• Researchers discovered a malicious server hosting two separate phishing campaigns targeting federal government contractors.
  • Suspicious-looking subdomain transportation[.]gov[.]bidsync[.]kela[.]pw is used to perform the campaigns.

Two separate phishing campaigns targeting US federal government contractors have been observed recently. The intent of the attackers is to lure the contractors into sending their personally identifiable information (PII).

What is the matter - Researchers at Anomali Labs have discovered a malicious server hosting two separate phishing campaigns targeting federal government contractors to do business with two US federal government agencies. On February 23, 2019, the researchers discovered suspicious-looking subdomain transportation[.]gov[.]bidsync[.]kela[.]pw that includes the legitimate domain for the US Department of Transportation (DOT).

How the campaign works - When users visit the domain in their web browsers, they are redirected to a phishing site located at <hxxps://transportation[.]gov[.]qq-1[.]pw/V1/>. The phishing site contains at least three components that are are not available on the legitimate DOT homepage:

  • A fake pop-up window named ‘Invitation for Bid’ where the DOT is asking for the quotation from qualified contractors for ongoing projects that have a due date of February 25, 2019 and BID numbers: 0045620 and 0041378.
  • A red box titled ‘Click here to bid’ that redirects users to a fake login page to harvest their email address and password.
  • A slider box in the middle of the page that includes fake content announcing the Invitation to Bid and several pages with false contact details.

Once the victims enter their credentials, they are presented with an error message that reads, ‘Please Try again, Sign in with your correct email’.

What can you do to protect yourself - The following steps can help users to protect themselves from such online bidding schemes:

  • Be cautious if you receive unsolicited communication from a federal government agency. Do not click on the links that come embedded in the email and claim to visit a site to submit a contract bid.
  • Check the legitimacy of the website address before revealing your credentials.
  • When in doubt, directly contact the contract representative of the government agency to confirm whether the site is legitimate or not.
Conclusion - Online bidding-themed phishing schemes have become a common attack vector to target contractors. Simple social engineering techniques are leveraged to deceive the victims and take away their credentials. Experts believe that attackers will perform similar types of attacks spoofing local, state and federal government agencies to target other institutions.
Cyware Publisher