Phishing attack spoofs US Department of Labor to steal account credentials

Phishing attack spoofs US Department of Labor to steal account credentials

A phishing campaign seen by email security provider Inky tries to trick its victims by inviting them to submit bids for alleged government projects.

 Many phishing attacks attempt to scam people by impersonating and imitating real brands and organizations. A phishing email that appears to come from an official government entity is especially deceptive as it carries an air of authority. A malicious campaign detected by Inky in the latter half of 2021 spoofed the U.S. Department of Labor as a way to harvest the account credentials of unsuspecting victims.

In a blog post published on Wednesday, Inky details a series of phishing attacks in which the sender address on most of the emails appeared to come from, the real domain for the Department of Labor. A few of the emails were spoofed to come from, which is not the department's real domain.

Claiming to come from a senior Department of Labor employee handling procurement, the emails invited the recipients to bid on "ongoing government projects." A PDF attached to the email looked like an official DoL document with all the right visuals and branding. A BID button on the second page of the PDF took people to what appeared to be the DoL's procurement portal but was actually a malicious website impersonating the department.

For the next step in the process, the website presented a "Click here to bid" button. Anyone clicking on that button would be taken to a credential harvesting form with directions to submit a bid using a Microsoft account or other business account. After entering their credentials, the victim would be told that they were incorrect. But in actuality, the credentials had been harvested by the attacker. If the person tried to enter their credentials again, they would be redirected to the actual DoL website to further trick them.

A phishing scam like this can easily fool unsuspecting recipients due to several tactics.

First, the attackers spoofed the DoL by copying and pasting actual HTML and CSS code from the real website. Second, they took advantage of a legitimate email server to send the phishing emails so as to escape detection by security defenses. Third, they created new domains that were unknown to threat intelligence and could bypass security checks. And fourth, the attackers presented what seemed to be a real government website but then redirected victims to a phishing form where their credentials could be captured.

To protect yourself from this specific type of phishing scam, Inky offers a few tips.
  • Scrutinize the sender's address. U.S. government domains usually end in .gov or .mil and not .com or another suffix.
  • Beware of emails claiming to be from the government. The U.S. government does not usually send cold emails to solicit bids for projects.
  • Be wary of each step in the process. In an instance like this, you would not be asked to log in with your email or account credentials on a totally different network.
  • Check your SMTP server settings. For email administrators, your SMTP servers should not be set up to accept and forward emails from non-local IP addresses to non-local mailboxes by unauthenticated and unauthorized users.
Source - Lance Whitney, 19 January, 2022 - Techrepublic