Phishers Target Texas Department of Transportation Contractors with Online Bidding Scheme

<p>On February 15th, 2019, Anomali Labs researchers found an active phishing page masquerading as a legitimate Texas Department of Transportation (TxDOT) online bidding website. The illegitimate portal <hxxps: login[.]php="" secure="" user-login="" www[.]txdot[.]gov[.]us.e-bid.sync.auth.moovindancestudio[.]com=""> is being hosted on a suspected compromised server used by a North Carolina-based dance studio group.  The server resolves to a France-based IP address 62.210.201[.]8, which has been observed hosting multiple phishing sites in the past 30 days. The TLS certificate was issued by cPanel, Inc. Certification Authority on February 1st 2019 with a validity of 3 months. This could be a possible indication that the phishing campaign has been active since at least the beginning of February.</hxxps:></p><p>When navigating to the URL, the user is presented with a site that replicates the legitimate TxDOT website.  The following message is prescribed to the visitor:</p><p>“WE HAVE SELECTED YOUR COMPANY TO SUBMIT A BID ON THE FOLLOWING PROJECT PLEASE CLICK ON THE BID BUTTON TO COMMUNICATE YOUR PRIVATE PORTAL</p><p>ALL QUESTIONS CONCERNING THE PREPARATION OF QUOTATION SHOULD BE SUBMITTED BY EMAIL TO PROCUREMENT{at}TEXAS-GOV[.]US BY CLOSE OF BUSINESS FEBRUARY 28TH, 2019”</p><p>The short validity period of the TLS certificate (3 months) and the web page welcome content, which indicates that the visitor has only until the 28th of February to query quotation preparation, highlights the short-expected lifespan of this campaign. The inclusion of a short-term deadline is also a common tactic employed by phishers and scammers to invoke a sense of urgency on the targeted victims.</p><p style="text-align: center;"><em><img alt="TxDOT Procurement Portal" src="https://cdn.filestackcontent.com/X8FVDiQRfe3tY3rbFVgc"/><br/> Figure 1. Illegitimate landing page for TxDOT Procurement Portal</em></p><p>A “Click here to Bid” button loads a form element when selected which prompts the user to enter their personal email address (Microsoft Outlook, Gmail, Office 465, Yahoo, or AOL) and password. This is requested so the victim can receive a “Bid ID”. A ‘Accept Terms and conditions’ checkbox is included to add legitimacy:</p><p style="text-align: center;"><em><img alt="" src="https://cdn.filestackcontent.com/RZQfRwu9TdyqEZzi3xXI"/><br/> Figure 2. Sign in prompt to snare email credentials</em></p><p>Regardless of the validity of the data which is inserted into the form, the following is returned upon selecting “Sign in”:</p><p style="text-align: center;"><em><img alt="" src="https://cdn.filestackcontent.com/2BOYLxZ8TCqGG3pLxL8N"/><br/> Figure 3. Wrong password response when the user inserts credentials</em></p><p>As per commonly observed credential harvesting websites, the cyber threat actor at this stage has now captured the inserted victim credentials. Anomali Labs assesses with moderate confidence that this attack is being used to acquire access to commercial Texas entities to obtain further personal/corporate access or data, to sell the credentials to other cyber threat actors or groups, and/or use to extort the victims whom were susceptible to the lure.</p><h2>Defending Against Phishing and Credential Harvesting Sites</h2><h3>Enterprises</h3><p><strong>Domain Takedowns</strong> - The first step in protecting your brand is to register your trademark.  Trademark owners have the right to submit takedowns of fraudulent domains via Registrars and Hosting Providers by filing a complaint with these organisations.  Another right of the trademark owner is entering into the Uniform Domain-Name Dispute Resolution-Policy (UDRP) by filing a Uniform Rapid Suspension (URS) complaint with the World Intellectual Property Organisation (WIPO) to takedown the offending domains.  A friendly reminder, organisations need to first register your trademarked brand with the Trademark Clearinghouse (TMCH), which is ICANN’s database of protected trademarks before submitting the URS complaint.</p><p><strong>Browser Vendor Reporting</strong> - If you come across a phishing or malware site and followed the takedown options with no success, or a delay in the offending domains removal, consider reporting it to a Google and Microsoft.  