On January 9, 2019, Anomali Labs observed a new tender-themed phishing scam targeting companies allegedly selected by the Australian Government to submit tenders for commercial projects. The document purports to be from the Secretary of Infrastructure and Regional Development, Dr. Steven Kennedy. The premise behind the scam is to lure users into disclosing their account credentials by registering for eligibility to bid on commercial projects in 2019.
Presumably, recipients received a spam or phishing email containing a seemingly benign notification letter “Australia Tender Invitation.pdf” requesting they submit a tender. The file instructs the recipient to click on the “Tender” button to register at the Department's online portal using their email account (See Figure 1).
Figure 1. Phishing Document Disguised as a Tender Notification Letter
When users click on the link, they are presented with a replica of the Department of Infrastructure, Regional Development, and Cities registration page designed to steal the user’s login credentials. The site asks companies to click on the “Click here to Tender” button located in the middle of the page, which leads to an illegitimate private portal for registering and submitting the tender. To create a sense of urgency, the site claims that the deadline for tender submissions is no later than January 28th, 2019.
Figure 2. Screenshot of Online Tender-Themed Phishing Site Targeting Australian Government Contractors
Anomali recommends the following guidelines for reducing the threat of Tender-related phishing messages:
At this time there are no known compromises; however, it would be advisable for individuals and companies interested in pursuing government contracts to be wary of unsolicited emails claiming to be from the Australian Government Department of Infrastructure and Regional Development. It would also be prudent for all government entities to ensure adequate messaging is presented to make prospective bidders aware of the correct procedures when applying for tenders or bids, and to provide relevant security warnings about such illegitimate phishing scam campaigns. Anomali Labs expects Tender- and Bidding-themed phishing scams targeting organizations involved in government contracting to continue in 2019 and will report on any new scams as we are made aware of them.
The indicators of compromise we have observed in this latest phishing scam are listed below:
| Indicator | Type | Description |
|---|---|---|
| 166f372483a3cb9d2d9292e9bb33b85f | MD5 | Phishing Document named Australia Tender Invitation.pdf |
| d031b743379d13cc9eb9cf7e8013be2af2105ad7 | SHA-1 | Phishing Document named Australia Tender Invitation.pdf |
| 5817ff2a94b366ce3acd8b827e687690e9ade73ad21f6240edcfc588c4d04ba6 | SHA-256 | Phishing Document named Australia Tender Invitation.pdf |
| hxxp://infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]polimatibd[.]com | URL | The Department of Infrastructure and Regional Development, Australian Government - Tender Portal Credential Harvesting Site |
| hxxps://www[.]infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]instaxsupport[.]com/secure/user-login/login.php | URL | The Department of Infrastructure and Regional Development, Australian Government - Tender Portal Credential Harvesting Site |
| 37.187.28[.]217 | IP Address | Phishing Site Server IP Address |
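
Both URLs above place the labels `infrastructure.gov.au` in front of an unrelated registered domain, so the hostname looks official when read from the left. The following detection sketch is an added example, not Anomali's code; the `PROTECTED` list and the function names are assumptions chosen for illustration. It flags any hostname that embeds a protected domain as subdomain labels without actually ending in it.

```python
from urllib.parse import urlsplit

# Assumption: the domains a defender wants to protect from look-alike hostnames.
PROTECTED = ("infrastructure.gov.au",)

# The two defanged URLs from the indicator table, plus one constructed benign control.
SAMPLES = [
    "hxxp://infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth[.]polimatibd[.]com",
    "hxxps://www[.]infrastructure[.]gov[.]au[.]tender[.]portal[.]login[.]auth"
    "[.]instaxsupport[.]com/secure/user-login/login.php",
    "https://www.infrastructure.gov.au/department",  # constructed control
]


def hostname_of(indicator: str) -> str:
    """Refang an hxxp / [.] style indicator in memory and return its lowercase hostname."""
    url = indicator.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in url:
        url = "http://" + url  # bare hostnames need a scheme for urlsplit
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def impersonated_domain(indicator: str, protected=PROTECTED):
    """Return the protected domain that appears as leading labels of a hostname
    which does not actually end in that domain, or None if there is no such match."""
    labels = hostname_of(indicator).split(".")
    for domain in protected:
        want = domain.split(".")
        n = len(want)
        if labels[-n:] == want:
            continue  # the protected domain itself or a genuine subdomain of it
        # Slide over every position except the tail, which was handled above.
        for i in range(len(labels) - n):
            if labels[i:i + n] == want:
                return domain
    return None


if __name__ == "__main__":
    for sample in SAMPLES:
        hit = impersonated_domain(sample)
        print(f"{'SUSPICIOUS' if hit else 'ok':<10} {hostname_of(sample)}")
```

The same check can be run over URLs extracted from mail gateway or proxy logs; it does not cover hyphenated or misspelled look-alikes, which need separate rules.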