Online Bidding-Themed Phishing Campaigns Aims to Trick U.S. Federal Government Contractors

Please follow me on:
Twitter Telegram

On February 23, 2019, Anomali Labs found a suspicious-looking subdomain transportation[.]gov[.]bidsync[.]kela[.]pw containing the legitimate domain transportation.gov for the U.S. Department of Transportation (DOT). When users visit the domain in their web browsers, they are redirected to a phishing site located at <hxxps://transportation[.]gov[.]qq-1[.]pw/V1/> that is designed to appear as a DOT eProcurement portal. However, the site contains at least three components dissimilar to the legitimate DOT homepage:

1. A pop-up window titled “Invitation for Bid” where purportedly the DOT is seeking quotations from qualified contractors (RFQ) for ongoing government projects with a due date of February 25, 2019 and BID numbers: 0045620 and 0041378. Additionally, it informs interested parties to send an email to the acting manager Leonardo San Roman (email: leonardo.sanroman{at}dot-gov[.]us). A review of the DOT website confirmed Mr. San Roman is a DOT employee working as the Acting Manager for the DOT Office of Small and Disadvantaged Business Utilization’s Procurement Assistance Division; however, legitimate DOT emails end in @dot.gov (See Figure 1).
2. A red box in the middle of the screen titled “Click here to bid” that redirects users to a faux login page to harvest their email address and password (See Figure 2).
3. A slider box in the middle of the page with faux content announcing the Invitation to Bid and several pages with false contact details and information (See Figure 3).

Figure 1. Fake landing page for U.S. Department of Transportation eProcurement Portal

Figure 2. Pop-up window requesting login credentials

Figure 3. Consolidated content from slider box on faux U.S. Department of Transportation online bidding-themed phishing site

Indicator Expansion

The server hosting the phishing site transportation[.]gov[.]qq-1[.]pw had a self-signed TLS certificate (SN: 0326F75810AC41651CC5EBC6006D7F64F7B0) installed issued by Let’s Encrypt, a free certificate provider, with a validity period of three months starting on February 21, 2019 and ending on May 22, 2019. This could be a possible indication that the phishing campaign has been active beginning on or around February 21. At the time of this report, the server resolved to a shared IP address 107.180.54[.]250 (AS26496 – GoDaddy) located in the United States that also hosts numerous other suspicious and malicious sites. A particular site of interest dol[.]gov[.]qq-1[.]pw used the domain name dol.gov in its naming convention, which is the U.S. Department of Labor’s parent domain and main website.

U.S. Department of Labor Phishing Campaign

When navigating to the fraudulent hostname dol[.]gov[.]qq-1[.]pw, users are presented with a spoofed DOL page located at <hxxps://dol[.]gov[.]qq-1[.]pw/V1/. The spoofed site is a cloned version of the DOL mainpage with an additional feature, a red highlighted box with the words “Click here to bid”, located in the middle of the site (See Figure 4). Once users click to bid on the contract, a pop-up window for a login page appears that requests the potential victim’s email address and password (See Figure 5). However, once the victim has entered their credentials, they are presented with the following error message “Please Try again, Sign in with your correct email”.

Figure 4. Fake landing page for U.S. Department of Labor

Figure 5. Pop-up window requesting login credentials

Figure 6. Error message displayed once entering user credentials

A Closer Look at Domain Name dot-gov[.]us

The domain dot-gov[.]us was registered on December 7, 2018 with Registrar Namecheap to a suspected cybersquatter from Grover, Pennsylvania named David Paris who uses the email address davuchi001{at}gmail[.]com. Of note, this domain has changed ownership multiple times since being originally created on June 13, 2013. A reverse Whois lookup of this registrant name and email address uncovered a combined total of 133 related domains. An intriguing finding while reviewing these domains, there were at least seven sites targeting multiple government agencies from the U.S. Federal Government and four state governments.

Suspicious Domain	Spoofed Legitimate Site	Spoofed Government Agency
gov[.]us	usa.gov	Federal Government of the United States
virginiagov[.]us	virginia.gov	State of Virginia
tngov[.]us	tn.gov	State of Tennessee
mncppc-org[.]us	mncppc.org	Maryland-National Capital Park and Planning Commission (M-NCPPC)
montgomeryparks-org[.]us	montgomeryparks.org	Montgomery (Maryland) County Department of Parks
idoa-gov[.]us	www.in.gov/idoa/	Indiana Department of Administration
in-gov[.]us	in.gov	State of Indiana

Table 1. Suspicious-looking domains mimicking agencies from the U.S. federal government and four U.S. state governments

