In mid-August, the U.S. Senate passed a $1 trillion infrastructure bill, and threat actors wasted no time trying to capitalize on it. Between August 16th and 18th, INKY, a security company specializing in spam email campaigns, identified 41 phishing emails impersonating the U.S. Department of Transportation (USDOT). The threat actors used a combination of tactics to evade detection, including creating new domains that mimic federal websites.
The campaign targeted employees at companies in the engineering, energy, and architecture industries with emails that impersonated the USDOT. Each email carried an invitation to submit a bid for a department project and a blue button with the words “CLICK HERE TO BID”. Victims who clicked the button were redirected to another seemingly normal site whose hostname used subdomains like “transportation” and “gov”, but whose base domain was akjackpot[.]com. According to INKY, this domain hosts what may or may not be an online casino that appears to cater to Malaysians. Victims were then told to sign in with their email provider to connect to the network for bidding.
After victims entered their credentials, they were shown a reCAPTCHA challenge, then a fake error message, and were finally redirected to the real USDOT website. By that point, the credentials had already been sent to the phishers.
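The lure above works because “transportation” and “gov” appear as subdomain labels while the registrable domain is unrelated. The following is an added detection check, not code from INKY or the report; it parses a link, refangs the `[.]` notation used in reports, takes the last two labels as the registrable domain (a simplification; production code would consult the Public Suffix List), and flags hosts whose subdomains imitate a federal site without actually being under `.gov`. The full hostname and the keyword list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Labels the campaign used in subdomains to look federal (assumed list;
# "transportation" and "gov" are from the report, the rest are added).
FEDERAL_LOOKALIKE_LABELS = {"gov", "transportation", "usdot", "dot"}


def refang(url: str) -> str:
    """Turn report-style defanged links (akjackpot[.]com) back into real ones."""
    return url.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (simplified; no Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_verdict(url: str) -> dict:
    """Flag a URL whose subdomain labels imitate a U.S. federal site while the
    registrable domain is not under the .gov TLD."""
    host = (urlsplit(refang(url)).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    base = registrable_domain(host)
    is_gov = base.endswith(".gov")
    sub_labels = labels[:-2] if len(labels) > 2 else []
    hits = sorted(set(sub_labels) & FEDERAL_LOOKALIKE_LABELS)
    return {
        "host": host,
        "registrable_domain": base,
        "suspicious": bool(hits) and not is_gov,
        "lookalike_labels": hits,
    }


# Constructed sample links; only the akjackpot[.]com base domain is from the report.
SAMPLE_LINKS = [
    "https://transportation.gov.akjackpot[.]com/bid",
    "https://www.transportation.gov/",
    "https://mail.example.com/inbox",
]


def scan_links(links=SAMPLE_LINKS) -> list:
    """Return a verdict for every link; suspicious ones warrant a user warning."""
    return [lookalike_verdict(u) for u in links]


if __name__ == "__main__":
    for verdict in scan_links():
        print(verdict)
```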