USDOT impersonated in a two-day email phishing scam

September 28, 2021

Over a two-day phishing campaign, cyber-attackers impersonated the US Department of Transportation (USDOT). They combined several tactics, such as registering new domains that copy and mimic federal sites, to appear authentic and avoid detection by authorities.

Security researchers have identified at least 41 phishing emails sent between August 16 and 18. These emails dangled the lure of project bids funded by the $1 trillion infrastructure package that Congress recently passed.

The two-day campaign began with an initial email to the victims saying that the USDOT was inviting them to submit a bid for a department project; to do so, they had to click a blue button labelled “Click Here to Bid”. The campaign targeted companies in the energy, engineering, and architecture industries. The phishing emails were sent from a transportationgov[.]net domain, which was registered through Amazon on August 16 this year. The creation date shown in WHOIS indicates that the domain was set up specifically to conduct phishing campaigns.


How the email phishing scam operates

Once the victim clicks the bidding button in the phishing email, they are redirected to the website transportation.gov.bidprocure.secure.akjackpot[.]com. The suspicious part of this link is its base domain, akjackpot[.]com, which was registered in 2019 and may or may not be a Malaysian-owned and -hosted online casino. Researchers say the site may have been hijacked, or its owners may themselves be the phishing operators imitating USDOT.

On the fake bidding site, victims are told to click a “Bid” button and sign in with their email address in order to connect to a so-called network. They are then taken to a page that mirrors the real USDOT site and invited to click again on a red “Click here to bid” button, which opens a form designed to harvest their credentials. The form carries a Microsoft logo and an instruction that users must log in with their email provider. The victim is finally asked to complete a reCAPTCHA challenge, although by this point their credentials may already have been stolen.

Cybersecurity researchers state that the threat actor’s tactics include new patterns that let their emails slip past secure email gateways. By devising a style of attack that differs from other known methods, the attackers can evade standard detection. This style includes using newly registered domains so that the phishing emails bypass standard email authentication processes.
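The three indicators the article describes can be checked mechanically: a registrable domain that spells the brand without its dot (transportationgov[.]net), the brand’s full domain buried in the subdomain of an unrelated registrable domain (transportation.gov.bidprocure.secure.akjackpot[.]com), and a domain whose WHOIS creation date is only days before the emails were observed. The script below is an added example written for this page, not code from the article or from the researchers it cites. The public-suffix set is a deliberately small constructed stand-in for the real Public Suffix List, the 30-day "newly registered" threshold is an assumption, and the indicators and dates are the ones the article reports.

```python
"""Triage helpers for the lookalike-domain, brand-in-subdomain and new-domain
indicators described in the article. Added example; simplified suffix handling."""
from datetime import date
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed, deliberately small public-suffix set. A production tool would use
# the full Public Suffix List (e.g. via tldextract) instead of this stand-in.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk", "gov.uk"}

# The legitimate domain impersonated in this campaign (from the article).
PROTECTED_BRANDS = {"transportation.gov"}

# Assumption: a domain younger than this when first seen in mail is suspicious.
NEW_DOMAIN_THRESHOLD_DAYS = 30


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'hxxps://akjackpot[.]com' into a usable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def split_host(host: str) -> Tuple[str, str]:
    """Return (registrable_domain, public_suffix) using the simplified suffix set."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try two-label suffixes first so 'gov.uk' beats 'uk'
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-n - 1:]), ".".join(labels[-n:])
    return host.lower(), ""


def brand_in_subdomain(host: str) -> Optional[str]:
    """Return the brand whose full domain appears as a contiguous label run inside
    the host while the registrable domain belongs to someone else."""
    labels = host.lower().split(".")
    registrable, _ = split_host(host)
    if registrable in PROTECTED_BRANDS:
        return None  # genuinely hosted under the brand's own domain
    for brand in PROTECTED_BRANDS:
        b = brand.split(".")
        for i in range(len(labels) - len(b) + 1):
            if labels[i:i + len(b)] == b:
                return brand
    return None


def lookalike_brand(host: str) -> Optional[str]:
    """Flag a registrable domain whose name, with dots and hyphens removed, spells a
    protected brand (transportationgov.net vs transportation.gov)."""
    registrable, suffix = split_host(host)
    if registrable in PROTECTED_BRANDS:
        return None
    name = (registrable[:-len(suffix) - 1] if suffix else registrable).replace("-", "")
    for brand in PROTECTED_BRANDS:
        b_reg, b_suffix = split_host(brand)
        b_name = (b_reg[:-len(b_suffix) - 1] if b_suffix else b_reg).replace("-", "")
        if name in {brand.replace(".", "").replace("-", ""), b_name}:
            return brand
    return None


def domain_age_days(created: date, observed: date) -> int:
    """Age of the registrable domain on the day the message was observed."""
    return (observed - created).days


def triage_url(url: str, observed: date, whois_created: Optional[date] = None) -> dict:
    """Collect the article's three indicators for one (possibly defanged) URL."""
    url = refang(url)
    if "://" not in url:
        url = "http://" + url
    host = urlparse(url).hostname or ""
    registrable, _ = split_host(host)
    findings = []
    brand = brand_in_subdomain(host)
    if brand:
        findings.append(f"{brand} appears as a subdomain of unrelated {registrable}")
    look = lookalike_brand(host)
    if look:
        findings.append(f"{registrable} is a lookalike of {look}")
    if whois_created is not None:
        age = domain_age_days(whois_created, observed)
        if age < NEW_DOMAIN_THRESHOLD_DAYS:
            findings.append(f"{registrable} was registered {age} day(s) before use")
    return {"host": host, "registrable": registrable,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    seen = date(2021, 8, 18)  # last day of the campaign per the article
    samples = [  # indicators from the article; WHOIS dates as the article reports them
        ("hxxps://transportationgov[.]net/bid", date(2021, 8, 16)),
        ("hxxps://transportation.gov.bidprocure.secure.akjackpot[.]com/", date(2019, 1, 1)),
        ("https://www.transportation.gov/", None),
    ]
    for sample_url, created in samples:
        print(triage_url(sample_url, seen, created))
```

The sender domain is caught twice (lookalike spelling and two-day age), the landing page is caught by the brand-in-subdomain check even though akjackpot[.]com itself is years old, and the genuine USDOT site produces no findings; a mail gateway rule built on the same three checks would have flagged both malicious hosts without needing a signature for the campaign.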

And because the method is new, the domain effectively represents a zero-day vulnerability to defenders.
