Phishing Scams: Understanding the Latest Threats and Prevention
Understanding Phishing Attacks
Phishing is a deceptive tactic used by criminals to trick people into handing over login credentials or other sensitive information. New variations appear constantly, and they are increasingly hard to tell apart from legitimate messages from businesses or government agencies. In this article I explain why one campaign in particular concerns me as an IT business owner.
As we delve deeper, the content may get a bit technical, but I will strive to keep it accessible for all readers.
How This Phishing Scheme Operates
This campaign uses sender addresses and look-alike domains that closely resemble the genuine one, together with counterfeit websites that are visually indistinguishable from the real thing, complete with fraudulent forms and pop-ups to reinforce the illusion. Most alarming, the newly registered domains were not flagged by any security firm for a considerable time, so the campaign operated undetected.
The Nature of the Attack
In late 2021, INKY, an email security company, began seeing phishing campaigns it had not observed before: messages impersonating the U.S. Department of Labor (DoL). Reports rose quickly from zero to hundreds. According to INKY's findings, many of the messages carried a From address of no-reply@dol[.]gov, the DoL's genuine domain; since the mail did not actually come from the DoL, that header was spoofed. Others were sent from no-reply@dol[.]com, which is not a government domain at all.
Other frequently used fraudulent sender domains included:
- dol-gov[.]com
- dol-gov[.]us
- bids-dolgov[.]us
The Objective of the Attack
The emails invite recipients to bid on “ongoing government projects” that do not exist; the real aim is to get them to submit credentials. To look credible, each email carries a three-page PDF styled as an official document. Its second page contains a “BID” button that supposedly opens the DoL's procurement portal; in reality it links to a malicious site. Detection is complicated further because the link does not always point to the same domain.
Fake Domain Variants Identified by INKY:
- opendolbid[.]us
- dol-gov[.]com
- bid-dolgov[.]us
- us-dolbids[.]us
- dol-bids[.]us
- openbids-dolgov[.]us
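Two of the indicators described above, the spoofed no-reply@dol[.]gov sender and the look-alike domains in the lists, can be checked mechanically when a message reaches a mailbox. The following is an added example of such a triage check, not INKY's tooling or the author's; the raw message it parses is constructed to resemble the campaign, and the assumptions (dol.gov as the only genuine DoL domain, a two-label registrable domain, an Authentication-Results header written by the receiving mail server) are stated in the comments.

```python
"""Triage a suspicious message for two tells: an envelope (Return-Path)
domain that does not match the displayed From domain, and look-alike
domains such as dol-gov.com or openbids-dolgov.us in the sender or in
links. Added example, not INKY's or the author's tooling; the sample
message below is constructed."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Brand token -> the one genuine registered domain for it.
# Assumption: dol.gov is the only legitimate Department of Labor domain in scope.
PROTECTED = {"dol": "dol.gov"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample shaped like the campaign: spoofed From, look-alike
# Return-Path, failing SPF/DMARC verdicts from the receiving MTA, and one
# look-alike link next to a genuine one.
RAW_EMAIL = b"""\
Return-Path: <bounce@bids-dolgov.us>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bids-dolgov.us; dmarc=fail header.from=dol.gov
From: "U.S. Department of Labor" <no-reply@dol.gov>
To: vendor@example.com
Subject: Invitation to bid on ongoing government projects
Content-Type: text/plain; charset=utf-8

Please review the attached bid and submit via https://openbids-dolgov.us/portal
Reference: https://www.dol.gov/agencies/oasam
"""


def registered_domain(host: str) -> str:
    """Collapse a hostname to its registrable part (last two labels).
    Assumption: no multi-label public suffixes such as co.uk are in scope."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_brand(host: str):
    """Return the protected brand token a host imitates, or None when the host
    is the genuine domain (or a subdomain of it) or unrelated to any brand."""
    reg = registered_domain(host)
    # Compare against the registrable label with hyphens and digits stripped,
    # so dol-gov.com, bids-dolgov.us and dol-bids.us all reduce to a string
    # containing "dol". Short tokens can false-positive (e.g. dolphin.com);
    # tune the token list for your own brands.
    label = re.sub(r"[-0-9]", "", reg.split(".")[0])
    for token, legit in PROTECTED.items():
        if reg == legit:
            continue
        if token in label:
            return token
    return None


def address_domain(addr: str) -> str:
    """Domain part of an address such as 'Name <user@host>' (empty if none)."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr)
    return m.group(1).lower() if m else ""


def auth_results(msg) -> dict:
    """spf= and dmarc= verdicts from the receiving MTA's Authentication-Results
    header (RFC 8601); 'none' when the method is absent."""
    hdr = str(msg.get("Authentication-Results", ""))
    verdicts = {}
    for method in ("spf", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", hdr)
        verdicts[method] = m.group(1).lower() if m else "none"
    return verdicts


def triage(raw: bytes) -> dict:
    """Parse a raw message and report the indicators a responder would check."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_dom = address_domain(str(msg.get("From", "")))
    rp_dom = address_domain(str(msg.get("Return-Path", "")))
    body = msg.get_body(preferencelist=("plain",)).get_content()
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    auth = auth_results(msg)
    report = {
        "header_from": from_dom,
        "return_path": rp_dom,
        # Bounce/envelope domain differs from the displayed From domain.
        "sender_mismatch": bool(rp_dom) and registered_domain(rp_dom) != registered_domain(from_dom),
        "spf": auth["spf"],
        "dmarc": auth["dmarc"],
        "lookalike_sender": lookalike_brand(rp_dom) is not None or lookalike_brand(from_dom) is not None,
        "lookalike_links": [h for h in hosts if lookalike_brand(h)],
    }
    report["suspicious"] = (report["sender_mismatch"] or report["dmarc"] == "fail"
                            or bool(report["lookalike_links"]))
    return report


if __name__ == "__main__":
    for key, value in triage(RAW_EMAIL).items():
        print(f"{key:17} {value}")
```

On the constructed sample the report shows the Return-Path domain bids-dolgov.us disagreeing with the displayed dol.gov, a DMARC failure, and openbids-dolgov.us flagged as a look-alike while www.dol.gov passes. The brand-token check is deliberately crude; in production you would pair it with a public-suffix list and the domain-age and reputation data that, as the article notes, did not exist yet for these freshly registered domains.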
After clicking the button, the victim lands on a convincing clone of the real site. The attackers copied the genuine page's HTML and CSS, so the layout and forms look identical to the original, and there is little on screen to alert a user who goes ahead and fills them in.
The Ultimate Goal
The cloned site prompts the victim to sign in with Microsoft or other business account credentials. The form exists purely for credential harvesting: whatever the victim types is captured by the attackers.
Recommended Preventive Measures
Unfortunately, most articles on phishing offer the generic advice to be careful about clicking links, which I find frustrating because it is often impractical: if you cannot tell a legitimate site from a counterfeit, that advice does not help. Here are my top three recommendations:
- Enable Two-Factor Authentication (2FA): even if your password is stolen, the attacker still needs the second factor. An authenticator-app (TOTP) code rotates every 30 seconds; an SMS code is fixed for that one login attempt. Be aware that either can still be relayed by a phishing site that forwards your password and code to the real service in real time, so phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the genuine site, are the stronger choice.
- Consult Your IT Provider: make sure your provider follows current best practices, including backing up mailboxes. Attackers frequently delete mailboxes once they have extracted what they want, and a backup is the only way to recover that mail.
- Conduct Phishing Education: have your IT team run simulated phishing emails to measure your staff's awareness. Anyone who clicks a simulated lure should be enrolled automatically in online training.
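The 2FA recommendation above is sound, but it helps to see exactly why a one-time code stops a credential thief yet not a live phishing proxy, and why an origin-bound credential does. The following is an added example, not part of the original article and not any vendor's code: a simplified model of TOTP (RFC 6238) and of the origin binding that FIDO2/WebAuthn authenticators provide. The HMAC "signature" stands in for the authenticator's private-key signature, and the origins, seed and device key are constructed.

```python
"""Why a one-time code can be relayed by a phishing proxy while an
origin-bound credential cannot. Added example: a simplified model of TOTP
(RFC 6238) and of FIDO2/WebAuthn-style origin binding, not the author's
or any vendor's code. The HMAC "signature" is a stand-in for the
authenticator's private-key signature; origins and secrets are constructed."""
import hashlib
import hmac
import secrets
import struct

# RFC 6238 reference seed, used here as a constructed example.
SEED = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP per RFC 6238 (HMAC-SHA1, 30-second step, dynamic truncation)."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


class RealSite:
    """The genuine service, offering a password+TOTP login and an
    origin-bound challenge/response login."""
    ORIGIN = "https://www.dol.gov"  # assumption: the legitimate origin

    def __init__(self, password: str, totp_secret: bytes, device_key: bytes):
        self.password = password
        self.totp_secret = totp_secret
        self.device_key = device_key
        self.pending = set()

    def login_totp(self, password: str, code: str, now: int) -> bool:
        """Accepts any correct code for the current step, whoever submits it."""
        return hmac.compare_digest(password, self.password) and \
            hmac.compare_digest(code, totp(self.totp_secret, now))

    def issue_challenge(self) -> bytes:
        chal = secrets.token_bytes(16)
        self.pending.add(chal)
        return chal

    def login_origin_bound(self, chal: bytes, origin: str, sig: bytes) -> bool:
        """Verify the signature over challenge||origin and insist that the
        signed origin is our own. A signature made on a look-alike origin
        fails here even if the proxy forwards it immediately."""
        if chal not in self.pending:
            return False
        self.pending.discard(chal)  # one use per challenge
        if origin != self.ORIGIN:
            return False
        expected = hmac.new(self.device_key, chal + origin.encode(), hashlib.sha256).digest()
        return hmac.compare_digest(sig, expected)


def authenticator_sign(device_key: bytes, chal: bytes, browser_origin: str):
    """The user's authenticator signs the challenge together with the origin
    the browser is really on; a phishing page cannot make it sign dol.gov."""
    sig = hmac.new(device_key, chal + browser_origin.encode(), hashlib.sha256).digest()
    return browser_origin, sig


def relay_totp(site: RealSite, victim_password: str, now: int) -> bool:
    """Adversary-in-the-middle: the victim types the password and the code
    from their phone into the phishing page; the proxy forwards both at once."""
    code_typed = totp(site.totp_secret, now)  # what the victim's app shows
    return site.login_totp(victim_password, code_typed, now)


def relay_origin_bound(site: RealSite, device_key: bytes, browser_origin: str):
    """Same proxy against the origin-bound login. Returns a pair: accepted
    when forwarded as signed, and accepted when the proxy rewrites the
    origin field to the genuine one but keeps the victim's signature."""
    chal = site.issue_challenge()
    origin, sig = authenticator_sign(device_key, chal, browser_origin)
    as_signed = site.login_origin_bound(chal, origin, sig)
    chal2 = site.issue_challenge()
    _, sig2 = authenticator_sign(device_key, chal2, browser_origin)
    rewritten = site.login_origin_bound(chal2, site.ORIGIN, sig2)
    return as_signed, rewritten


if __name__ == "__main__":
    site = RealSite("hunter2", SEED, b"device-key")
    print("TOTP relayed through phishing proxy accepted:",
          relay_totp(site, "hunter2", 59))
    print("origin-bound assertion from look-alike origin accepted:",
          relay_origin_bound(site, b"device-key", "https://openbids-dolgov.us"))
    print("origin-bound assertion from genuine origin accepted:",
          relay_origin_bound(site, b"device-key", site.ORIGIN))
```

Run stand-alone, the script shows the relayed TOTP login succeeding, the relayed origin-bound assertion failing both as signed and with the origin field rewritten, and the genuine-origin assertion succeeding. The point for the reader is the one the article's 2FA advice leaves implicit: a code the user can type can be proxied, whereas an assertion bound to the origin the browser actually loaded cannot be reused against the real site.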
Chapter 1: The Evolution of Phishing Attacks
Phishing tactics are constantly evolving, making it crucial to stay informed about the latest threats.
Beware! Scam Emails for Bids on Bogus Government Contracts
This video discusses the rise of phishing emails masquerading as legitimate government contracts. It highlights warning signs and preventative measures.
Chapter 2: Government Fraud and Its Impact
The implications of fraud on government systems can be severe.
State Stops $1.2 Billion Unemployment Fraud: High Income Jobs For All!
This video covers the recent efforts to combat unemployment fraud and the financial implications for government agencies.