As we continue arming ourselves and helping companies arm themselves against modern cyber threats, cases like this one remind us that hackers still rely on the oldest tricks in the book to pull off their dirty deeds. The United States Department of Transportation was recently impersonated in a 2-day phishing scam. The DoT impersonation attack is enough of an eye-opener to make us realize we have yet to reach a stage where awareness and caution alone can guard against security threats.
So, what trick did the hackers use to pull off the attack? They dangled a big fat amount of money!
Come for the trillion dollars, get your credentials stolen instead
The promise of 1 trillion dollars in funds was used to lure in victims who were hit with phishing emails posing as the US Department of Transportation.
The phishers used a volley of tactics to avoid getting caught, including registering fake domains that resembled legitimate federal sites so as to maintain the appearance of a genuine government presence.
In mid-August, security researchers found 41 instances of phishing attacks in which the emails were tailored to promise project bids worth up to 1 trillion dollars, riding on the infrastructure package recently passed by the US Congress.
Recipients of the phishing attempts included engineering companies, energy corporations and architecture firms, all of which could plausibly be conducting business with the USDOT. The emails announced that the USDOT was inviting companies to submit a bid for a special department project. The email body included a call to action (CTA): “Click Here to Bid”.
The emails were all delivered from the domain transportationgov[.]net. This is where warning bells should have been sounding frantically: US government agencies operate under .gov domains, which are restricted to government entities and are not handed out for common use. The lack of a .gov domain should have been enough of an alert.
However, as the security researchers rightly pointed out, the phishing setup was designed so that victims would gloss over this significant detail.
Taking the victim through a labyrinth of clicks
People who clicked through from these emails were taken to a website at the following domain: transportation.gov.bidprocure.secure.akjackpot[.]com. The hackers did a good job of sprinkling in reassuring words like gov, secure and transportation, but the actual base domain is akjackpot.com. Further investigation revealed that akjackpot.com is an old domain, registered in 2009, that catered to a Malaysian casino. Either the domain was hacked, or the actual website owners were involved; which of these is the case remains to be seen.
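The two indicators above (the sender domain transportationgov[.]net and the landing host transportation.gov.bidprocure.secure.akjackpot[.]com) both fail the same simple check: they borrow official-looking words, yet the part of the name that is actually registered is not under .gov. The script below is an added example, not code from the original post or from any vendor mentioned on it. It refangs the indicators, extracts the registrable domain with a simplified last-two-labels rule (an assumption; a production check would consult the Public Suffix List so that names like example.co.uk are handled), and flags a host as suspicious when it contains lure words but is not a real .gov domain. The LURE_TOKENS list is a hypothetical starting point rather than anything the researchers published.

```python
from urllib.parse import urlparse

# Indicators quoted in the post, kept defanged as the post writes them.
SENDER_DOMAIN = "transportationgov[.]net"
LANDING_URL = "http://transportation.gov.bidprocure.secure.akjackpot[.]com/"
# A genuine USDOT host, included so the check has a benign case to contrast with.
REAL_USDOT_HOST = "www.transportation.gov"

# Hypothetical list of words a lure borrows to look official; extend for your own org.
LURE_TOKENS = {"gov", "secure", "transportation", "bid", "procure"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as example[.]com back into example.com."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def host_from(indicator: str) -> str:
    """Return the lowercase host name for either a bare domain or a full URL."""
    value = refang(indicator).strip().lower()
    if "://" in value:
        return urlparse(value).hostname or ""
    return value.split("/")[0]


def registrable_domain(host: str) -> str:
    """Simplified registrable domain: the last two labels of the host.

    Assumption: this ignores multi-label public suffixes (co.uk, com.au, ...);
    use the Public Suffix List for real deployments.
    """
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def assess(indicator: str) -> dict:
    """Judge an indicator the way an analyst should: does the host merely *look*
    governmental, and is the registrable domain *actually* under .gov?"""
    host = host_from(indicator)
    base = registrable_domain(host)
    # Everything to the left of the registrable domain is attacker-controlled decoration.
    prefix = host[: -len(base)].rstrip(".") if host != base else ""
    subdomain_labels = [label for label in prefix.split(".") if label]
    # Lure words anywhere in the host (note "transportationgov" contains "gov").
    borrowed = sorted(token for token in LURE_TOKENS if token in host)
    is_gov_tld = base.endswith(".gov")
    return {
        "host": host,
        "registrable_domain": base,
        "subdomain_labels": subdomain_labels,
        "lure_tokens": borrowed,
        "is_gov_tld": is_gov_tld,
        # Official-sounding words on a non-.gov registrable domain is the red flag.
        "suspicious": bool(borrowed) and not is_gov_tld,
    }


if __name__ == "__main__":
    for indicator in (SENDER_DOMAIN, LANDING_URL, REAL_USDOT_HOST):
        result = assess(indicator)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{verdict:10} {result['host']} -> registrable {result['registrable_domain']}, "
              f"lure words {result['lure_tokens']}")
```

Running the block prints both campaign indicators as SUSPICIOUS and the real www.transportation.gov as ok. The design point is that the verdict is driven by the registrable domain, which the attacker cannot fake, rather than by how official the full host name reads; that is the same reasoning the post asks readers to apply by eye.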
On the spam website, there is another button marked, “Bid”.
However, the website behind that button is an identical copy of the legitimate DoT website, which takes the DoT impersonation to the next level. The hackers managed this simply by inspecting the page source of the real website and copy-pasting the code.
But before clicking through, you are required to sign up with the agency’s email provider to connect to their network. Moreover, the fraudulent landing page provides contact details for a fictitious representative, at the email address firstname.lastname@example.org, in case there are any questions. Needless to say, Mike Reynolds is as real as the 1 trillion dollars.
To show off their gall, the threat actors also included a warning about how to tell true US government sites from fake ones. This was audacious, because tech-savvy victims could have been alerted that they were being duped by following the instructions on the fake website itself. It just goes to show that there is no end to hackers’ boldness.
The impostor USDOT site has yet another button, “Click here to bid”. This button takes victims to a malicious registration form complete with Microsoft’s logo. Entering credentials here delivers them straight to the hackers, and it is game over.
The form first deliberately fails the CAPTCHA test. On the second try the victim is redirected to the legitimate USDOT website, without realizing their credentials have already been harvested.
Preventing such phishing attacks
Awareness and simple diligence could’ve prevented all 41 of these phishing attempts.
The lack of a .gov domain, the unnecessary redirects, the credential-harvesting operation and the lack of any concrete data about the actual bid itself should have been enough to alert the victims in all 41 cases.
However, that’s the thing about phishing cases; they’re designed to make the victim abandon all caution.
Fortunately, we have the complete resources you need to ward off phishing attempts in your organisation.
On our eShop, we also have Cloud Email ATP, a potent tool that can automate your email security and raise red flags for such emails, so you don’t fall into any traps.