Online Bidding-Themed Phishing Campaigns Aim to Trick U.S. Federal Government Contractors

February 25, 2019 | Anomali Labs

In late February 2019, Anomali Labs researchers discovered a malicious server hosting two separate phishing campaigns targeting government contractors desiring to do business with two U.S. federal government agencies. In both instances, the phisher created faux landing pages mimicking the Department of Transportation eProcurement login portal and the Department of Labor home page to lure federal contractors into sending their personally identifiable information (PII) to the threat actor. Upon discovery, Anomali Labs submitted the fraudulent sites for blacklisting consideration with Google Safe Browsing and Microsoft Windows Defender Security Intelligence.

U.S. Department of Transportation Online Bidding Phishing Scheme

On February 23, 2019, Anomali Labs found a suspicious-looking subdomain transportation[.]gov[.]bidsync[.]kela[.]pw containing the legitimate domain transportation.gov for the U.S. Department of Transportation (DOT). When users visit the domain in their web browsers, they are redirected to a phishing site located at <hxxps://transportation[.]gov[.]qq-1[.]pw/V1/> that is designed to appear as a DOT eProcurement portal. However, the site contains at least three components dissimilar to the legitimate DOT homepage:

  1. A pop-up window titled “Invitation for Bid” in which the DOT purportedly seeks quotations (RFQ) from qualified contractors for ongoing government projects, with a due date of February 25, 2019 and bid numbers 0045620 and 0041378. It also instructs interested parties to email the acting manager Leonardo San Roman (email: leonardo.sanroman{at}dot-gov[.]us). A review of the DOT website confirmed Mr. San Roman is a DOT employee working as the Acting Manager for the DOT Office of Small and Disadvantaged Business Utilization’s Procurement Assistance Division; however, legitimate DOT emails end in @dot.gov (See Figure 1).
  2. A red box in the middle of the screen titled “Click here to bid” that redirects users to a faux login page to harvest their email address and password (See Figure 2).
  3. A slider box in the middle of the page with faux content announcing the Invitation to Bid and several pages with false contact details and information (See Figure 3).

Fake landing page for U.S. Department of Transportation eProcurement Portal
Figure 1. Fake landing page for U.S. Department of Transportation eProcurement Portal

Pop-up window requesting login credentials
Figure 2. Pop-up window requesting login credentials

Consolidated content from slider box on faux U.S. Department of Transportation online bidding-themed phishing site
Figure 3. Consolidated content from slider box on faux U.S. Department of Transportation online bidding-themed phishing site

Indicator Expansion

The server hosting the phishing site transportation[.]gov[.]qq-1[.]pw had a self-signed TLS certificate (SN: 0326F75810AC41651CC5EBC6006D7F64F7B0) installed, issued by Let’s Encrypt, a free certificate provider, with a validity period of three months starting on February 21, 2019 and ending on May 22, 2019. This may indicate that the phishing campaign has been active since on or around February 21. At the time of this report, the server resolved to a shared IP address 107.180.54[.]250 (AS26496 - GoDaddy) located in the United States that also hosts numerous other suspicious and malicious sites. A particular site of interest, dol[.]gov[.]qq-1[.]pw, used the domain name dol.gov in its naming convention, which is the U.S. Department of Labor’s parent domain and main website.

U.S. Department of Labor Phishing Campaign

When navigating to the fraudulent hostname dol[.]gov[.]qq-1[.]pw, users are presented with a spoofed DOL page located at <hxxps://dol[.]gov[.]qq-1[.]pw/V1/>. The spoofed site is a cloned version of the DOL main page with one additional feature: a red highlighted box with the words “Click here to bid”, located in the middle of the site (See Figure 4). Once users click to bid on the contract, a pop-up login window appears that requests the potential victim’s email address and password (See Figure 5). However, once the victim has entered their credentials, they are presented with the following error message: "Please Try again, Sign in with your correct email" (See Figure 6).

Fake landing page
Figure 4. Fake landing page for U.S. Department of Labor

Pop-up window requesting login credentials
Figure 5. Pop-up window requesting login credentials

Error message displayed once entering user credentials
Figure 6. Error message displayed once entering user credentials

A Closer Look at Domain Name dot-gov[.]us

The domain dot-gov[.]us was registered on December 7, 2018 with the registrar Namecheap to a suspected cybersquatter from Grover, Pennsylvania named David Paris, who uses the email address davuchi001{at}gmail[.]com. Of note, this domain has changed ownership multiple times since it was originally created on June 13, 2013. A reverse Whois lookup of this registrant name and email address uncovered a combined total of 133 related domains. Intriguingly, reviewing these domains revealed at least seven sites targeting agencies of the U.S. federal government and four state governments.

Suspicious Domain | Spoofed Legitimate Site | Spoofed Government Agency
--- | --- | ---
gov[.]us | usa.gov | Federal Government of the United States
virginiagov[.]us | virginia.gov | State of Virginia
tngov[.]us | tn.gov | State of Tennessee
mncppc-org[.]us | mncppc.org | Maryland-National Capital Park and Planning Commission (M-NCPPC)
montgomeryparks-org[.]us | montgomeryparks.org | Montgomery (Maryland) County Department of Parks
idoa-gov[.]us | www.in.gov/idoa/ | Indiana Department of Administration
in-gov[.]us | in.gov | State of Indiana

Table 1. Suspicious-looking domains mimicking agencies from the U.S. federal government and four U.S. state governments

Defending Against Online Bidding Schemes

  • Be wary of unsolicited communications claiming to come from a federal government agency. Do not click on embedded hyperlinks that ask you to visit a website to submit a contract bid, and do not download file attachments from the untrusted source, as the hyperlink or file is most likely malicious.
  • Do not blindly trust the padlock at the left of the browser address bar: threat actors can easily obtain a free TLS/SSL certificate to make a site appear to come from a trusted source.
  • Inspect the website address to ensure that it indeed belongs to the legitimate government agency and not to a fraudulent actor concealing their presence by using the legitimate agency’s domain name as a subdomain of a malicious site.
  • When in doubt, directly contact the contract representative of the government agency to confirm the legitimate website prior to submitting the necessary paperwork. Reminder: do not use the contact details provided in unsolicited messages, as they are most likely fraudulent.
  • All levels of government should invest in a domain monitoring service that can detect and alert on domains and subdomains mimicking their agencies. Once such a domain is discovered, the agency’s security personnel should work on taking down the offending domains and websites to prevent their employees, citizens, and third parties from becoming victims of a social engineering attack.
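The two naming tricks this post documents, a legitimate agency domain nested under an attacker-controlled domain (transportation[.]gov[.]qq-1[.]pw) and dot-to-hyphen or dot-removal lookalikes under another TLD (dot-gov[.]us, virginiagov[.]us), are exactly what a domain monitoring service needs to flag. The following is an added example and not code from Anomali or the post; the PROTECTED watch list and SAMPLE hostnames are constructed from the indicators above, and treating the last two labels as the registrable domain is an assumed simplification.

```python
# Added example, not code from the Anomali post: a minimal lookalike check for
# the two naming tricks described above. Watch list and samples are constructed
# from the post's indicators; "last two labels" as the registrable domain is a
# simplification (use the Public Suffix List in production).
PROTECTED = {"transportation.gov", "dot.gov", "dol.gov", "usa.gov",
             "virginia.gov", "tn.gov", "in.gov"}

def registrable_domain(host):
    """Simplified eTLD+1: the last two DNS labels (assumption, see above)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def _squash(name):
    """Drop dots and hyphens so dot-gov, dotgov and dot.gov compare equal."""
    return name.replace(".", "").replace("-", "")

def classify(host):
    """Return (verdict, matched_domain) for one hostname."""
    host = host.lower().strip(".")
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    labels = host.split(".")
    # Pattern 1: a protected domain spelled out in the labels left of the
    # registrable domain, e.g. transportation.gov under qq-1.pw.
    for i in range(len(labels) - 2):
        for j in range(i + 2, len(labels)):
            candidate = ".".join(labels[i:j])
            if candidate in PROTECTED:
                return ("subdomain-spoof", candidate)
    # Pattern 2: the registered name is a protected domain with its dot
    # removed or turned into a hyphen, e.g. dot-gov.us or virginiagov.us.
    for protected in PROTECTED:
        if _squash(reg.split(".")[0]) == _squash(protected):
            return ("substitution-spoof", protected)
    return ("unknown", reg)

def scan(hosts):
    """Keep only hostnames whose verdict is one of the two spoof patterns."""
    results = [(h,) + classify(h) for h in hosts]
    return [r for r in results if r[1].endswith("spoof")]

# Constructed sample drawn from the indicators listed in this post.
SAMPLE = ["transportation.gov.qq-1.pw", "www.dol.gov.bid-sync.eq1.pw",
          "dot-gov.us", "virginiagov.us", "www.transportation.gov"]

if __name__ == "__main__":
    for host, verdict, matched in scan(SAMPLE):
        print(f"{host}: {verdict} of {matched}")
```

Feed it newly observed certificate-transparency or passive-DNS hostnames instead of SAMPLE to get the alerting the last bullet describes.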

Conclusion

Online bidding-themed phishing schemes are a common technique employed by threat actors to steal account credentials from contractors looking to conduct business with local, state, and federal government agencies. Although we were unable to recover a phishing email for this case, the use of spoofed email addresses of legitimate government employees is a likely sign that threat actors are social engineering contractors with email-based attacks. We expect to see similar attacks spoofing local, state, and federal government agencies for the long term and will continue to track and report on the latest campaigns.

Appendix A - Indicators of Compromise


Appendix B - Whois Record for dot-gov[.]us
