# Fresh Phish: Phishers Lure Victims with Fake Invites to Bid on Nonexistent Federal Projects **[inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects](https://www.inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects)** Posted by Roger Kay [Tweet](https://twitter.com/share) During the back half of 2021, INKY began detecting phishing emails that impersonated the United States Department of Labor (DoL). Eventually, the campaign grew to hundreds of instances. INKY caught enough of these attempts to do a thorough analysis of the campaign, which is set out in this edition of Fresh Phish. ### Quick Take: Attack Flow Overview ----- **Type: Phishing** **Vector: Spoofed DoL senders and newly created look-alike domains** **Payload: Malicious links in PDF attachments leading to credential harvesting sites** **Techniques: Brand impersonation, mail server abuse, VIP impersonation** **Platform: Google Workspace and Microsoft 365** **Target: Google Workspace and Microsoft 365 users** ## The Attack In this campaign, the majority of phishing attempts had sender email addresses spoofed to look as if they came from no-reply@dol[.]gov, which is the real DoL site. A small subset was spoofed to look as if they came from no-reply@dol[.]com, which is, of course, not the real DoL domain. The rest came from a set of newly created look-alike domains: dol-gov[.]com dol-gov[.]us bids-dolgov[.]us _Distribution of spoofed domains_ ----- These phishing emails invited recipients to submit bids for ongoing government projects and claimed to be from a senior DoL employee responsible for procurement. _Email impersonating the U.S. DoL_ Each phishing email had a three-page PDF attachment (shown below) with well-crafted DoL branding elements. ----- _Page 1 of PDF attachment_ _Page 2 of PDF attachment_ ----- _Page 3 of PDF attachment_ Recipients were instructed to click the “BID” button on Page 2 to access DoL’s procurement portal. Behind the button was a malicious link. The links varied, but they all led to malicious domains that impersonated the DoL. Here are the variants INKY detected: opendolbid[.]us usdol-gov[.]com bid-dolgov[.]us us-dolbids[.]us dol-bids[.]us openbids-dolgov[.]us open-biddolgov[.]us openbids-dolgov[.]com usdol-gov[.]us dolbids[.]com openbid-dolgov[.]us dol[.]global What the victim saw when they reached the evil site was a set of fake instructions. _Fake instructions on how to submit a bid_ ----- When the victim closed the instructions, what they saw was an identical copy of the real DoL website. The clever phishers had simply copied HTML and CSS from the real site and pasted it into the phishing site. _Identical copy of DoL site (except for red “Click here to bid” button)_ Victims who clicked on the red “Click here to bid” button was presented with a credential harvesting form with instructions to sign in and bid using a Microsoft or other business email account. ----- _Credential harvesting form_ When an INKY engineer made the first attempt at entering fake credentials, the site displayed a fake incorrect credentials error. But behind the scenes, those fake credentials had already been harvested (and either stored on the malicious site or emailed to the phisher). ----- _Fake incorrect credentials error_ In a classic “blow-off,” when our engineer made a second attempt at entering fake credentials, they were redirected to the real DoL site. This nuanced touch, borrowed from con artistry that well predates the digital era, is designed to confuse the victim and delay the moment when they realize that they were taken. _The real DoL site_ ## Techniques In the majority of these attacks (the ones in which the spoofed sender was either noreply@dol[.]gov or no-reply@dol[.]com), the phishers were able to send their phishing emails from abused servers nominally controlled by a non-profit professional membership group. _Received headers of a phish sent on New Year's Day_ ----- In this example s received headers (the path of servers through which the email travelled), the email originated from 185.105.7.219, and the non-profit’s abused mail server accepted it before passing it off to Microsoft Outlook servers. This technique allowed the phishing email to receive a DKIM pass for the reputable group’s domain. An investigation into 185.105.7.219 revealed that the IP address was associated with albacasino[.]com, a new domain created barely a week prior. In other cases, the phishers used newly created domains to both send initial phishing emails and host fake DoL sites. Newly created domains are a black-hat favorite because they are able to pass standard email authentication (SPF, DKIM, and DMARC). Since they are brand new, the domains represent zero-day vulnerabilities; they have never been seen before and typically do not appear in threat intelligence feeds commonly referenced by legacy antiphishing tools. Without a blemish, these sites used in this exploit did not look malicious. _A WHOIS lookup surfaced a recently created phishing domain_ Although several email security vendors use computer vision to detect impersonation sites, simplistic computer vision would not have helped in this case because the first thing the victim saw was the instructions, which concealed the actual impersonated site. ## Recap of Techniques **Brand impersonation — is done seamlessly by phishers who copy and paste HTML** and CSS directly from the real DoL site to spoof it **Abuse of a mail server — leverages a legitimate organization’s mail server to send** phishing emails **Newly created domains — are not yet known by threat intelligence feeds and** therefore pass rudimentary security checks **Credential harvesting — occurs when a victim tries to log into what they think is a real** government site and ends up instead entering credentials into a form controlled by the phishers ----- ## Best Practices: Guidance and Recommendations Official U.S. government domains usually end in .gov or .mil rather than .com or another suffix. The U.S. government does not typically send out cold emails to solicit bids for projects. Potential victims should be aware that it makes no sense to be asked to log in with email credentials to view a document on a completely different network. For message administrators, it ought to be clear that SMTP servers should not be configured to accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorized users. **Read more of INKY’s past** **[Fresh Phish, and subscribe to receive our news and articles](https://www.inky.com/blog/tag/fresh-phish)** **directly to your inbox.** --------------------- _INKY is an_ _[award-winning, cloud-based email security solution developed to proactively](https://www.inky.com/awards-recognition)_ _eliminate phishing emails and malware while simultaneously providing real-time assistance_ _to employees handling suspicious emails so they can make safer decisions. INKY’s patented_ _technology incorporates sophisticated computer vision, machine learning models, social_ _profiling, and stylometry algorithms to effectively sanitize emails, rewrite malicious links,_ _detect and block security threats, mitigate sender impersonation, and more. Cost-effective_ _and powerful, the INKY platform was developed for mobile-first IT organizations and works_ _seamlessly on any device, operating system, and mail client. Learn more about INKY™_ _or_ _[request an online demonstration today.](https://www.inky.com/get-inky)_ -----