A new phishing campaign impersonating the US Department of Labor invites victims to submit bids in order to steal their Office 365 credentials. Over ten different sites are impersonating the department, and the campaign has been running for at least a few months.
Researchers from email security firm INKY published a report on the attacks stating that the emails are sent from spoofed domains, giving the impression that they come from the Department of Labor. In addition, there are several new look-alike domains, including these:
- dol-gov.com
- dol-gov.us
- bids-dolgov.us
Most of these emails are being passed through servers owned by non-profit organisations to evade security filters. Some emails might even come from newly registered or unreported domains that haven’t made their way onto anti-phishing lists yet.
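Because newly registered look-alike domains are not yet on anti-phishing lists, a naming-pattern check on sender and link hosts can act as a triage signal. The following Python is an added example, not taken from INKY's report; the token lists and the `dol.gov.example.net` sample are assumptions constructed for illustration.

```python
import re

LEGIT_DOMAIN = "dol.gov"        # real Department of Labor domain
BRAND_TOKEN = "dol"             # assumption: token lists chosen for this demo
LURE_TOKENS = ("gov", "bid")

def host_of(value):
    """Extract a lowercase hostname from an e-mail address, URL or bare host."""
    value = value.strip().lower()
    if "://" in value:
        value = value.split("://", 1)[1]
    value = value.split("/", 1)[0]             # drop path
    value = value.rsplit("@", 1)[-1]           # drop mailbox or URL userinfo
    return value.split(":", 1)[0].rstrip(".")  # drop port and trailing dot

def lookalike_reason(value):
    """Return why the host imitates dol.gov, or None if no signal fires."""
    host = host_of(value)
    if not host or host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN):
        return None                            # the real domain or a subdomain of it
    # The real name placed inside someone else's zone.
    if host.startswith(LEGIT_DOMAIN + ".") or "." + LEGIT_DOMAIN + "." in host:
        return "legitimate name embedded as subdomain"
    for label in host.split(".")[:-1]:         # every label except the TLD
        squashed = re.sub(r"[^a-z0-9]", "", label)   # "dol-gov" -> "dolgov"
        if BRAND_TOKEN in squashed and any(t in squashed for t in LURE_TOKENS):
            return "brand and lure tokens in label " + label
    return None

def triage(values):
    """Return {value: reason} for each value that looks like an impersonation."""
    hits = {}
    for v in values:
        reason = lookalike_reason(v)
        if reason:
            hits[v] = reason
    return hits

# Constructed sample input: the look-alike domains named above, the real
# domain, an unrelated sender, and one hypothetical embedded-name host.
SAMPLES = ["noreply@dol-gov.com", "dol-gov.us", "https://bids-dolgov.us/login",
           "contact@dol.gov", "https://www.dol.gov/agencies",
           "news@example.org", "dol.gov.example.net"]

if __name__ == "__main__":
    for value, reason in triage(SAMPLES).items():
        print(value, "->", reason)
```

A match is a reason to quarantine or review a message, not a verdict: substring tokens this short will also fire on unrelated names.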
Bid for your Office 365 credentials
The phisher sends emails pretending to be a senior DoL employee inviting the recipient to submit a bid for an ongoing government project. The email is complete with a valid letterhead, some content and a three-page PDF attachment of a bidding form.
Finally, the attached PDF contains a bid button on the middle page that takes the victim to one of the following bidding (phishing) sites:
Note that these are the sites that INKY has detected. There’s a chance there might be other malicious web pages out there at the moment.
The spoofed sites contain HTML and CSS copied from the real DoL site, with the attackers also adding a pop-up with a set of instructions that walks the user through the bidding. People wanting to proceed with the bid are redirected to a login page that asks for their Office 365 credentials.
Regardless of what’s entered in the form, the site returns an error, forcing users to enter their credentials again so that the attackers can be sure they capture the right ones. Once the victims click the sign-in button for the second time after entering their credentials, they’re redirected to the actual DoL website.