A new phishing campaign impersonates the US Department of Labor (DoL) and asks recipients to submit job bids in an attempt to steal Office 365 credentials.
The campaign has been around for a couple of months. It uses over 10 phishing sites to trick victims into providing personal information.
In a new report, researchers from email security firm INKY explained how the phishing attack works.
Most of the emails from this campaign are sent from spoofed domains that appear to belong to the Department of Labor. Others are sent from newly registered domains that have not yet been reported and so do not appear on any anti-phishing blocklist; mail from such domains can slip past reputation-based email security filters.
The sender claims to be a senior DoL employee inviting the recipient to submit a bid for a government project. The emails are well designed, complete with a valid-looking letterhead, professionally arranged content, and a three-page PDF attachment.
The PDF has a “BID” button, which takes the victim to one of the campaign's lookalike phishing sites.
The spoofed site looks convincing, especially since it uses the same HTML and CSS as the real one. It also shows a pop-up message that instructs victims on how to submit their bid.
After filling out a credential-harvesting form that asks for a Microsoft Office 365 email address and password and clicking the “Submit bid” button, the victim receives a bogus error message prompting them to enter their Office 365 credentials again. This second prompt is there so the attackers do not end up with a mistyped password. Once the victim submits their bid for the second time, they are redirected to a legitimate DoL site. End of story.
Unfortunately, most of the recipients have no idea that a phishing campaign is targeting them. One subtle tell is that a supposed DoL site demands the recipient's Office 365 login to submit a bid.
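As an added illustration (not code from INKY or the report), a small check that a mail filter or analyst script could run over links pulled from an email body or PDF text: it flags hosts whose registrable name is assembled from the tokens this campaign's domains were built from (“dol” combined with “bid”, “gov”, “us”, “open”) while letting the real dol.gov and unrelated words such as “idol” through. The token set, the naive two-label registrable-domain cut, and the sample links are assumptions for illustration.

```python
"""Flag Department-of-Labor lookalike domains in links from an email or PDF."""
import re
from functools import lru_cache
from urllib.parse import urlparse

LEGIT = "dol.gov"
# Building blocks the lookalike domains are assembled from (assumption).
TOKENS = ("dol", "bid", "bids", "gov", "us", "open")
URL_RE = re.compile(r"""https?://[^\s"'<>)]+""", re.I)


@lru_cache(maxsize=None)
def segments(label: str):
    """Split `label` entirely into TOKENS (with backtracking) or return None,
    so 'idol' and 'dollar' are not flagged while 'usdol' and 'dolbids' are."""
    if not label:
        return ()
    for tok in TOKENS:
        if label.startswith(tok):
            rest = segments(label[len(tok):])
            if rest is not None:
                return (tok,) + rest
    return None


def is_lookalike(host: str) -> bool:
    host = host.lower().rstrip(".")
    if host == LEGIT or host.endswith("." + LEGIT):
        return False
    # Naive registrable name: second-to-last label (no public-suffix list,
    # so 'example.co.uk' would be mis-cut; acceptable for this brand check).
    name = host.split(".")[-2] if "." in host else host
    parts = [segments(p) for p in name.split("-")]
    if any(p is None for p in parts):
        return False
    return any("dol" in p for p in parts)


def suspicious_links(text: str) -> list:
    """Refang 'hxxp' / '[.]' notation, extract URLs, return lookalike hosts."""
    refanged = text.replace("[.]", ".").replace("hxxp", "http")
    return [h for h in (urlparse(u).hostname or "" for u in URL_RE.findall(refanged))
            if is_lookalike(h)]


# Constructed sample, not a real campaign email: one legitimate link,
# two defanged lookalikes, and one unrelated host that must not be flagged.
SAMPLE = """Please review the solicitation at https://www.dol.gov/agencies/oasam
Submit your bid: hxxps://dolbids-gov[.]example/bid
Questions: hxxps://usdol-open[.]example/contact
Unrelated: https://idol.example/news"""

if __name__ == "__main__":
    print(suspicious_links(SAMPLE))
```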
Utmost vigilance is advised when handling unsolicited correspondence.