This super ambitious phishing campaign impersonated the US Department of Labor

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock)

A new phishing campaign has been making the rounds online that convincingly impersonates the US Department of Labor (DoL).

Discovered by the email security company Inky, the majority of phishing attempts used in the campaign spoof sender email addresses to make them appear as if they came from no-reply@dol[.]gov. 

While this is the DoL's real email address, a small subset of email addresses were spoofed to look as if they came from no-reply@dol[.]com instead though the attackers also used other newly created look-alike domains such as dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us.

Each of the phishing emails sent as part of the campaign invite recipients to submit bids for “ongoing government projects” and claimed to be from a senior DoL employee responsible for procurement. These emails also contained a three-page PDF attachment with well-crafted DoL branding elements to make them appear more legitimate.

Submitting a bid

Recipients interested in participating in the government projects advertised in this phishing campaign were instructed to click on the “BID” button on page two of the attached PDF to access the DoL's procurement portal. However, doing so took them to a malicious domain that impersonated the DoL.

Upon reaching the malicious domain, recipients are greeted with a set of fake instructions on how the DoL's bidding process works. The attackers behind this campaign are quite clever though as closing the instructions takes a user to an identical copy of the real DoL website as the HTML and CSS from the real site was copied and pasted into the phishing site.

Those who clicked on the red “Click here to bid” button were then presented with a credential harvesting form with instructions to sign in and bid using Microsoft Outlook or another business email service. When one of Inky's engineers tried to enter fake credentials, the site displayed a fake incorrect credentials error when in reality, these fake credentials had already been harvest by the attackers. The second time though, the engineer was redirected to the real DoL site to add authenticity to the campaign.

To avoid falling victim to this campaign and others like it, Inky points out that official US government domains typically end in .gov or .mil as opposed to .com or another top-level domain.

We've also featured the best endpoint protection software, best identity theft protection and the best firewall

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.