Shortly after Congress took action on a $1 trillion infrastructure bill, hackers posing as U.S. Transportation Department officials offered fake project bid opportunities to seduce companies into handing over Microsoft credentials, researchers say.
The ploy included layers of attempts to disguise the malicious appeals as authentic government solicitations, and even eventually led the would-be victims back to the actual Department of Transportation website, according to a Wednesday blog post from INKY, an email security company.
“The basic pitch was, with a trillion dollars of government money flowing through the system, you, dear target, are being invited to bid for some of this bounty,” wrote Roger Kay, vice president of security strategy for the firm.
Never mind that the infrastructure legislation hasn’t fully worked its way through Congress yet, nor that few of the phishing campaign’s targets would even be eligible for the infrastructure projects that bill would fund. It’s the most recent instance of hackers seizing on the hottest topic on Capitol Hill, with another notable example coming in March when Cofense spotlighted phishing lures tied to the $1.9 trillion American Rescue Plan for COVID-19 relief.
INKY said the latest fraud effort illustrated some new twists on old techniques.
“By creating a new domain, exploiting current events, impersonating a known brand, and launching a credential harvesting operation, the phishers came up with an attack just different enough from known strikes to evade standard detection methods,” the blog post reads.
INKY detected the 41 phishing emails between Aug. 16 and 18, a week after the Senate passed the infrastructure bill out of its chamber. House Democratic leadership is setting an October goal for final action.
The unknown phishers’ initial emails came from a “transportationgov.net” domain that has the air of an authentic government website, and included a link to a big blue button reading “CLICK HERE TO BID.” Doing so leads to another site with “.gov”-esque domain names soliciting e-mail sign-ins, then to a copy of the DOT website. Then comes the credential harvesting form with a Microsoft logo.
“In what may be an ironic twist, the phishers also copied and pasted in a real warning about how to verify actual U.S. government sites,” Kay said. “The victim might have noticed that something was up if they had realized that the phishing site domain ended in .com rather than .gov or .mil.”
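The tell Kay describes, a government-looking name sitting on a .com or .net domain, is simple to check mechanically. The following is an added example written for this article, not code from INKY; it flags sender addresses and link hosts that carry “gov” or an agency name without actually being under .gov or .mil, using constructed sample inputs modelled on the campaign (the agency tokens and the sample hosts other than transportationgov.net are assumed).

```python
"""Flag e-mail senders and link hosts that imitate U.S. government sites
(e.g. 'transportationgov.net') while living outside the .gov/.mil TLDs."""
from urllib.parse import urlparse

# Legitimate top-level domains for U.S. federal civilian and military sites.
GOV_TLDS = {"gov", "mil"}
# Agency name tokens worth a second look; "transportation" comes from the
# campaign above, "usdot" is an assumed extra example.
AGENCY_TOKENS = ("transportation", "usdot")

# Constructed samples: one is the lure domain named in the article, the rest
# are made-up examples of benign and suspicious values.
SAMPLES = [
    "bids@transportationgov.net",
    "https://www.transportation.gov/",
    "https://transportation-dot.gov.example.com/login",
    "newsletter@example.org",
    "mail.example.mil",
]

def host_of(value: str) -> str:
    """Extract a lowercase hostname from an address, URL or bare domain."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower().strip(".")
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower().strip(".")

def looks_like_gov_lookalike(value: str) -> tuple[bool, str]:
    """Return (is_suspicious, reason) for a sender, URL or hostname."""
    host = host_of(value)
    labels = host.split(".")
    tld = labels[-1]
    if tld in GOV_TLDS:
        return (False, "real .gov/.mil domain")
    registered = labels[-2] if len(labels) >= 2 else host
    # 'gov' inside the registrable label (transportationgov.net) or used as a
    # subdomain label (x.gov.example.com) while the real TLD is .com/.net.
    # Note: a heuristic; words like 'governance' will also trip it.
    if "gov" in registered or "gov" in labels[:-2]:
        return (True, f"'gov' appears in {host} but TLD is .{tld}")
    if any(tok in registered for tok in AGENCY_TOKENS):
        return (True, f"agency name in {host} but TLD is .{tld}")
    return (False, "no government impersonation indicators")

def flagged(values=SAMPLES) -> list[str]:
    """Return the hosts from `values` that look like government lookalikes."""
    return [host_of(v) for v in values if looks_like_gov_lookalike(v)[0]]

if __name__ == "__main__":
    for v in SAMPLES:
        print(v, "->", looks_like_gov_lookalike(v))
```

Run over the sample list, it flags only transportationgov.net and the gov-as-subdomain host, leaving the real .gov and .mil names alone.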
After entering credentials, a victim would receive a fake error message and get redirected to the real DOT website.
“This last move, dumping victims on a real site, is an elegant but perhaps unnecessary flourish that phishers often execute as the final step of their sequence,” according to the blog post. “In the con business, this moment is called the ‘blow-off’ and refers to the time after which the perpetrator has obtained what they were after, but before the mark realizes that they’ve been duped.”