Defending Against Online Bidding Schemes

• Be wary if you receive an unsolicited communication from a federal government agency and do not click on embedded hyperlinks within the message claiming to visit a website to submit a contract bid or download a file attachment from the untrusted source as most likely the hyperlink within the file is malicious.
• Do not blindly trust the padlock feature at the top left of the website address bar as threat actors can easily obtain a free TLS/SSL certificate to make the site appear it is coming from a trusted source.
• Inspect the website address to ensure that it is indeed from the legitimate government agency and not a fraudulent actor concealing their presence using the legitimate agency’s domain name as a subdomain of a malicious site.
• When in doubt, directly contact the contract representative of the government agency to confirm the legitimate website prior to submitting the necessary paperwork. Reminder do not use the contact details provided in unsolicited messages as they are most likely to be fraudulent.
• All levels of government should invest in a domain monitoring service that can detect and alert on domains and subdomains mimicking their agencies. Once discovered, the government agency security personnel should work on taking down the offending domains and websites to prevent their employees, citizens, and third-parties from becoming victimizing in a social engineering attack.

Conclusion

Online bidding-themed phishing schemes is a common technique employed by threat actors to steal account credentials from contractors looking to conduct business with local, state, and federal government agencies. Although, we were unable to reveal a phishing email for this case, the use of spoofed email address of legitimate government employees is a likely sign that threat actors social engineer contractors with email-based attacks. We expect to see similar types of attacks spoofing local, state, and federal government agencies for the long-term and will continue to track and report on the latest campaigns.

References

• U.S. Department of Transportation
• U.S. Department of Transportation
• U.S. Department of Labor
• URL Scan
• Google Safe Browsing
• Microsoft Windows Defender Security Intelligence

Appendix A – Indicators of Compromise

Indicator	Description
transportation[.]gov[.]qq-1[.]pw	Phishing hostname mimicking U.S. Department of Transportation
transportation[.]gov[.]bidsync[.]kela[.]pw	Phishing hostname mimicking U.S. Department of Transportation
www[.]transportation[.]gov[.]bid-sync[.]kela[.]pw	Phishing hostname mimicking U.S. Department of Transportation
dol[.]gov[.]qq-1[.]pw	Phishing hostname mimicking U.S. Department of Labor
www[.]dol[.]gov[.]bid-sync[.]eq1[.]pw	Phishing hostname mimicking U.S. Department of Labor
hxxps://transportation[.]gov[.]qq-1[.]pw	Online bidding-themed phishing site mimicking U.S. Department of Transportation
hxxps://transportation[.]gov[.]qq-1[.]pw/V1/	Online bidding-themed phishing site mimicking U.S. Department of Transportation
hxxps://transportation[.]gov[.]qq-1[.]pw/V2/	Online bidding-themed phishing site mimicking U.S. Department of Transportation
hxxps://transportation[.]gov[.]bidsync[.]kela[.]pw	Online bidding-themed phishing site mimicking U.S. Department of Transportation
hxxps://transportation[.]gov[.]qq-1[.]pw/V1/index2[.]html	Error message page displayed after entering email address and password to U.S. Department of Transportation online-bidding themed phishing site
https://www[.]transportation[.]gov[.]bid-sync[.]kela[.]pw	Online bidding-themed phishing site mimicking U.S. Department of Transportation
hxxps://dol[.]gov[.]qq-1[.]pw/V1/	Online bidding-themed phishing site mimicking U.S. Department of Labor
hxxps://dol[.]gov[.]qq-1[.]pw/V1/index2[.]html	Error message page displayed after entering email address and password to U.S. Department of Labor online-bidding themed phishing site
dot-gov[.]us	Suspicious-looking domain mimicking the U.S. Department of Transportation and potentially used to send out phishing emails
leonardo.sanroman{at}dot-gov[.]us	Fraudulent email address used to spoof a legitimate U.S. Department of Transportation employee
martha.kenley{at}dot-gov[.]us	Fraudulent email address used to spoof a legitimate U.S. Department of Transportation employee
gov[.]us	Federal Government of the United States
virginiagov[.]us	State of Virginia
tngov[.]us	State of Tennessee
mncppc-org[.]us	Maryland-National Capital Park and Planning Commission (M-NCPPC)
montgomeryparks-org[.]us	Montgomery (Maryland) County Department of Parks
idoa-gov[.]us	Indiana Department of Administration
in-gov[.]us	State of Indiana
davuchi001{at}gmail[.]com	Suspected cybersquatter named David Paris that has registered domain name variants mimicking U.S. federal and state government agencies
0326F75810AC41651CC5EBC6006D7F64F7B0	Serial number for TLS/SSL certificate installed on server hosting U.S. Department of Transportation phishing site
03746833DFB154E77CD94E1B756A95347CE5	Serial number for TLS/SSL certificate installed on server hosting U.S. Department of Labor phishing site

Appendix B – Whois Record for dot-gov[.]us

source: www.anomali.com