U.S. DOT Used in Phishing Scam Aimed at Microsoft Credentials
- By Dawna M. Roberts
- Published: Oct 27, 2021
- Last Updated: Mar 18, 2022
In August, hackers used the U.S. Department of Transportation as a ploy in a two-day phishing campaign designed to steal Microsoft credentials. The scam targeted firms that work closely with infrastructure and the DOT.
What Happened?
Inky cybersecurity researchers discovered a slew of phishing emails impersonating the Department of Transportation (DOT) inviting victims to bid on a portion of the $1 trillion in government funds earmarked for transportation infrastructure. In its report, the company noted that these attacks occurred between August 16 and 18.
Because of the limited scope of this offer, many recipients ignored it, but the tactic did lure some victims in. Companies in industries such as engineering, energy, and architecture were the targets for this campaign. The email also included a big blue button with the words “Click Here to Bid” on it.
Threatpost explains that “The emails themselves are launched from a domain, transportationgov[.]net, that was registered by Amazon on Aug. 16, Kay said. The date of its creation – revealed by WHOIS – seems to signal that the site was set up specifically for the phishing campaign.”
The tip-off that this email came from a fake organization is that U.S. government websites use the .gov top-level domain, not .net. However, anyone skimming the message without verifying the sender could be caught off guard and click without thinking.
How the Ruse Works
Once the user clicks the big blue button, they are taken to a website (transportation.gov.bidprocure.secure.akjackpot[.]com), which is again a big red flag. The actual registered domain is akjackpot.com; everything before it is just a subdomain chosen to look official. That domain was registered in 2019 and hosts some sort of gambling website.
Inky said that “Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the USDOT.”
Once they arrive at the site, bidders are asked to enter their email address, and then they are taken to a fake version of the actual DOT website, which uses the same logos, colors, and fonts. The illegitimate website even includes a warning to make it seem credible.
Eventually, targets are taken to what looks like a Microsoft login form (which is in fact fake), and they are instructed to enter their credentials. Hackers tell victims to “Login with your email provider,” and when the login fails, they are shown a reCAPTCHA challenge. By then the credentials have already been stolen and stored in the bad actors’ database. When victims try to enter their credentials a second time, they are shown an error message and then redirected to the actual DOT website. Inky calls this final redirect “an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence.”
Why Did the Phishing Campaign Work?
Although the culprits didn’t do anything spectacularly unique, the campaign worked because, as Threatpost explains, “By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential-harvesting operation, the phishers came up with an attack just different enough from known strikes to evade standard detection methods.”
The new domains the hackers created for this ruse are why it worked so well and why the emails evaded detection by spam blockers. Also, “Since they were brand new, the domains represented zero-day vulnerabilities; they had never been seen before and did not appear in threat intelligence feeds commonly referenced by legacy anti-phishing tools. Without a blemish, these sites did not look malicious.”
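Both red flags described on this page, a government-looking name buried in the subdomain of an unrelated registered domain and a domain registered days before the email was sent, can be checked mechanically. The script below is an added example written for this article; it is not Inky's tooling or anything the campaign used. It uses only the two domains the article names plus a legitimate comparison URL, and it assumes a simple "last two labels" rule for finding the registrable domain (real tools use the Public Suffix List), a 30-day threshold for "newly registered", and hypothetical registration dates standing in for what a WHOIS lookup would return.

```python
from datetime import date
from urllib.parse import urlparse

# Constructed inputs: the two defanged domains from the article and a benign
# comparison URL. Registration dates are hypothetical stand-ins for WHOIS
# results (the article gives Aug 16 for transportationgov.net and only "2019"
# for akjackpot.com; the exact 2019 day is made up here).
SAMPLE_URLS = {
    "https://transportation.gov.bidprocure.secure.akjackpot[.]com/bid": date(2019, 5, 1),
    "https://transportationgov[.]net/bid": date(2021, 8, 16),
    "https://www.transportation.gov/": date(1995, 1, 1),
}

# Labels an impersonator of this agency would be likely to reuse (assumption).
GOV_LOOKALIKE_WORDS = ("gov", "transportation", "usdot")


def refang(url):
    """Turn the defanged '[.]' notation back into a real dot for parsing."""
    return url.replace("[.]", ".")


def registrable_domain(host):
    """Return the last two DNS labels, e.g. 'akjackpot.com'.

    Assumption: a two-label rule, adequate for .com/.net/.gov. Production
    code should use the Public Suffix List to handle suffixes like co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url, registered_on, seen_on=date(2021, 8, 17), new_domain_days=30):
    """Flag a URL that looks governmental but is not .gov, or whose registrable
    domain was created shortly before the message was observed."""
    host = urlparse(refang(url)).hostname or ""
    domain = registrable_domain(host)
    subdomain = host[: -len(domain)].rstrip(".") if host.endswith(domain) else ""
    findings = []

    # 1. Government-looking wording anywhere in the host, but the part that is
    #    actually registered does not end in .gov.
    if not domain.endswith(".gov") and any(w in host for w in GOV_LOOKALIKE_WORDS):
        findings.append(f"gov lookalike: '{host}' is really under '{domain}'")

    # 2. Domain age: a registration a few days before the campaign is the
    #    "zero-day domain" pattern the article describes.
    age_days = (seen_on - registered_on).days
    if age_days < new_domain_days:
        findings.append(f"newly registered: '{domain}' was {age_days} day(s) old when seen")

    return {
        "host": host,
        "registrable_domain": domain,
        "subdomain": subdomain,
        "findings": findings,
    }


def scan_samples():
    """Assess every constructed sample URL, keyed by hostname."""
    results = {}
    for url, registered in SAMPLE_URLS.items():
        report = assess_url(url, registered)
        results[report["host"]] = report
    return results


if __name__ == "__main__":
    for host, report in scan_samples().items():
        status = "SUSPICIOUS" if report["findings"] else "ok"
        print(f"{status:10} {host} -> {report['registrable_domain']}")
        for finding in report["findings"]:
            print(f"           - {finding}")
```

Running it prints both article domains as SUSPICIOUS and the real www.transportation.gov as ok. The first check is what a reader should do by eye: read the hostname from the right, not the left, because only the last two labels say who actually owns the site. The second check is the one legacy reputation feeds cannot do, since a domain created yesterday has no history to score; a mail gateway that enriches links with WHOIS creation dates closes that gap.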
Microsoft 365 users who received the email, clicked the button, and followed the steps to log in should immediately change their passwords and inform Microsoft of the abuse. Additionally, as a warning to all email recipients, you should never click links in an email before verifying the sender and domain where it came from.