contained more technical information about the bidding process, a signature of the spoofed sender, and a watermark of the spoofed department.
Credential Phishing Page: Improved “Login” Process
In each case, the initial page of the phish is a copy of the home page of the spoofed department with the addition of a single red button encouraging victims to click it in order to bid. In cases spoofing the Department of Labor, the spoofed page (Figure 6) is a near duplicate of the legitimate DoL page (Figure 5) from about a year ago, but shows the added button. When victims click the link, they are taken to a different page on the same malicious domain (Figure 7), or in the case of some of the older pages, a popup window showing a page still on the same domain. The use of HTTPS ensures that a green padlock will appear, further giving the page a sense of
legitimacy. The domains used for the phishing pages and for the links embedded in the PDF are specifically chosen to emulate government-bid-related themes. Therefore, they often include the department spoofed (such as dol) and “bid”. In addition to the URL seen in Figure 5, there were also URLs including .gov in the subdomain such as transportation[.]gov[.]bidprocure[.]secure[.]akjackpot[.]com, which has a purposefully long subdomain that could make only the part of the URL with .gov in it appear in the URL bar in smaller browser windows.
Results of The Campaign
These campaigns are convincing from start to finish and make use of preexisting data copied from legitimate sources in order to mislead victims. The consistent impersonation of a United States federal department is carried out each time with updated information including watermarks on PDFs and information on the credential phishing pages. The only place where the threat actors fall slightly behind is their spoofed pages can be out of date, which will likely go unnoticed by most victims. Given the advancements seen in each area of the phishing chain, it is likely the threat actors behind these campaigns will continue to innovate and improve upon their already believable campaigns. The first step towards defending against these kinds of attacks is ensuring that employees do not click malicious links. The next step is ensuring that employees realize this applies to attachments just as much as it does to links directly embedded in emails. Training employees to be suspicious of emails and carefully examine both links and sender information can also help here. An observant employee might notice that sometimes the sending email address, such as Figure 1, is not in fact a .gov address, and the embedded links are not in fact .gov domains. Cofense Intelligence will continue to track these campaigns and provide up to date IOCs and rules allowing customers to track and predict similar campaigns. In fact, Cofense Intelligence recently posted about a campaign which used similarly advanced emails and copies of legitimate websites with an embedded “click to bid” link.
To download this report, click here.