Inky, an email security company, has seen a phishing campaign that tries to trick its victims into submitting bids for alleged government programs.
Many phishing attempts try to deceive people by pretending to be real brands or organizations. Phishing emails that appear to come from an official government agency are especially deceptive because they carry an air of authority. Inky detected a malicious campaign in the second half of 2021 that spoofed the U.S. Department of Labor to extract the account credentials of unsuspecting victims.
In a blog post published Wednesday, Inky describes a series of phishing attempts in which the sender address of most emails appeared to be [email protected], which is the real domain of the Department of Labor. Other emails were spoofed to appear to come from [email protected], which is not a Department of Labor domain.
The emails claimed to come from a senior Department of Labor employee who handles procurement and invited recipients to submit bids on an “ongoing government project”. Attached to the email was a PDF with all the branding and visuals one would expect from the DoL. On the second page of the PDF, a BID button led recipients to what appeared to be the DoL’s purchasing portal but was actually a malicious website impersonating the department.
A “Click here to bid” button was the next step. Clicking it took the victim to a credential-harvesting page with instructions to submit the bid by signing in with a Microsoft account or another business account. After entering their credentials, victims were told the credentials were wrong, even though the attacker had already captured them. To complete the deception, the attacker then redirected the victim to the real DoL website.
Because it combined several techniques, a phishing scam like this could easily deceive unsuspecting victims.
First, the attackers spoofed the DoL’s website by copying its HTML and CSS code directly from the real site. To avoid detection by email security filters, they sent the phishing emails through a legitimate email server. They also used newly created domains that security filters had no history of, which therefore passed reputation checks. Finally, they presented what appeared to be a government website but then redirected victims to a phishing site where their credentials could easily be stolen.
Inky has some tips to help you avoid this type of phishing scam.
- Examine the sender’s address. U.S. government domains typically end in .gov or .mil, not .com or any other suffix.
- Treat unsolicited emails claiming to come from the government with suspicion. The U.S. government doesn’t usually send cold emails to solicit bids.
- Consider whether each step of the process makes sense. In this instance, a legitimate bidding portal would not ask you to log in with the account credentials or email of another service.
- Verify your SMTP server settings. Your SMTP servers shouldn’t be configured to accept and forward emails from non-local IP addresses to local mailboxes.
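The first tip, checking whether a sender that claims to be a U.S. agency actually uses that agency’s domain, can be turned into a simple triage check over the From header. The following is an added example and is not code from Inky or from the article; the agency-to-domain mapping, the local parts of the sample addresses and the Authentication-Results values are constructed for illustration (dol.gov is the Department of Labor’s real domain). It also shows the limit of a string check: an exact spoof of the real domain looks identical in the From header and can only be caught through DMARC results.

```python
import re
from email.utils import parseaddr

# Constructed mapping of agency names (as they might appear in a display
# name) to the agency's legitimate domain. Only dol.gov is named by the article.
AGENCY_DOMAINS = {"department of labor": "dol.gov", "dol": "dol.gov"}
GOV_SUFFIXES = (".gov", ".mil")

def parse_from(from_header):
    """Split a From: header into (lower-cased display name, lower-cased domain)."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    return name.lower(), domain

def dmarc_pass(auth_results):
    """True if an Authentication-Results header value reports dmarc=pass."""
    return bool(re.search(r"\bdmarc=pass\b", auth_results or "", re.I))

def check_sender(from_header, auth_results=""):
    """Return a list of findings for a message that claims to come from a U.S. agency."""
    name, domain = parse_from(from_header)
    if not domain:
        return ["sender address could not be parsed"]
    findings = []
    # Which agency (if any) does the display name claim to be?
    claimed = next((d for k, d in AGENCY_DOMAINS.items()
                    if re.search(r"\b" + re.escape(k) + r"\b", name)), None)
    is_gov = domain.endswith(GOV_SUFFIXES)
    if claimed and domain != claimed and not domain.endswith("." + claimed):
        findings.append(f"display name implies {claimed} but sender domain is {domain}")
    # Same leading label as the real agency domain (e.g. "dol") under a non-.gov suffix
    if claimed and domain.split(".")[0] == claimed.split(".")[0] and not is_gov:
        findings.append(f"lookalike of {claimed}: {domain}")
    # A .gov sender can still be forged; trust it only when DMARC passed
    if is_gov and not dmarc_pass(auth_results):
        findings.append(f"{domain} sender without dmarc=pass; treat as unauthenticated")
    return findings

# Constructed sample messages: spoofed real domain, lookalike domain, genuine mail
SAMPLES = [
    ("Department of Labor <bids@dol.gov>", "spf=fail smtp.mailfrom=dol.gov; dmarc=fail"),
    ("DOL Procurement <bids@dol.com>", "spf=pass smtp.mailfrom=dol.com; dmarc=none"),
    ("Department of Labor <bids@dol.gov>", "dmarc=pass header.from=dol.gov"),
]

if __name__ == "__main__":
    for from_header, auth in SAMPLES:
        print(from_header, "->", check_sender(from_header, auth) or ["no findings"])
```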