Phishers spoof US Labor Dept; trick victims into spilling Office credentials

A new phishing campaign impersonating the US Department of Labor asks victims to submit bids in order to steal their Office 365 credentials. Over ten different sites are impersonating the department, and the campaign has been running for at least a few months.

Researchers from email security firm INKY published a report on the attacks stating that the emails are sent from spoofed domains to give the impression that they come from the Department of Labor. In addition, the campaign uses several new look-alike domains, including these:

  • dol-gov.com
  • dol-gov.us
  • bids-dolgov.us

Most of these emails are being passed through servers owned by non-profit organisations to evade security filters. Some emails might even come from newly registered or unreported domains that haven’t made their way onto anti-phishing lists yet.
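Because newly registered look-alikes are not yet on blocklists, a mail or proxy filter can instead test each sender or link domain against the protected name. The sketch below is an added example, not code from INKY or the article; the function names, the digit folds and the `.example` sample domains are assumptions made for illustration.

```python
import re
from email.utils import parseaddr
from typing import Optional

PROTECTED = "dol.gov"  # the genuine domain the campaign imitates
# Assumed digit-for-letter folds, applied before matching.
FOLD = str.maketrans({"0": "o", "1": "l"})

def is_protected(host: str) -> bool:
    """True only for PROTECTED itself or a real subdomain of it."""
    h = host.strip().rstrip(".").lower()
    return h == PROTECTED or h.endswith("." + PROTECTED)

def lookalike_reason(host: str) -> Optional[str]:
    """Explain why `host` imitates PROTECTED; None if it does not."""
    if not host or is_protected(host):
        return None
    h = host.strip().rstrip(".").lower().translate(FOLD)
    brand_labels = PROTECTED.split(".")              # ["dol", "gov"]
    collapsed = re.sub(r"[^a-z0-9]", "", h)          # drop "." and "-"
    if "".join(brand_labels) in collapsed:
        return "brand string present once separators are removed"
    tokens = set(re.split(r"[.\-]", h))
    if set(brand_labels) <= tokens:
        return "all brand labels present as separate tokens"
    return None

def check_from_header(value: str) -> Optional[str]:
    """Apply the check to the domain of an RFC 5322 From header."""
    _, addr = parseaddr(value)
    return lookalike_reason(addr.rpartition("@")[2])

if __name__ == "__main__":
    samples = [
        "dol-gov.com", "dol-gov.us", "bids-dolgov.us",  # listed in the article
        "www.dol.gov",                                   # genuine
        "gov-bids-dol.example", "d0l-gov.example",       # constructed
        "dolphin-tours.example",                         # constructed, benign
    ]
    for s in samples:
        print(f"{s:26} {lookalike_reason(s) or 'ok'}")
    # Constructed From header using one of the article's domains.
    print(check_from_header('"Dept of Labor" <bids@dol-gov.com>'))
```

An exact spoof of dol.gov in the From header passes this check by design; that case is for SPF, DKIM and DMARC evaluation, which this sketch does not perform.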

Bid for your Office 365 credentials

The phisher sends emails pretending to be a senior DoL employee inviting the recipient to submit a bid for an ongoing government project. The email is complete with a valid letterhead, some content and a three-page PDF attachment of a bidding form.

The misleading PDF file attached to the email with the bid button | Source: INKY

Finally, the attached PDF contains a bid button on the middle page that takes the victim to one of the following bidding (phishing) sites:

Note that these are the sites that INKY has detected. There’s a chance there might be other malicious web pages out there at the moment. 

The spoofed sites contain HTML and CSS copied from the real DoL site, with the attackers also adding a pop-up with a set of instructions that walks the user through the bidding. People wanting to proceed with the bid are redirected to a login page that asks for their Office 365 credentials.

The phished login form for entering Office 365 credentials | Source: INKY

Regardless of what’s entered in the form, the site returns an error forcing users to enter their credentials again, ensuring the attackers get the right ones. Once the victims click the sign-in button for the second time after entering their credentials, they’re redirected to the actual DoL website.

Yadullah Abidi

Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018. You can contact him here: yadullahabidi@pm.me.
