Online Bidding-Themed Phishing Campaigns Aim to Trick U.S. Federal Government Contractors
On February 23, 2019, Anomali Labs found a suspicious-looking subdomain transportation[.]gov[.]bidsync[.]kela[.]pw containing the legitimate domain transportation.gov for the U.S. Department of Transportation (DOT). When users visit the domain in their web browsers, they are redirected to a phishing site located at <hxxps://transportation[.]gov[.]qq-1[.]pw/V1/> that is designed to appear as a DOT eProcurement portal. However, the site contains at least three components dissimilar to the legitimate DOT homepage:
- A pop-up window titled “Invitation for Bid” in which the DOT purportedly seeks quotations from qualified contractors (RFQ) for ongoing government projects, with a due date of February 25, 2019 and BID numbers 0045620 and 0041378. It also instructs interested parties to email the acting manager Leonardo San Roman (email: leonardo.sanroman{at}dot-gov[.]us). A review of the DOT website confirmed Mr. San Roman is a DOT employee working as the Acting Manager for the DOT Office of Small and Disadvantaged Business Utilization’s Procurement Assistance Division; however, legitimate DOT emails end in @dot.gov (See Figure 1).
- A red box in the middle of the screen titled “Click here to bid” that redirects users to a faux login page to harvest their email address and password (See Figure 2).
- A slider box in the middle of the page with faux content announcing the Invitation to Bid and several pages with false contact details and information (See Figure 3).
Figure 1. Fake landing page for U.S. Department of Transportation eProcurement Portal
Figure 2. Pop-up window requesting login credentials
Figure 3. Consolidated content from slider box on faux U.S. Department of Transportation online bidding-themed phishing site
Indicator Expansion
The server hosting the phishing site transportation[.]gov[.]qq-1[.]pw had a self-signed TLS certificate (SN: 0326F75810AC41651CC5EBC6006D7F64F7B0) installed, issued by Let’s Encrypt, a free certificate provider, with a validity period of three months starting on February 21, 2019 and ending on May 22, 2019. This may indicate that the phishing campaign has been active since on or around February 21. At the time of this report, the server resolved to a shared IP address 107.180.54[.]250 (AS26496 – GoDaddy) located in the United States that also hosts numerous other suspicious and malicious sites. A particular site of interest, dol[.]gov[.]qq-1[.]pw, used the domain name dol.gov in its naming convention; dol.gov is the U.S. Department of Labor’s parent domain and main website.
U.S. Department of Labor Phishing Campaign
When navigating to the fraudulent hostname dol[.]gov[.]qq-1[.]pw, users are presented with a spoofed DOL page located at <hxxps://dol[.]gov[.]qq-1[.]pw/V1/>. The spoofed site is a cloned version of the DOL main page with one additional feature: a red highlighted box with the words “Click here to bid”, located in the middle of the site (See Figure 4). Once users click to bid on the contract, a pop-up login page appears that requests the potential victim’s email address and password (See Figure 5). Once the victim has entered their credentials, they are presented with the error message “Please Try again, Sign in with your correct email” (See Figure 6).
Figure 4. Fake landing page for U.S. Department of Labor
Figure 5. Pop-up window requesting login credentials
Figure 6. Error message displayed once entering user credentials
A Closer Look at Domain Name dot-gov[.]us
The domain dot-gov[.]us was registered on December 7, 2018 with Registrar Namecheap to a suspected cybersquatter from Grover, Pennsylvania named David Paris, who uses the email address davuchi001{at}gmail[.]com. Of note, this domain has changed ownership multiple times since being originally created on June 13, 2013. A reverse Whois lookup of this registrant name and email address uncovered a combined total of 133 related domains. An intriguing finding: while reviewing these domains, we identified at least seven sites targeting multiple agencies of the U.S. Federal Government and four state governments.
Suspicious Domain | Spoofed Legitimate Site | Spoofed Government Agency |
---|---|---|
gov[.]us | usa.gov | Federal Government of the United States |
virginiagov[.]us | virginia.gov | State of Virginia |
tngov[.]us | tn.gov | State of Tennessee |
mncppc-org[.]us | mncppc.org | Maryland-National Capital Park and Planning Commission (M-NCPPC) |
montgomeryparks-org[.]us | montgomeryparks.org | Montgomery (Maryland) County Department of Parks |
idoa-gov[.]us | www.in.gov/idoa/ | Indiana Department of Administration |
in-gov[.]us | in.gov | State of Indiana |
Table 1. Suspicious-looking domains mimicking agencies from the U.S. federal government and four U.S. state governments
Defending Against Online Bidding Schemes
- Be wary of unsolicited communications purporting to come from a federal government agency. Do not click embedded hyperlinks that claim to lead to a website for submitting a contract bid, and do not download file attachments from an untrusted source, as the hyperlink or file is most likely malicious.
- Do not blindly trust the padlock icon at the top left of the website address bar, as threat actors can easily obtain a free TLS/SSL certificate to make the site appear to come from a trusted source.
- Inspect the website address to ensure that it is indeed from the legitimate government agency and not a fraudulent actor concealing their presence by using the legitimate agency’s domain name as a subdomain of a malicious site.
- When in doubt, directly contact the contract representative of the government agency to confirm the legitimate website prior to submitting the necessary paperwork. Reminder: do not use the contact details provided in unsolicited messages, as they are most likely fraudulent.
- All levels of government should invest in a domain monitoring service that can detect and alert on domains and subdomains mimicking their agencies. Once discovered, the government agency’s security personnel should work on taking down the offending domains and websites to prevent their employees, citizens, and third parties from becoming victims of a social engineering attack.
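The address-inspection and domain-monitoring advice above can be turned into a simple triage check. The following is an added example, not code from the Anomali report: it flags hostnames that embed a monitored agency domain as a subdomain of some other registrable domain (the transportation[.]gov[.]qq-1[.]pw pattern) and registrable domains that mimic an agency domain by dropping or hyphenating its dot (the dot-gov[.]us and tngov[.]us pattern). The `MONITORED` list, the two-label registrable-domain rule and the helper names are assumptions of this example; a real deployment would use the Public Suffix List.

```python
# Added example (not from the report): classify hostnames and sender domains
# against a watch list of legitimate agency domains. Indicators are accepted in
# the report's de-fanged form ([.] and {at}) and re-fanged before checking.

# Assumed watch list; a real service would load the agency's full domain set.
MONITORED = ["transportation.gov", "dot.gov", "dol.gov", "tn.gov", "in.gov", "usa.gov"]


def refang(indicator):
    """Turn a de-fanged indicator such as dol[.]gov[.]qq-1[.]pw into a hostname."""
    return indicator.strip().lower().replace("[.]", ".")


def sender_domain(address):
    """Domain part of an e-mail address; accepts the report's {at} de-fanging."""
    return refang(address.replace("{at}", "@")).rsplit("@", 1)[-1]


def registrable_domain(host):
    """Last two labels. Assumption: a Public Suffix List lookup would replace
    this so that multi-label suffixes (e.g. co.uk) are handled correctly."""
    return ".".join(host.rstrip(".").split(".")[-2:])


def mimic_variants(domain):
    """Common squat spellings of a domain: dot removed, or dot replaced by a hyphen."""
    return {domain.replace(".", ""), domain.replace(".", "-")}


def classify(indicator):
    """Return (verdict, matched_legit_domain) for one hostname."""
    host = refang(indicator)
    reg = registrable_domain(host)
    if reg in MONITORED:
        return ("legitimate", reg)          # genuinely under the agency's domain
    for legit in MONITORED:
        # The agency domain appears as a whole label sequence, but the host is
        # registered somewhere else: transportation.gov.qq-1.pw, www.dol.gov.bid-sync.eq1.pw
        if "." + legit + "." in "." + host + ".":
            return ("embedded-subdomain", legit)
    second_level = reg.split(".")[0]        # "dot-gov" from "dot-gov.us"
    for legit in MONITORED:
        if second_level in mimic_variants(legit):
            return ("lookalike-domain", legit)
    return ("no-match", None)


def scan(indicators):
    """Return only the indicators that need an analyst's attention."""
    return [(i,) + classify(i) for i in indicators if classify(i)[0] != "no-match"]
```

Feeding the hostnames from Appendix A through `scan` flags every entry except the legitimate agency sites; the simple hyphen/dot heuristic does not cover every squat in Table 1 (gov[.]us, idoa-gov[.]us), which is why a monitoring service should also match on keywords and registrant data.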
Conclusion
Online bidding-themed phishing schemes are a common technique employed by threat actors to steal account credentials from contractors looking to conduct business with local, state, and federal government agencies. Although we were unable to recover a phishing email for this case, the use of spoofed email addresses of legitimate government employees is a likely sign that threat actors social engineer contractors with email-based attacks. We expect to see similar types of attacks spoofing local, state, and federal government agencies for the long term and will continue to track and report on the latest campaigns.
Appendix A – Indicators of Compromise
Indicator | Description |
---|---|
transportation[.]gov[.]qq-1[.]pw | Phishing hostname mimicking U.S. Department of Transportation |
transportation[.]gov[.]bidsync[.]kela[.]pw | Phishing hostname mimicking U.S. Department of Transportation |
www[.]transportation[.]gov[.]bid-sync[.]kela[.]pw | Phishing hostname mimicking U.S. Department of Transportation |
dol[.]gov[.]qq-1[.]pw | Phishing hostname mimicking U.S. Department of Labor |
www[.]dol[.]gov[.]bid-sync[.]eq1[.]pw | Phishing hostname mimicking U.S. Department of Labor |
hxxps://transportation[.]gov[.]qq-1[.]pw | Online bidding-themed phishing site mimicking U.S. Department of Transportation |
hxxps://transportation[.]gov[.]qq-1[.]pw/V1/ | Online bidding-themed phishing site mimicking U.S. Department of Transportation |
hxxps://transportation[.]gov[.]qq-1[.]pw/V2/ | Online bidding-themed phishing site mimicking U.S. Department of Transportation |
hxxps://transportation[.]gov[.]bidsync[.]kela[.]pw | Online bidding-themed phishing site mimicking U.S. Department of Transportation |
hxxps://transportation[.]gov[.]qq-1[.]pw/V1/index2[.]html | Error message page displayed after entering email address and password to U.S. Department of Transportation online-bidding themed phishing site |
hxxps://www[.]transportation[.]gov[.]bid-sync[.]kela[.]pw | Online bidding-themed phishing site mimicking U.S. Department of Transportation |
hxxps://dol[.]gov[.]qq-1[.]pw/V1/ | Online bidding-themed phishing site mimicking U.S. Department of Labor |
hxxps://dol[.]gov[.]qq-1[.]pw/V1/index2[.]html | Error message page displayed after entering email address and password to U.S. Department of Labor online-bidding themed phishing site |
dot-gov[.]us | Suspicious-looking domain mimicking the U.S. Department of Transportation and potentially used to send out phishing emails |
leonardo.sanroman{at}dot-gov[.]us | Fraudulent email address used to spoof a legitimate U.S. Department of Transportation employee |
martha.kenley{at}dot-gov[.]us | Fraudulent email address used to spoof a legitimate U.S. Department of Transportation employee |
gov[.]us | Federal Government of the United States |
virginiagov[.]us | State of Virginia |
tngov[.]us | State of Tennessee |
mncppc-org[.]us | Maryland-National Capital Park and Planning Commission (M-NCPPC) |
montgomeryparks-org[.]us | Montgomery (Maryland) County Department of Parks |
idoa-gov[.]us | Indiana Department of Administration |
in-gov[.]us | State of Indiana |
davuchi001{at}gmail[.]com | Suspected cybersquatter named David Paris that has registered domain name variants mimicking U.S. federal and state government agencies |
0326F75810AC41651CC5EBC6006D7F64F7B0 | Serial number for TLS/SSL certificate installed on server hosting U.S. Department of Transportation phishing site |
03746833DFB154E77CD94E1B756A95347CE5 | Serial number for TLS/SSL certificate installed on server hosting U.S. Department of Labor phishing site |
Appendix B – Whois Record for dot-gov[.]us
source: www.anomali.com