Federal government contractors are the focus of this campaign, in which attackers attempt to obtain employees' PII. While conducting research, a subdomain, transportation[.]gov[.]bidsync[.]kela[.], which embeds the legitimate DOT domain as a prefix, was found. After clicking the link, researchers were redirected to an alternate domain, hxxps://transportation[.]gov[.]qq-1[.]pw/V1/, which closely resembled the legitimate page but had three noticeable features the real site does not: a fake pop-up window titled "Invitation for Bid", in which the DOT purportedly requests quotations from qualified contractors for ongoing projects with a due date of February 25, 2019 and BID numbers 0045620 and 0041378; a red box titled "Click here to bid" that redirects users to a fake login page to harvest their email address and password; and a slider box in the middle of the page carrying fake content announcing the Invitation to Bid, along with several pages of false contact details. After credentials are entered, users repeatedly receive the message "Please Try Again, Sign in with your correct email." It is unclear at this time whether any contractors, or how many, have been affected by this campaign, but the situation is being monitored.
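As an added example that is not part of the original report, the Python check below refangs defanged indicators like the ones above and flags hostnames that embed transportation.gov as a run of leading labels under some other registrable domain, the pattern this campaign relies on; the legitimate and unrelated sample URLs are constructed, and the two-label registrable-domain rule is a simplifying assumption.

```python
import re
from urllib.parse import urlparse

LEGIT_DOMAIN = "transportation.gov"

# Constructed sample indicators: the first is the lure URL from the report
# (defanged), the other two are made up for contrast.
SAMPLES = [
    "hxxps://transportation[.]gov[.]qq-1[.]pw/V1/",
    "https://www.transportation.gov/",
    "https://example.org/login",
]


def refang(indicator: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a parseable URL."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".")


def hostname_of(indicator: str) -> str:
    """Extract the lowercase hostname, adding a scheme if the indicator lacks one."""
    url = refang(indicator)
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").rstrip(".").lower()


def registrable_domain(host: str) -> str:
    # Assumption: the registrable domain is the last two labels. A production
    # check should consult the Public Suffix List (e.g. co.uk has three labels).
    return ".".join(host.split(".")[-2:])


def embeds_domain(host: str, legit: str) -> bool:
    """True if the legitimate domain's labels appear as a contiguous run in host."""
    h, l = host.split("."), legit.split(".")
    return any(h[i:i + len(l)] == l for i in range(len(h) - len(l) + 1))


def classify(indicator: str, legit: str = LEGIT_DOMAIN) -> str:
    host = hostname_of(indicator)
    if host == legit or host.endswith("." + legit):
        return "legitimate"
    if embeds_domain(host, legit):
        # The real domain is only a subdomain of an attacker-controlled domain.
        return "lookalike:" + registrable_domain(host)
    return "unrelated:" + registrable_domain(host)


if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample} -> {classify(sample)}")
```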
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense