Phishers aim to get Office 365 credentials by impersonating the US DoT

The phishing campaign uncovered: companies possibly working with the US Department of Transportation targeted

Research detected 41 emails attempting to impersonate the US DoT. The phishing campaign reveals new methods and patterns that help attackers evade detection.

The two-day phishing attack combined two techniques: creating new domains that impersonate federal sites and evading email malware detection.[1] The malicious emails targeted companies in the engineering, energy, and architecture industries and encouraged them to submit bids for federal contracts. The emails surfaced on August 16-18, a week after reports that the US Senate had passed the $1 trillion infrastructure bill.[2]

Research published this week[3] shows that the attackers aimed to harvest Microsoft Office 365 credentials. At least 41 emails carrying the lure were detected. Roger Kay, vice president of security strategy at INKY, stated in his report:

The basic pitch was, with a trillion dollars of government money flowing through the system, you, dear target, are being invited to bid for some of this bounty.

Though most of the companies targeted by these emails were not infrastructure contractors, and the emails did not succeed against them, some of the recipients were. That means some receivers of such emails may find the offer plausible. There are no reports on this particular outcome, but the attack showed new malicious techniques beyond brand impersonation and phishing.[4]

Attack represents a new pattern

Phishers created new domains, exploited current events, and impersonated a known name to launch this credential-stealing campaign. Standard detection methods that would normally stop such infections were not helpful because of the new attack model, which mixed known techniques with a new method.

Attackers sent their emails from a domain that had gov in its name rather than as its suffix. Legitimate government emails and domains end in .gov, not in a plain .net. A recipient skimming the sender address might notice the gov in there but not its placement or meaning. The domain was registered and the attacks started on the same day, so the hackers decided not to wait before launching the campaign.

The email invited the recipient to submit a bid for the project by clicking the active “CLICK HERE TO BID” button in the email itself. The redirection site[.]com is what appears after doing so. Some links to other sites registered in Malaysia may indicate a connection between these phishers and other suspicious site owners.

The redirect chain ends with a form where the recipient is asked to sign in to finalize the bid. Once the person enters their Microsoft login credentials into the malicious form, a reCAPTCHA challenge is displayed while the credentials have already been collected and sent to the attackers. A fake message appears, and then the real US DOT site loads in the browser.[5]

Phishers managed to pass the standard email authentication

Creating new domains helped bypass the authentication systems. The pages had never been detected, never appeared in any threat intelligence feed, and no anti-phishing tool or other malware detection system found anything wrong with them. The impersonation site was easily concealed since the victim was immediately shown the instruction form.

The campaign relied on redirects and additional layers, so the real US Department of Transportation site appeared only after the credential harvesting. An error message saying the login had failed concealed the fact that people had entered their information at all.

This last move, dumping victims on a real site, is an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence. In the con business, this moment is called the 'blow-off' and refers to the time after the perpetrator has obtained what they were after, but before the mark realizes that they've been duped.

There are some pointers that organizations and users should take from this. Government domains end in .gov or .mil, not the usual .com or .net. The U.S. government does not send unsolicited emails to companies regarding projects. There is no need to log in to Microsoft or any other email or social media account to read an email or open a particular file. WHOIS lookup forms also allow checking a newly registered domain if anything seems suspicious. Overall, being suspicious and cautious online is a good habit.
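The two checks the article points at, the misplaced "gov" in the sender's domain and the domain's registration age, can be turned into a mail-filter heuristic. The following is an added example written for this page, not code from the article or from INKY. The sender addresses, domain names and WHOIS creation dates below are constructed placeholders (the campaign's own indicators are not reproduced), and the lookup table stands in for a real registration-data query.

```python
"""Heuristics for the lookalike-government-domain pattern described above.

Added example, not code from the original article or from INKY. It flags
sender domains that carry "gov" inside the name instead of as the .gov/.mil
suffix, and treats a domain registered within a week of the sending date as
high-risk. All sample addresses, domains and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr
import re

GOVERNMENT_TLDS = ("gov", "mil")


@dataclass
class Verdict:
    domain: str
    reasons: list


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def looks_like_fake_gov(domain: str) -> bool:
    """True when 'gov' appears inside the name but the TLD is not .gov/.mil.

    'agency-gov.example' is flagged; 'agency.gov' is not (both placeholders).
    """
    labels = domain.split(".")
    if len(labels) < 2:
        return False
    tld = labels[-1]
    if tld in GOVERNMENT_TLDS:
        return False
    name_part = ".".join(labels[:-1])
    return re.search(r"gov", name_part) is not None


def assess(from_header: str, sent: date, registered: dict) -> Verdict:
    """Combine the TLD check with domain age from a WHOIS-style lookup table."""
    domain = sender_domain(from_header)
    reasons = []
    if looks_like_fake_gov(domain):
        reasons.append("gov in domain name but TLD is not .gov/.mil")
    created = registered.get(domain)
    if created is None:
        reasons.append("no registration record available")
    else:
        age = (sent - created).days
        if age <= 7:
            reasons.append(f"domain registered {age} day(s) before sending")
    return Verdict(domain, reasons)


# Constructed WHOIS-style creation dates. A real deployment would query a
# registration-data service instead of this dict.
WHOIS_CREATED = {
    "agency-gov.example": date(2021, 8, 16),
    "agency.gov": date(1995, 1, 1),
}

# Constructed From: headers paired with the day the message arrived.
SAMPLE_FROM = [
    ("Federal Procurement Office <bids@agency-gov.example>", date(2021, 8, 16)),
    ("Federal Procurement Office <noreply@agency.gov>", date(2021, 8, 16)),
]


def run_samples() -> list:
    """Assess every constructed sample and return the verdicts."""
    return [assess(hdr, sent, WHOIS_CREATED) for hdr, sent in SAMPLE_FROM]


if __name__ == "__main__":
    for verdict in run_samples():
        status = "SUSPICIOUS" if verdict.reasons else "ok"
        print(f"{verdict.domain}: {status} {verdict.reasons}")
```

The substring test is deliberately coarse: a legitimate domain such as a contractor's "governance" site would also trip it, so the verdict is meant to route a message for review rather than block it outright. The age check is what catches the same-day registration the article describes, and it only works if the filter has access to registration data; where none is available the code says so instead of silently passing the message.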

About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
