Researchers have discovered phishing campaigns mimicking US government bidding sites and procurement portals in a bid to scam federal contractors.
On Monday, Anomali Labs researchers said the phishing schemes were detected in late February, in which a malicious server was found to be hosting two separate campaigns.
The schemes have been designed to fool government contractors seeking to do business with federal agencies and, upon first look, appear to display eProcurement login portals belonging to the US Department of Transportation (DOT) and the Department of Labor.
The malicious domains have been well-crafted. The fake DOT portal was reached via transportation.gov.bidsync.kela.pw, which redirected visitors to the phishing website transportation.gov.qq-1.pw/V1.
The DOT website brings up a window with an "Invitation for Bid" message which claims that federal groups are seeking quotes from qualified contractors.
An email address is included for a real, existing federal employee ending in @dot-gov.us. Legitimate DOT email addresses end with @dot.gov, a small difference which may not be known or noticed by victims.
In order to bid, users click a button that directs them to a fake login page, which harvests the email address and password they would use for legitimate procurement domains. False contact information is also displayed.
The server hosting this malicious domain has been self-signed with a certificate issued by Let's Encrypt, valid from 21 February 2019 to 22 May 2019, which suggests that the phishing scheme has only recently become active.
The fraudulent US Department of Labor domain, dol.gov.qq-1.pw, is a clone of the legitimate website with the same "Invitation for Bid" message, and it also points victims towards a page that harvests credentials. If users submit their information, they are shown an error message.
Upon further examination, Anomali found a total of seven sites targeting US federal agencies and state governments with domain names registered in the same way, including tngov.us (the State of Tennessee), gov.us (the Federal Government of the United States) and idoa-gov.us (the Indiana Department of Administration).
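The domains above all rely on the same trick: a legitimate-looking name such as transportation.gov or dot-gov is placed in the labels the attacker controls, while the part that is actually registered (kela.pw, qq-1.pw, tngov.us) is not a .gov domain at all. The script below is an added example, not Anomali's tooling or anything from the campaign itself; it shows how a defender's mail filter or SOC triage script can extract the registrable domain from a hostname, flag hosts and sender addresses that merely contain "gov" without being under the .gov top-level domain, and run that check over a constructed message modelled on the "Invitation for Bid" lure. The message text, the function names and the simplified suffix handling (last two labels, rather than the full Public Suffix List) are assumptions made for the example.

```python
import re

# Regexes for pulling indicators out of free text (constructed for this example).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
URL_HOST_RE = re.compile(r"https?://([\w.-]+)")


def registrable_domain(hostname: str) -> str:
    """Return the registrable domain, i.e. the part the attacker actually owns.

    transportation.gov.bidsync.kela.pw -> kela.pw: everything to the left of it
    is free-form labels chosen by whoever controls kela.pw.
    Assumption: single-label public suffixes only (gov, us, pw, ...); a production
    tool should consult the full Public Suffix List (e.g. the tldextract package)
    so that multi-label suffixes such as co.uk are handled too.
    """
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0]
    return ".".join(labels[-2:])


def classify_hostname(hostname: str) -> str:
    """'gov-tld' if genuinely under .gov, 'lookalike' if a label merely contains
    'gov' while the name is registered under another TLD, else 'unrelated'."""
    labels = hostname.lower().rstrip(".").split(".")
    if labels[-1] == "gov":
        return "gov-tld"
    if any("gov" in label for label in labels):
        return "lookalike"
    return "unrelated"


def is_lookalike_sender(address: str) -> bool:
    """True for sender domains such as dot-gov.us that imitate a .gov address
    (compare the legitimate dot.gov mentioned in the article)."""
    domain = address.rsplit("@", 1)[-1]
    return classify_hostname(domain) == "lookalike"


def scan_message(text: str) -> dict:
    """Map every URL host and e-mail address found in the text to a verdict."""
    verdicts = {}
    for host in URL_HOST_RE.findall(text):
        verdicts[host] = classify_hostname(host)
    for address in EMAIL_RE.findall(text):
        verdicts[address] = (
            "lookalike-sender" if is_lookalike_sender(address) else "sender-ok"
        )
    return verdicts


# Constructed sample message modelled on the "Invitation for Bid" lure described
# in the article; the contact address is invented, the URL host is from the report.
SAMPLE_MESSAGE = """Invitation for Bid: federal agencies are seeking quotes from
qualified contractors. Review the solicitation at https://transportation.gov.qq-1.pw/V1
and direct questions to contracting.officer@dot-gov.us before the deadline."""

if __name__ == "__main__":
    for indicator, verdict in scan_message(SAMPLE_MESSAGE).items():
        print(f"{indicator:45} {verdict}")
```

Running the script prints the phishing host as `lookalike` and the contact address as `lookalike-sender`; a real deployment would feed the same functions from a mail gateway or proxy log and alert, rather than print, on any `lookalike` verdict, while `gov-tld` results still deserve a check against an allowlist of the agencies the organisation actually deals with.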
Anomali was unable to source a phishing email to determine the range and volume of campaigns tied to the malicious domains or to track who may be responsible, but the company expects to see similar schemes launched against local, state, and federal government agencies in the long-term.