A new phishing campaign (opens in new tab) has been making the rounds online that convincingly impersonates the US Department of Labor (DoL).
Discovered by the email security company Inky (opens in new tab), the majority of phishing attempts used in the campaign spoof sender email addresses to make them appear as if they came from no-reply@dol[.]gov.
While this is the DoL's real email address, a small subset of email addresses were spoofed to look as if they came from no-reply@dol[.]com instead though the attackers also used other newly created look-alike domains (opens in new tab) such as dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us.
Each of the phishing emails sent as part of the campaign invite recipients to submit bids for “ongoing government projects” and claimed to be from a senior DoL employee responsible for procurement. These emails also contained a three-page PDF attachment with well-crafted DoL branding elements to make them appear more legitimate.
Submitting a bid
Recipients interested in participating in the government projects advertised in this phishing campaign were instructed to click on the “BID” button on page two of the attached PDF (opens in new tab) to access the DoL's procurement portal. However, doing so took them to a malicious domain that impersonated the DoL.
Upon reaching the malicious domain, recipients are greeted with a set of fake instructions on how the DoL's bidding process works. The attackers behind this campaign are quite clever though as closing the instructions takes a user to an identical copy of the real DoL website as the HTML and CSS from the real site was copied and pasted into the phishing site.
Those who clicked on the red “Click here to bid” button were then presented with a credential harvesting (opens in new tab) form with instructions to sign in and bid using Microsoft Outlook (opens in new tab) or another business email service (opens in new tab). When one of Inky's engineers tried to enter fake credentials, the site displayed a fake incorrect credentials error when in reality, these fake credentials had already been harvest by the attackers. The second time though, the engineer was redirected to the real DoL site to add authenticity to the campaign.
To avoid falling victim to this campaign and others like it, Inky points out that official US government domains (opens in new tab) typically end in .gov or .mil as opposed to .com or another top-level domain (opens in new tab).
We've also featured the best endpoint protection software (opens in new tab), best identity theft protection (opens in new tab) and the best firewall (opens in new tab)