Phishing Scam Lures Australian Government Contractors Into Disclosing Account Credentials

Anomali Labs observed a new tender-themed phishing scam targeting companies allegedly selected by the Australian Government to submit tenders for commercial projects.
Published on
January 14, 2019
<p>On January 9, 2019, Anomali Labs observed a new tender-themed phishing scam targeting companies allegedly selected by the Australian Government to submit tenders for commercial projects. The document purports to be from the Secretary of Infrastructure and Regional Development, Dr. Steven Kennedy. The premise behind the scam is to lure users into disclosing their account credentials by registering for eligibility to bid on commercial projects in 2019.</p><p>Presumably, recipients received a spam or phishing email containing a seemingly benign notification letter “Australia Tender Invitation.pdf” requesting they submit a tender. The file instructs the recipient to click on the “Tender” button to register at the Department's online portal using their email account (see Figure 1).</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/AownxxreTDqMUwvR1ExP"/><br/> <strong>Figure 1. Phishing Document Disguised as a Tender Notification Letter</strong></p><p>When users click on the link, they are presented with a replica of the Department of Infrastructure, Regional Development, and Cities registration page designed to steal the user’s login credentials. The site asks companies to click on the “Click here to Tender” button located in the middle of the page, which leads to an illegitimate private portal for registering and submitting the tender. To create a sense of urgency, the site claims that the deadline for tender submissions is no later than January 28th, 2019.</p><p style="text-align: center;"><img alt="" src="https://cdn.filestackcontent.com/ILvnBDMQFmcT6RiP6pUA"/><br/> <strong>Figure 2. 
Screenshot of Online Tender-Themed Phishing Site Targeting Australian Government Contractors</strong></p><h2>Mitigating Fraudulent Government Tender Sites</h2><p>Anomali recommends the following guidelines for reducing the threat of Tender-related phishing messages:</p><ul><li>Ensure staff understand normal ways of working (especially regarding interaction with other organizations), so that they're better equipped to spot out-of-the-ordinary requests. This can be accomplished by establishing a cyber security awareness program with training on how to spot and treat a spam or phishing email.</li><li>Always be cautious regarding unsolicited emails that contain links and attachments. If in doubt, look to validate the legitimacy of the message by contacting the sender organization using an alternate method of contact, e.g. using a verified phone number.</li><li>Check for telltale signs of phishing: Does the message have poor spelling, grammar and punctuation? Is it addressed to you by name, or does it have a generic reference, e.g. “valued customer” or “trusted contact”? This can be a sign that the sender does not actually know you, and that it is part of a phishing scam. Does the email contain a veiled threat that asks you to act urgently? If it sounds too good to be true, it probably is.</li><li>All organizations should look to employ best practice email authentication standards (SPF, DKIM, and DMARC) and deploy adequate filtering services, ensuring these are optimized to deal with the latest cyber threat tactics, techniques, and procedures (TTPs).</li><li>Be conscious of your digital footprint. Cyber threat actors use publicly available information about you and your organisation to make their phishing messages more convincing and realistic. 
This is often gleaned from social media accounts, company websites, and media releases.</li><li>Consider staying abreast of the latest cyber security threat developments by subscribing to the <a href="https://www.anomali.com/community" target="_blank">Anomali Weekly Threat Briefing</a> and other cyber news articles.</li><li>Always report suspicious messages to the appropriate authorities and your organization’s information security point of contact. Upon being alerted to such incidents, where possible, indicators such as the sender email address, the sender’s IP address, and tactics, techniques, and procedures (TTPs) should be shared amongst trusted partners via a secure channel such as an Information Sharing and Analysis Center (ISAC) or relevant security interest group. More information can be found <a href="https://www.anomali.com/isacs-sharing" target="_blank">here</a>.</li></ul><h2>Conclusion</h2><p>At this time there are no known compromises; however, it would be advisable for individuals and companies interested in pursuing government contracts to be wary of unsolicited emails claiming to be from the Australian Government Department of Infrastructure and Regional Development. It would also be prudent for all government entities to ensure adequate messaging is presented to make prospective bidders aware of the correct procedures when applying for tenders or bids and to provide relevant security warnings about such illegitimate phishing scam campaigns. 
Anomali Labs expects Tender- and Bidding-themed phishing scams targeting organizations involved in government contracting to continue in 2019 and will report on any new scams as we are made aware of them.</p><h2>Observables</h2><p>The following are the indicators of compromise we have observed in this latest phishing scam:</p><table class="table table-bordered table-striped" style="width: 100%;"><thead><tr><th scope="col">Indicator</th><th scope="col">Indicator Type</th><th scope="col">Description</th></tr></thead><tbody><tr><td>166f372483a3cb9d2d9292e9bb33b85f</td><td>MD5</td><td>Phishing Document named Australia Tender Invitation.pdf</td></tr><tr><td>d031b743379d13cc9eb9cf7e8013be2af2105ad7</td><td>SHA-1</td><td>Phishing Document named Australia Tender Invitation.pdf</td></tr><tr><td>5817ff2a94b366ce3acd8b827e687690e9ade73ad21f6240edcfc588c4d04ba6</td><td>SHA-256</td><td>Phishing Document named Australia Tender Invitation.pdf</td></tr><tr><td>hxxp://infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]polimatibd[.]com</td><td>URL</td><td>The Department of Infrastructure and Regional Development, Australian Government - Tender Portal Credential Harvesting Site</td></tr><tr><td>hxxps://www[.]infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]instaxsupport[.]com/secure/user-login/login.php</td><td>URL</td><td>The Department of Infrastructure and Regional Development, Australian Government - Tender Portal Credential Harvesting Site</td></tr><tr><td>37.187.28[.]217</td><td>IP Address</td><td>Phishing Site Server IP Address</td></tr></tbody></table><h3>External Sources</h3><ul><li><a href="https://www.hybrid-analysis.com/sample/c7179e4e37fae82bf99280569b8a2fcae2c9701c5099020b0779a880a9c39744/5c33f5947ca3e147ca454fe5" target="_blank">Hybrid Analysis</a></li><li><a href="https://www.hybrid-analysis.com/sample/5817ff2a94b366ce3acd8b827e687690e9ade73ad21f6240edcfc588c4d04ba6?environmentId=120" target="_blank">Hybrid 
Analysis</a></li><li><a href="https://www.virustotal.com/#/file/5817ff2a94b366ce3acd8b827e687690e9ade73ad21f6240edcfc588c4d04ba6/details" target="_blank">VirusTotal</a></li></ul>
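<p>Both credential-harvesting URLs in the Observables table put the department's domain at the left of the hostname, while the registered domain on the right belongs to someone else. The Python check below is an added example, not Anomali's code: it refangs an indicator and flags that hostname pattern for use in mail or proxy filtering. The <code>PROTECTED</code> list and all function names are assumptions of this example.</p>

```python
import re
from urllib.parse import urlsplit

# Assumption: domains your users genuinely sign in to. Here, the domain the
# lure embeds in its hostnames (taken from the Observables table).
PROTECTED = ("infrastructure.gov.au",)


def refang(indicator: str) -> str:
    """Undo common defanging (hxxp, [.]) and strip zero-width spaces."""
    s = indicator.strip().replace("\u200b", "")
    s = s.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL or bare host, without port or userinfo."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def impersonates(indicator: str, protected=PROTECTED):
    """Return the protected domain a hostname embeds without belonging to it.

    A host is fine if it equals a protected domain or is a subdomain of it.
    It is suspicious if the protected domain's labels appear as a contiguous
    run anywhere else in the name, i.e. to the left of a foreign domain.
    """
    host = host_of(refang(indicator))
    labels = host.split(".")
    for domain in protected:
        if host == domain or host.endswith("." + domain):
            continue
        want = domain.split(".")
        n = len(want)
        if any(labels[i:i + n] == want for i in range(len(labels) - n + 1)):
            return domain
    return None


if __name__ == "__main__":
    samples = [  # first two are from the table above; the third is constructed
        "hxxp://infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]polimatibd[.]com",
        "hxxps://www[.]infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]instaxsupport[.]com/secure/user-login/login.php",
        "https://www.infrastructure.gov.au/",
    ]
    for s in samples:
        print(host_of(refang(s)), "->", impersonates(s) or "ok")
```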
