Cyber criminals have been luring people into handing over their Microsoft 365 login credentials under the pretence of bidding for U.S. Department of Transportation contracts.
The phishing campaign, which targeted organisations in the engineering, energy and architecture sectors, told recipients that the government had invited them to submit a bid for a department project.
A link at the bottom of the message instructed them to “Click Here to Bid”, where they were asked to provide their Microsoft 365 login details.
According to researchers at the email security provider INKY, the scammers sent 41 emails from 16–18 August. It’s not known how many people fell victim.
How the scam works
This attack didn’t use any novel techniques, but it was carefully planned and, more importantly, well timed.
On 10 August, the US Senate passed a $1 trillion infrastructure bill, half of which will be dedicated to transportation, broadband and utilities. Less than a week later, the attackers created the domain transportationgov.net, and sent their first batch of messages.
The domain is an ordinary .net registration, but because ‘gov’ appears inside the second-level label (transportationgov), a message from it can easily be mistaken for one sent from a genuine ‘.gov’ address.
The message itself is well constructed, with none of the obvious typos that often give scams away.
The combination of timing, with the message arriving just as the news reported that the Department of Transportation would be leading new projects, and an authentic-looking email makes this scam particularly dangerous.
Anyone who follows the link is directed to another site with a similarly realistic-looking hostname, where they are asked to click a “Bid” button and sign in with their email provider.
This is the point at which you should expect recipients to spot something suspicious. Although the hostname begins with “transportation.gov”, it ends with “akjackpot.com”, which is clearly unrelated to the U.S. Department of Transportation. Only the rightmost labels of a hostname identify who controls the site; “transportation.gov” here is just a subdomain prefix chosen by whoever owns akjackpot.com.
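Both lookalike tricks described above (‘gov’ embedded in a registrable .net domain, and a ‘.gov’-looking prefix placed in the subdomain of an unrelated domain) can be caught by the same check: extract the registrable domain and see whether it is actually under .gov. The following Python is an added example written for this article; it is not INKY’s code or anything from the campaign. The hostnames it tests against are the ones named in the article plus a few constructed controls, and the small public-suffix table is an assumption standing in for the real Public Suffix List.

```python
"""Flag URLs that dress a non-.gov host up as a U.S. government site.

Added example for this article, not code from the INKY report. It handles:
  1. 'gov' inside the registrable domain:       transportationgov.net
  2. a '.gov' prefix in the subdomain:           transportation.gov.akjackpot.com
  3. a '.gov' name hidden in the URL userinfo:   https://transportation.gov@akjackpot.com/
Only the rightmost labels (the registrable domain) say who controls a host.
"""
from urllib.parse import urlparse

# Assumption: a tiny stand-in for the Public Suffix List. Production code should
# use the real list (for example the `publicsuffix2` package) so that hosts under
# suffixes such as co.uk or com.my are split correctly.
MULTI_LABEL_PUBLIC_SUFFIXES = {"co.uk", "com.my", "com.au", "co.jp"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label) of a host."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_PUBLIC_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def gov_lookalike_findings(url: str) -> list:
    """Return the reasons a URL looks like a .gov impersonation.

    An empty list means no lookalike pattern was found; it does not mean the
    URL is safe. Hosts genuinely under .gov always return an empty list.
    """
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower().rstrip(".")
    if not host:
        return ["no host in URL"]

    reg = registrable_domain(host)
    if reg.endswith(".gov"):
        return []  # really under .gov: nothing to flag

    findings = []

    # Trick 3: credentials in the netloc push the real host to the right of '@'.
    if parsed.username is not None and "gov" in parsed.username.lower():
        findings.append(f"'gov' in userinfo before the real host {reg}")

    # Trick 1: 'gov' embedded in the registrable label (transportationgov.net).
    # This is a keyword heuristic and will also fire on names like governance-x.com;
    # tune or allowlist as needed.
    if "gov" in reg.split(".")[0]:
        findings.append(f"'gov' embedded in registrable domain {reg}")

    # Trick 2: a literal 'gov' label in the subdomain part
    # (transportation.gov.akjackpot.com).
    sub_labels = host.split(".")[: -len(reg.split("."))]
    if "gov" in sub_labels:
        findings.append(f"'.gov' label in subdomain of non-.gov domain {reg}")

    return findings


if __name__ == "__main__":
    # Constructed sample URLs: the two hostnames from the article plus controls.
    samples = [
        "https://www.transportation.gov/",
        "http://transportationgov.net/bid",
        "https://transportation.gov.akjackpot.com/bid",
        "https://transportation.gov@akjackpot.com/",
        "https://www.example.com/",
    ]
    for sample in samples:
        print(f"{sample:48} -> {gov_lookalike_findings(sample) or 'no findings'}")
```

Run it at a mail gateway or in a link-rewriting proxy over every URL in an inbound message; anything with findings is a candidate for quarantine or a warning banner. The check is deliberately conservative about what it calls genuine: it trusts only the registrable domain, so it is not fooled by anything placed to the left of it in the hostname or in the userinfo.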
INKY’s vice president of security strategy, Roger Kay, noted that the site was registered in 2019 and “hosts what may or may not be an online casino that appears to cater to Malaysians”.
He added: “Either the site was hijacked, or the site owners are themselves the phishers who used it to impersonate the [U.S. Department of Transportation].”
Once the victim reaches the fake government website, they are presented with a credential-harvesting form that imitates Microsoft 365’s login box.
If they provide their details, they are shown a reCAPTCHA challenge, the kind of check legitimate sites often add as an extra security mechanism.
By this point, however, the attackers already have the victim’s credentials; the challenge only lends the page credibility. The victim is then told that something has gone wrong and is redirected to the real U.S. Department of Transportation website.
Anyone who suspects at that stage that something is amiss may doubt themselves, because they are now on the genuine government site.
Preventing phishing attacks
Millions of phishing emails are sent every day. Although they aren’t always as well crafted and carefully planned as this, they still wreak havoc.
Verizon’s 2021 Data Breach Investigations Report found that phishing was the most common form of cyber attack last year, with 43% of breaches involving scam emails.
It’s therefore essential that you protect your organisation and train employees on how to spot and respond to phishing emails.
Our Phishing Staff Awareness Training Programme contains all the guidance your team needs, ensuring that your last line of defence is as strong as possible.
The 45-minute course explains how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.
Our content is updated quarterly to include current examples of successful attacks and the latest trends that criminals use.