In mid-August, the U.S. Senate passed a $1 trillion infrastructure bill, and threat actors wasted no time trying to capitalize on it. Between August 16th and 18th, INKY, a security company specializing in spam email campaigns, reported identifying 41 phishing emails impersonating the U.S. Department of Transportation (USDOT). The threat actors used a combination of tactics to evade detection, including registering new domains that mimic federal websites.
The campaign targeted employees at companies in the engineering, energy, and architecture industries with emails that impersonated the USDOT. Each email contained an invitation to submit a bid for a department project and a blue button labeled “CLICK HERE TO BID”. Victims who clicked the button were redirected to a seemingly legitimate site whose hostname used subdomain labels such as “transportation” and “gov”, but whose base domain was akjackpot[.]com. According to INKY, this domain hosts what may or may not be an online casino that appears to cater to Malaysians. Victims were then told to sign in with their email provider to connect to the network for bidding.
After victims entered their credentials, they were shown a ReCAPTCHA challenge, then a fake error message, and were finally redirected to the real USDOT website. By that point, the credentials had already been sent to the phishers.
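As an added illustration, not taken from the INKY report or from Binary Defense, the following Python check flags links whose hostname stacks government-looking labels in front of a registrable domain that is not under .gov, which is the lookalike pattern described above. The keyword list, the helper names and the sample email HTML are assumptions constructed for this example; only the base domain akjackpot[.]com comes from the report.

```python
"""Flag URLs whose hostname puts .gov-style labels in front of someone else's
registrable domain (e.g. transportation.gov.<attacker-domain>)."""
import re
from urllib.parse import urlparse

# Labels an impersonator of a federal site might prepend to its own domain.
# Assumed keyword list for this example, not INKY's detection logic.
LOOKALIKE_LABELS = {"gov", "transportation", "usdot", "dot", "federal", "bid"}

# Constructed sample email body; the href is written defanged on purpose.
SAMPLE_EMAIL = """<p>You are invited to submit a bid for a USDOT project.</p>
<a href="https://transportation.gov.akjackpot[.]com/bid/login">CLICK HERE TO BID</a>
<a href="https://www.transportation.gov/">U.S. Department of Transportation</a>"""


def refang(text: str) -> str:
    """Turn defanged indicators such as akjackpot[.]com back into parsable form."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Crude last-two-labels heuristic. No public suffix list is used, so
    suffixes like co.uk are not handled; it is enough to illustrate the check."""
    return ".".join(host.split(".")[-2:])


def lookalike_subdomain(url: str) -> dict:
    """Describe whether the URL's host looks like a .gov site built as a
    subdomain of a non-.gov registrable domain."""
    host = (urlparse(refang(url)).hostname or "").lower()
    labels = host.split(".")
    sub_labels = labels[:-2]                      # everything left of the base
    suspicious = sorted(set(sub_labels) & LOOKALIKE_LABELS)
    # A real federal host ends in .gov; the lookalike only contains "gov".
    flagged = bool(suspicious) and not host.endswith(".gov")
    return {
        "host": host,
        "base_domain": registrable_domain(host),
        "lookalike_labels": suspicious,
        "flagged": flagged,
    }


def scan_email_links(html: str) -> list:
    """Extract href targets from an email body and return the flagged verdicts."""
    hrefs = re.findall(r'href="([^"]+)"', html)
    return [v for v in (lookalike_subdomain(h) for h in hrefs) if v["flagged"]]
```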
Analyst Notes
Standard email security tools are necessary for all organizations, but they are not always sufficient. If a malicious email does get past those defenses, exercising caution with any links or attachments from an unrecognized sender can stop the attack before it starts. Endpoint monitoring is a strong second line of defense if a suspicious link is clicked. Binary Defense’s Managed Detection and Response identifies anomalous behavior if any malware is deployed on an endpoint, and our 24/7 team can help mitigate the attack.
https://www.inky.com/blog/attackers-impersonate-u.s.-department-of-transportation-to-harvest-microsoft-credentials