<p>In late February 2019, Anomali Labs researchers discovered a malicious server hosting two separate phishing campaigns targeting government contractors desiring to do business with two U.S. federal government agencies. In both instances, the phisher created faux landing pages mimicking the Department of Transportation eProcurement login portal and the Department of Labor home page to lure federal contractors into sending their personally identifiable information (PII) to the threat actor. Upon discovery, Anomali Labs submitted the fraudulent sites for blacklisting consideration with <a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google Safe Browsing</a> and <a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft Windows Defender Security Intelligence</a>.</p>
<h2>U.S. Department of Transportation Online Bidding Phishing Scheme</h2>
<p>On February 23, 2019, Anomali Labs found a suspicious-looking subdomain transportation[.]gov[.]bidsync[.]kela[.]pw containing the legitimate domain transportation.gov for the U.S. Department of Transportation (DOT). When users visit the domain in their web browsers, they are redirected to a phishing site located at hxxps://transportation[.]gov[.]qq-1[.]pw/V1/ that is designed to appear as a DOT eProcurement portal. However, the site contains at least three components dissimilar to the legitimate DOT homepage:</p>
<ol><li>A pop-up window titled “Invitation for Bid” in which the DOT is purportedly seeking quotations from qualified contractors (RFQ) for ongoing government projects with a due date of February 25, 2019 and BID numbers: 0045620 and 0041378. Additionally, it instructs interested parties to send an email to the acting manager Leonardo San Roman (email: leonardo.sanroman{at}dot-gov[.]us). A review of the DOT website confirmed Mr.
San Roman is a DOT employee working as the Acting Manager for the DOT Office of Small and Disadvantaged Business Utilization’s Procurement Assistance Division; however, legitimate DOT emails end in @dot.gov (See Figure 1).</li>
<li>A red box in the middle of the screen titled “Click here to bid” that redirects users to a faux login page to harvest their email address and password (See Figure 2).</li>
<li>A slider box in the middle of the page with faux content announcing the Invitation to Bid and several pages with false contact details and information (See Figure 3).</li></ol>
<p style="text-align: center;"><em><img alt="Fake landing page for U.S. Department of Transportation eProcurement Portal" src="https://cdn.filestackcontent.com/DzYOSqKhQ1aW4oUYPMJR"/><br/> Figure 1. Fake landing page for U.S. Department of Transportation eProcurement Portal</em></p>
<p style="text-align: center;"><em><img alt="Pop-up window requesting login credentials" src="https://cdn.filestackcontent.com/wehOjLU0SZ2l0QRWOY2A"/><br/> Figure 2. Pop-up window requesting login credentials</em></p>
<p style="text-align: center;"><em><img alt="Consolidated content from slider box on faux U.S. Department of Transportation online bidding-themed phishing site" src="https://cdn.filestackcontent.com/flbvHEOpTG6ezniIMSwB"/><br/> Figure 3. Consolidated content from slider box on faux U.S. Department of Transportation online bidding-themed phishing site</em></p>
<h2>Indicator Expansion</h2>
<p>The server hosting the phishing site transportation[.]gov[.]qq-1[.]pw had a self-signed TLS certificate (SN: 0326F75810AC41651CC5EBC6006D7F64F7B0) installed, issued by Let’s Encrypt, a free certificate provider, with a validity period of three months starting on February 21, 2019 and ending on May 22, 2019. This could indicate that the phishing campaign has been active since on or around February 21.
At the time of this report, the server resolved to a shared IP address 107.180.54[.]250 (AS26496 - GoDaddy) located in the United States that also hosts numerous other suspicious and malicious sites. One site of particular interest, dol[.]gov[.]qq-1[.]pw, used the domain name dol.gov in its naming convention, which is the U.S. Department of Labor’s parent domain and main website.</p>
<h2>U.S. Department of Labor Phishing Campaign</h2>
<p>When navigating to the fraudulent hostname dol[.]gov[.]qq-1[.]pw, users are presented with a spoofed DOL page located at hxxps://dol[.]gov[.]qq-1[.]pw/V1/ that is a cloned version of the DOL mainpage (See Figure 4). However, the spoofed site has an additional feature: a red box highlighted with the words “Click here to bid”, located in the middle of the page. Once users click on the box to bid for a potential contract, they are presented with a pop-up login window that requests the victim’s email address and password (See Figure 5). Once the victim has entered their credentials, the following error message appears: "Please try again, sign in with your correct email".</p>
<p style="text-align: center;"><em><img alt="Fake landing page" src="https://cdn.filestackcontent.com/hvuEfcqRaWU8SxJlIuc8"/><br/> Figure 4. Fake landing page for U.S. Department of Labor</em></p>
<p style="text-align: center;"><em><img alt="Pop-up window requesting login credentials" src="https://cdn.filestackcontent.com/vdiX9BDQR2ql8VMex2em"/><br/> Figure 5. Pop-up window requesting login credentials</em></p>
<p style="text-align: center;"><em><img alt="Error message displayed once entering user credentials" src="https://cdn.filestackcontent.com/0OUkeGFRTaSjTfzQ9nNr"/><br/> Figure 6. Error message displayed once entering user credentials</em></p>
<h2>A Closer Look at Domain Name dot-gov[.]us</h2>
<p>The domain dot-gov[.]us was registered on December 7, 2018 with Registrar Namecheap to a suspected cybersquatter from Grover, Pennsylvania named David Paris who uses the email address davuchi001{at}gmail[.]com. Of note, this domain has changed ownership multiple times since being originally created on June 13, 2013. A reverse Whois lookup of this registrant name and email address uncovered a combined total of 133 related domains. An intriguing finding from reviewing these domains was that at least seven sites targeted multiple government agencies from the U.S. federal government and four state governments.</p>
<table class="table table-bordered table-striped" style="table-layout:fixed"><thead><tr><th>Suspicious Domain</th><th>Spoofed Legitimate Site</th><th>Spoofed Government Agency</th></tr></thead><tbody>
<tr><td style="word-wrap: break-word">gov[.]us</td><td style="word-wrap: break-word">usa.gov</td><td>Federal Government of the United States</td></tr>
<tr><td style="word-wrap: break-word">virginiagov[.]us</td><td style="word-wrap: break-word">virginia.gov</td><td>State of Virginia</td></tr>
<tr><td style="word-wrap: break-word">tngov[.]us</td><td style="word-wrap: break-word">tn.gov</td><td>State of Tennessee</td></tr>
<tr><td style="word-wrap: break-word">mncppc-org[.]us</td><td style="word-wrap: break-word">mncppc.org</td><td>Maryland-National Capital Park and Planning Commission (M-NCPPC)</td></tr>
<tr><td style="word-wrap: break-word">montgomeryparks-org[.]us</td><td style="word-wrap: break-word">montgomeryparks.org</td><td>Montgomery (Maryland) County Department of Parks</td></tr>
<tr><td style="word-wrap: break-word">idoa-gov[.]us</td><td style="word-wrap: break-word">www.in.gov/idoa/</td><td>Indiana Department of Administration</td></tr>
<tr><td style="word-wrap: break-word">in-gov[.]us</td><td style="word-wrap: break-word">in.gov</td><td>State of Indiana</td></tr>
</tbody></table>
<p style="text-align: center;"><em>Table 1. Suspicious-looking domains mimicking agencies from the U.S. federal government and four U.S. state governments</em></p>
<h2>Defending Against Online Bidding Schemes</h2>
<ul><li>Be wary if you receive an unsolicited communication from a federal government agency. Do not click on embedded hyperlinks within the message that claim to lead to a website for submitting a contract bid, and do not download a file attachment from the untrusted source, as the hyperlink within the file is most likely malicious.</li>
<li>Do not blindly trust the padlock feature at the top left of the website address bar, as threat actors can easily obtain a free TLS/SSL certificate to make the site appear to come from a trusted source.</li>
<li>Inspect the website address to ensure that it is indeed from the legitimate government agency and not a fraudulent actor concealing their presence using the legitimate agency’s domain name as a subdomain of a malicious site.</li>
<li>When in doubt, directly contact the contract representative of the government agency to confirm the legitimate website prior to submitting the necessary paperwork. As a reminder, do not use the contact details provided in unsolicited messages, as they are most likely to be fraudulent.</li>
<li>All levels of government should invest in a domain monitoring service that can detect and alert on domains and subdomains mimicking their agencies. Once such domains are discovered, the government agency's security personnel should work on taking down the offending domains and websites to prevent their employees, citizens, and third parties from becoming victims of a social engineering attack.</li></ul>
<h2>Conclusion</h2>
<p>Online bidding-themed phishing schemes are a common technique employed by threat actors to steal account credentials from contractors looking to conduct business with local, state, and federal government agencies. Although we were unable to uncover a phishing email for this case, the use of spoofed email addresses of legitimate government employees is a likely sign that threat actors socially engineer contractors with email-based attacks. We expect to see similar types of attacks spoofing local, state, and federal government agencies for the long term and will continue to track and report on the latest campaigns.</p>
<h2>References</h2>
<ul><li><a href="https://www.transportation.gov/" target="_blank">U.S. Department of Transportation</a></li><li><a href="https://www.transportation.gov/osdbu/our-team/leonardo-san-roman" target="_blank">U.S. Department of Transportation</a></li><li><a href="https://www.dol.gov/" target="_blank">U.S. Department of Labor</a></li><li>URL Scan</li><li><a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google Safe Browsing</a></li><li><a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft Windows Defender Security Intelligence</a></li></ul>
<h3>Appendix A - Indicators of Compromise</h3>
<table class="table table-bordered table-striped" style="table-layout:fixed"><tbody><tr><th>Indicator</th><th>Description</th></tr>
<tr><td style="word-wrap: break-word">transportation[.]gov[.]qq-1[.]pw</td><td style="word-wrap: break-word">Phishing hostname mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">transportation[.]gov[.]bidsync[.]kela[.]pw</td><td style="word-wrap: break-word">Phishing hostname mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">www[.]transportation[.]gov[.]bid-sync[.]kela[.]pw</td><td style="word-wrap: break-word">Phishing hostname mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">dol[.]gov[.]qq-1[.]pw</td><td style="word-wrap: break-word">Phishing hostname mimicking U.S. Department of Labor</td></tr>
<tr><td style="word-wrap: break-word">www[.]dol[.]gov[.]bid-sync[.]eq1[.]pw</td><td style="word-wrap: break-word">Phishing hostname mimicking U.S. Department of Labor</td></tr>
<tr><td style="word-wrap: break-word">hxxps://transportation[.]gov[.]qq-1[.]pw</td><td style="word-wrap: break-word">Online bidding-themed phishing site mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">hxxps://transportation[.]gov[.]qq-1[.]pw/V1/</td><td style="word-wrap: break-word">Online bidding-themed phishing site mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">hxxps://transportation[.]gov[.]qq-1[.]pw/V2/</td><td style="word-wrap: break-word">Online bidding-themed phishing site mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">hxxps://transportation[.]gov[.]bidsync[.]kela[.]pw</td><td style="word-wrap: break-word">Online bidding-themed phishing site mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">hxxps://transportation[.]gov[.]qq-1[.]pw/V1/index2[.]html</td><td style="word-wrap: break-word">Error message page displayed after entering email address and password to U.S. Department of Transportation online-bidding themed phishing site</td></tr>
<tr><td style="word-wrap: break-word">hxxps://www[.]transportation[.]gov[.]bid-sync[.]kela[.]pw</td><td style="word-wrap: break-word">Online bidding-themed phishing site mimicking U.S. Department of Transportation</td></tr>
<tr><td style="word-wrap: break-word">hxxps://dol[.]gov[.]qq-1[.]pw/V1/</td><td style="word-wrap: break-word">Online bidding-themed phishing site mimicking U.S. Department of Labor</td></tr>
<tr><td style="word-wrap: break-word">hxxps://dol[.]gov[.]qq-1[.]pw/V1/index2[.]html</td><td style="word-wrap: break-word">Error message page displayed after entering email address and password to U.S. Department of Labor online-bidding themed phishing site</td></tr>
<tr><td style="word-wrap: break-word">dot-gov[.]us</td><td style="word-wrap: break-word">Suspicious-looking domain mimicking the U.S. Department of Transportation and potentially used to send out phishing emails</td></tr>
<tr><td style="word-wrap: break-word">leonardo.sanroman{at}dot-gov[.]us</td><td style="word-wrap: break-word">Fraudulent email address used to spoof a legitimate U.S. Department of Transportation employee</td></tr>
<tr><td style="word-wrap: break-word">martha.kenley{at}dot-gov[.]us</td><td style="word-wrap: break-word">Fraudulent email address used to spoof a legitimate U.S. Department of Transportation employee</td></tr>
<tr><td style="word-wrap: break-word">gov[.]us</td><td style="word-wrap: break-word">Federal Government of the United States</td></tr>
<tr><td style="word-wrap: break-word">virginiagov[.]us</td><td style="word-wrap: break-word">State of Virginia</td></tr>
<tr><td style="word-wrap: break-word">tngov[.]us</td><td style="word-wrap: break-word">State of Tennessee</td></tr>
<tr><td style="word-wrap: break-word">mncppc-org[.]us</td><td style="word-wrap: break-word">Maryland-National Capital Park and Planning Commission (M-NCPPC)</td></tr>
<tr><td style="word-wrap: break-word">montgomeryparks-org[.]us</td><td style="word-wrap: break-word">Montgomery (Maryland) County Department of Parks</td></tr>
<tr><td style="word-wrap: break-word">idoa-gov[.]us</td><td style="word-wrap: break-word">Indiana Department of Administration</td></tr>
<tr><td style="word-wrap: break-word">in-gov[.]us</td><td style="word-wrap: break-word">State of Indiana</td></tr>
<tr><td style="word-wrap: break-word">davuchi001{at}gmail[.]com</td><td style="word-wrap: break-word">Suspected cybersquatter named David Paris that has registered domain name variants mimicking U.S. federal and state government agencies</td></tr>
<tr><td style="word-wrap: break-word">0326F75810AC41651CC5EBC6006D7F64F7B0</td><td style="word-wrap: break-word">Serial number for TLS/SSL certificate installed on server hosting U.S. Department of Transportation phishing site</td></tr>
<tr><td style="word-wrap: break-word">03746833DFB154E77CD94E1B756A95347CE5</td><td style="word-wrap: break-word">Serial number for TLS/SSL certificate installed on server hosting U.S. Department of Labor phishing site</td></tr>
</tbody></table>
<h3>Appendix B - Whois Record for dot-gov[.]us</h3>
<p style="text-align: center;"><img alt="Appendix B - Whois Record for dot-gov[.]us" src="https://cdn.filestackcontent.com/czbHuooQaiPdpf8oPYZk"/></p>
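<p>The address inspection and domain monitoring recommended under “Defending Against Online Bidding Schemes” can be partly automated. The Python sketch below is an added example, not part of the original report or of any Anomali tooling: it flags hostnames, URLs and sender addresses that embed a protected agency domain as leading labels of another domain, or squeeze it into a single label. The <code>PROTECTED</code> list and all function names are assumptions; the sample indicators are copied from this report in defanged form.</p>

```python
# Added example: flag hostnames and sender addresses that mimic protected domains.
# PROTECTED is an assumption: each organisation supplies its own legitimate domains.
PROTECTED = ("transportation.gov", "dol.gov", "dot.gov", "virginia.gov", "tn.gov", "in.gov")

def refang(indicator):
    """Reduce a (possibly defanged) URL, hostname or email address to a bare hostname."""
    text = indicator.strip().lower().replace("[.]", ".").replace("{at}", "@")
    text = text.split("://", 1)[-1]             # drop scheme (http, https, hxxp, hxxps)
    text = text.split("/", 1)[0]                # drop path
    return text.rsplit("@", 1)[-1].rstrip(".")  # keep the domain part of an email address

def classify(indicator, protected=PROTECTED):
    """Return (verdict, protected_domain) for one observed indicator."""
    host = refang(indicator)
    labels = host.split(".")
    # 1. Genuinely the agency's domain or one of its subdomains.
    for legit in protected:
        if host == legit or host.endswith("." + legit):
            return ("legitimate", legit)
    # 2. Agency domain used as leading labels of someone else's domain:
    #    the matching window never reaches the last (rightmost) label.
    for legit in protected:
        want = legit.split(".")
        for i in range(len(labels) - len(want)):
            if labels[i:i + len(want)] == want:
                return ("embedded-as-subdomain", legit)
    # 3. Agency domain squeezed into a single label: dot replaced by "-" or dropped.
    for legit in protected:
        if legit.replace(".", "-") in labels or legit.replace(".", "") in labels:
            return ("lookalike-label", legit)
    return ("no-match", None)

# Indicators copied from this report (defanged) plus two legitimate hostnames.
SAMPLES = [
    "www.transportation.gov",
    "www.dol.gov",
    "hxxps://transportation[.]gov[.]qq-1[.]pw/V1/",
    "www[.]dol[.]gov[.]bid-sync[.]eq1[.]pw",
    "leonardo.sanroman{at}dot-gov[.]us",
    "virginiagov[.]us",
    "tngov[.]us",
]

def scan(indicators=SAMPLES):
    """Return only the indicators that mimic a protected domain."""
    verdicts = {s: classify(s) for s in indicators}
    return {s: v for s, v in verdicts.items() if v[0] not in ("legitimate", "no-match")}

if __name__ == "__main__":
    for indicator, (verdict, legit) in scan().items():
        print(f"{verdict:22} mimics {legit:20} {indicator}")
```

<p>Exact-label matching keeps false positives low but will miss typo variants and domains for agencies not in the protected list (for example idoa-gov[.]us here), so it complements rather than replaces a monitoring service.</p>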