How Phishing Actors Impersonated the U.S. Department of Transportation

• A recent phishing campaign deployed some common but highly effective tricks to steal Microsoft account credentials.
• The actors impersonated the U.S. Department of Transportation and sent out emails to potential bidders.
• The phishing site was cloned from the real one and the email addresses relied on a fresh and “clean” domain.

Phishing actors are always on the look for fresh opportunities that arise from investment or financial support programs, and when the U.S. Senate passed the $1 trillion infrastructure bill in August, they were quick to adjust their hooks. As reported by INKY, between August 16 and 18, sophisticated actors sent at least 41 phishing emails to various companies and organizations, impersonating the U.S. Department of Transportation and inviting the recipient to bid for a hefty financial aid.

The emails were sent out to random entities, and most of them weren’t infrastructure contractors, but some were. The crooks set up a website on “transportationgov[.]net”, a pretty convincing and legit-looking domain, registering it on the same day as the start of the phishing campaign to avoid blacklisting trouble. This domain was used for sending out the emails.

The website where victims landed on if they click on the “bid” button that is embedded on the phishing email was “transportation.gov.bidprocure.secure.akjackpot[.]com”, a pretty far-fetched portmanteau that contains some reassuring words and relies on the totally irrelevant “akjackpot[.]com” domain that is probably the product of a hijack.

The appearance of the site that’s loaded there is basically the same as the real portal, as the actors simply copied HTML and CSS and pasted it on their site. They even left the official warning about how to verify actual U.S. government sites, which says that legit government portals use the “.gov” or “.mil” TLDs. As such, if any of the victims was to read the notice, the fraud would become apparent. Possibly, the actors thought the existence of the warning was bringing more benefits than risks to the phishing site, as nobody reads these carefully anyway.

The main goal of these sites is to grab Microsoft account credentials, and for this, the visitor is served a login box with the Microsoft logo. Once they enter their username and password in the boxes, they are then presented with a CAPTCHA, but their credentials have already been sent to the crooks. Then they go through a second attempt which always ends up in a fake error message. Potentially, this is to confirm that the details entered were correct.

The final move is to dump the victim on the real U.S. Department of Transportation site, leaving them with little clue about what has just happened. Considering that the whole campaign lasted for only two days, the actors were very careful not to risk getting identified and caught, but of course, at least INKY was monitoring them. It is not clarified if any of the 41 recipients got tricked and gave away their credentials to the actors, but the main takeaway here is that highly-targeted limited-time campaigns are always running.