Phishers Impersonate U.S. Transportation Department to Steal Victims’ Microsoft Credentials


Digital attackers launched a phishing campaign where they impersonated the U.S. Department of Transportation (USDOT) to steal victims’ Microsoft credentials.

An Attack Full of Attempts at Legitimacy

Covered by ZDNet, the phishing campaign came just a few weeks after the U.S. Senate passed a $1 trillion infrastructure bill in mid-August.

Those responsible for this operation tried to use this timing to their advantage. They did so by first registering the domain transportationgov[.]net for the purpose of sending out their phishing emails. (The actual domain for USDOT is transportation.gov.) The attackers used Amazon to register the domain on August 16, which was just before the campaign began.

In the attack emails themselves, the malicious actors informed a recipient that USDOT was inviting them to submit a bid for a department project by interacting with a hyperlinked button that read, “CLICK HERE TO BID.”

In the event a recipient complied and clicked the button, they found themselves redirected to the website transportation.gov.bidprocure.secure.akjackpot[.]com. The attackers no doubt crafted this hostname so that the visitor would see “transportation.gov” at the start and assume they were safe. But transportation.gov isn’t the base (registrable) domain here; akjackpot[.]com is, and “transportation.gov” is merely a subdomain label beneath it. That domain hasn’t had anything to do with USDOT since someone first registered it in 2019. On the contrary, it appears to have hosted the website for an online casino that catered to Malaysians for some unknown period.

It’s unclear whether those who first registered akjackpot[.]com were responsible for this attack or whether the phishers compromised the domain.

Either way, the attackers used the site to display the following instructions: “Click on the BID button and sign in with your email provider to connect to the network.” Assuming the visitor did, the campaign then presented them with a website that replicated the HTML and CSS stolen from USDOT’s official site. The website came with a “CLICK HERE TO BID” button that, if clicked, displayed a dialog box designed to steal the visitor’s Microsoft credentials.

When the visitor first attempted to submit their credentials, the campaign presented them with a reCAPTCHA challenge while it secretly exfiltrated their details to the phishers. It displayed a fake error message on the second attempt before redirecting the visitor to the real USDOT site, thus giving attackers some time to assume control of their victim’s account and/or to monetize the stolen credentials on the dark web.

Defending Against Email Attacks Impersonating USDOT

The campaign discussed above highlights the need for organizations to defend themselves against email attacks impersonating U.S. government entities like USDOT. One of the ways they can do that is by updating their security awareness training programs to take deceptive phishing attacks into account. For instance, they can focus on educating their workforce that official U.S. government websites end in .GOV or .MIL, not .NET or .COM. They can also emphasize that governmental organizations such as USDOT rarely send out “cold emails” directly inviting recipients to submit bids for work. Finally, they can round off that education by explaining why newly registered lookalike domains such as transportationgov[.]net deserve suspicion, and why employees need to be wary of any prompt to view a document by signing into a web service like Microsoft.
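Both tricks described on this page (a real government name planted as a subdomain of akjackpot[.]com, and a lookalike registrable domain such as transportationgov[.]net) can be caught mechanically once a filter knows which part of a hostname is the actual base domain. The script below is an added example, not code from the original post or from Zix | AppRiver. It assumes a small hard-coded suffix table in place of the real Public Suffix List and a constructed allow-list of government domains (KNOWN_GOV_DOMAINS); a production filter would swap in the full list. The sample message is constructed to mirror the campaign's shape, using only the domains reported above.

```python
"""
Flag sender domains and URLs that imitate a U.S. government site.

Added example (not code from the original post). Two assumptions keep it
offline: a small hard-coded suffix table stands in for the real Public
Suffix List, and KNOWN_GOV_DOMAINS is a constructed allow-list.
"""
import re
from urllib.parse import urlparse

# Constructed allow-list of government domains staff actually correspond with.
KNOWN_GOV_DOMAINS = {"transportation.gov", "dot.gov"}

# Stand-in for the Public Suffix List (assumption; the real list is far longer).
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "mil", "co.uk"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Return the base (registrable) domain: the label just left of the public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for n in (2, 1):  # try the longer suffix first (co.uk before uk)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)


def _squash(name: str) -> str:
    """Strip dots and hyphens so 'transportation.gov' and 'transportationgov' compare equal."""
    return re.sub(r"[.-]", "", name)


def classify_host(host: str) -> list[str]:
    """Return reasons a host looks like a government impersonation (empty list = clean)."""
    host = host.lower().rstrip(".")
    base = registrable_domain(host)
    reasons: list[str] = []
    if base.endswith((".gov", ".mil")):
        return reasons  # genuinely registered under .gov/.mil
    # 1. A government name used as a subdomain of a non-government base domain,
    #    e.g. transportation.gov.bidprocure.secure.akjackpot.com
    if re.search(r"(^|\.)(gov|mil)\.", host):
        reasons.append(f".gov/.mil label embedded in subdomain; real base domain is {base}")
    # 2. A lookalike registrable domain, e.g. transportationgov.net or transportation.net
    base_name = base.split(".")[0]
    for gov in KNOWN_GOV_DOMAINS:
        if _squash(base_name) == _squash(gov) or base_name == gov.split(".")[0]:
            reasons.append(f"{base} is a lookalike of {gov}")
    return reasons


def assess_message(sender: str, body: str) -> dict[str, list[str]]:
    """Check the sender's domain and every URL in the body; return {item: reasons} for findings only."""
    findings: dict[str, list[str]] = {}
    sender_domain = sender.rsplit("@", 1)[-1]
    if (hits := classify_host(sender_domain)):
        findings[sender] = hits
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if (hits := classify_host(host)):
            findings[url] = hits
    return findings


# Constructed sample mirroring the campaign's shape (domains are the ones reported above).
SAMPLE_SENDER = "bids@transportationgov.net"
SAMPLE_BODY = (
    "USDOT invites you to submit a bid for a department project.\n"
    "CLICK HERE TO BID: https://transportation.gov.bidprocure.secure.akjackpot.com/bid\n"
    "Reference: https://www.transportation.gov/\n"
)

if __name__ == "__main__":
    for item, reasons in assess_message(SAMPLE_SENDER, SAMPLE_BODY).items():
        print(item)
        for reason in reasons:
            print("   -", reason)
```

Run against the sample, the sender domain and the bid link are both reported while the genuine www.transportation.gov reference passes clean. The value of the registrable-domain step is that it makes the check robust to however many reassuring labels an attacker stacks to the left of the real domain; the lookalike step is deliberately narrow (squashed-name equality and same-name-different-TLD) so it produces explainable findings rather than fuzzy scores.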

Simultaneously, organizations need to balance those human controls with multiple layers of technical controls. Those security measures include multi-factor authentication (MFA) and single sign-on (SSO). They also include an email security solution capable of scanning incoming messages for campaign patterns and other threat indicators in real time, blocking the malicious ones while allowing legitimate correspondence to reach its intended destination.

Defend against impersonation email attacks using Zix | AppRiver.