Reporting these malicious sites could allow other users to receive security warnings before visiting the site and possibly prevent infection or credential exposure.</p><ul><li><a href="https://safebrowsing.google.com/safebrowsing/report_phish/?hl=en" target="_blank">Google SafeBrowsing</a></li><li><a href="https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site-guest" target="_blank">Microsoft</a></li></ul><p><strong>Threat hunting</strong> - Proactively search for targeted activity considering relevant and timely cyber threat information and intelligence.</p><p><strong>Cybersecurity awareness program</strong> - If not already in place, consider implementing a plan to continually train and educate all staff members on the dangers of social engineering attacks. Reward staff appropriately for observing the teachings.</p><p><strong>Brand Protection Solutions</strong> - Invest in a comprehensive brand monitoring solution that includes suspicious domain registrations and phishing site detection to track, investigate, and remediate targeted adversarial activity.</p><p><strong>Situational Awareness</strong> - Consider staying abreast of the latest cyber security threat developments by subscribing to the <a href="https://www.anomali.com/community">Anomali Weekly Threat Briefing</a> and other cyber news articles and blogs.</p><p><strong>Information Sharing and Analysis Center (ISAC)/Security Interest Group</strong> - Upon being alerted on such incidents, where possible, the indicators such as sender email address, sender’s IP address, embedded hyperlinks, malicious file attachments, and tactics, techniques, and procedures (TTPs) should be shared amongst trusted partners via a secure channel such as an ISAC or relevant security interest group. <a href="https://www.anomali.com/isacs-sharing">More information can be found here.</a></p><h3>Individuals</h3><p>Do not click on links or open attachments in email messages if they are unsolicited or look suspicious. Seek to validate the authenticity of the message by contacting the sender organisation via a verified phone number or contact email address.</p><p>Always check the URL of the website and make sure that it belongs to the brand. Type the domain name of your brand’s website directly into your browser’s address bar rather than following any link.</p><p>Use strong and unique passwords, a password manager can help store them securely. This will lower the scope of exposure should one password be accessed by a cyber threat actor. Where available use two-factor authentication (multi-factor authentication (MFA)).</p><p>Consider investing in a secure router which provides web filtering of known illegitimate websites.</p><h2>Conclusion</h2><p>Phishing campaigns utilizing replica web pages of legitimate organizations and corporate entities continue to be a favorable threat vector for cyber criminals. In this instance, there is a very low-cost barrier to initiate this campaign:</p><ul><li>A free TLS Certificate was generated and applied to add legitimacy to the web page.</li><li>It is assumed that email was used as the delivery mechanism to publicize the site to the target individual(s) which obviously incurs no explicit charge.</li><li>The subdomain was crafted from a vulnerable domain which meant the attacker did not need to purchase a new domain. This is also preferable as domain age is an established detection variable for website reputation. Therefore the cyber threat actor is leveraging the existing valid lifespan of the domain.</li></ul><p>Anomali Labs recommend following the above threat mitigation guidance in the continual fight against cyber criminality.</p><p>All organizations identified in this analysis have been promptly informed of this threat prior to release of this blog post.</p><h2>References</h2><ul><li><a href="https://urlscan.io/result/f30bb5ee-0aec-427e-8038-957bef2baadc/" target="_blank">URLScan</a></li><li><a href="https://www.virustotal.com/#/url/e152d68f6e63246c7e65da7f3e7a8c25aa067c0ab848e6c1b80abb09c1c22096/detection" target="_blank">VirusTotal</a></li><li><a href="https://www.hybrid-analysis.com/sample/49dec00841db85483dab2d331c48f1f5e705796a7acd0795a95fa54cd512ff0a?environmentId=100" target="_blank">Hybrid Analysis</a></li></ul>