Gerry Palmers Tech 09.20.2022 03:Sep AM EDT

Better, Expanded Phishing Attacks Lure Victims Into Fake Bidding for U.S. Government Projects

U.S. government contractors have been targeted by a wide-scale phishing campaign that was set to lure them into bids for supposed lucrative U.S. government projects but instead take them to phishing sites disguised as legitimate U.S. federal agency portals.

In a Cofense blog post, the phishing threat actors have widened their operations, with their sites most recently duplicating the portals of the U.S. Department of Transportation and Department of Commerce.

Enhanced Lures to Fool Users Into Providing Microsoft 365 Account Credentials in New Phishing Campaigns

With what was discovered, it seemed the operatives have improved in their phishing emails, with more compelling draws, consistent letter formatting with simple links to PDFs, and not carrying suspicious attachments.

These threat actors use PDFs to make recipients believe they are getting legit instructions on proceeding with the bidding process for the government agency without knowing they are getting phished.

While these instructions used to be too technical, the new phishing campaign has simplified instructions with legit-looking logos that are more prominent to see and have links to the phishing page.

Even metadata on the duplicate pages matches the ones on the original, genuine U.S. government pages, making victims further believe they have visited the real government portal. Even the URLs show consistent addresses throughout using the secure-looking HTTPS: at the beginning of the address.

Aside from using the .gov domain, the operatives made the URLs more legitimate in mobile browsers with longer domains that users can't see due to the limited space on their devices.

Phishing Campaign Tricks Users Into Providing Microsoft 365 Account Credentials

On the actual phishing page, the attackers attempt to fool visitors into inputting their Microsoft Office 365 account credentials. While doing so, they added a Captcha Challenge step to guarantee no bot inputs are logged.

These phishing operatives are expected to continue their activities for a long time, given that they have widened their target scope and improved their tactics.

As the emails, PDFs, and websites used in these phishing attempts are excellent duplicates of the original content from bid requests and federal bidding portals, it would be difficult to spot fraud.

Phishing Campaigns Expected to Improve, Innovate, Expand

These phishing campaigns are seen to further improve, innovate, and expand such believable phishing attempts, Cofense further said.

How to protect ourselves against these threats is to closely see through the details, such as the sending address and the landing URL, and visit the bidding portal using a search engine and not the provided links in the email.

Users can also search for these URLs online, and they will likely discover published indicators of compromise confirming these phishing campaigns' fraudulent nature.

These new campaigns have improved from previously discovered attacks, particularly the one reported by INKY Technology, wherein threat actors tricked people into using attached PDFs with instructions on undergoing the bidding process for the U.S. Department of Labor projects.