A new phishing scam that involves threat actors impersonating the US Department of Labor (DoL) has been targeting US businesses and their employees.
The scam email asks prospective victims to enter their Microsoft 365 address or company email into a fake webpage.
Attacks like this are a grim reminder of the importance of equipping your staff with both antivirus software and the knowledge to spot ‘fake’ emails.
What Happens During the Phishing Attack?
This new type of phishing attack was discovered by cloud-based security platform Inky, who say they’ve been detecting scam emails impersonating the US DoL during “the back half” of 2021.
Concerningly, the vast majority of the phishing emails appeared as if they came from no-reply@dol[.]gov, which is the genuine address of the US DoL webpage.
Inky also reports that a small percentage came from fake but similar-looking domains – dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us.
This scam was able to utilize the actual web address for the US Department of Labor, which many unsuspecting victims will take as an indication that the email is legitimate.
The scam email – which uses a US DoL letterhead – asks recipients to bid on “ongoing government projects”. The email claims to have been sent from the “Chief Procurement Officer” at the department.
Attached to the email is a PDF document that includes information about the fake bid opportunity, as well as a malicious link. You’re then sent through to a fake DoL page and a ‘click here to bid’ button will take you to a page where you’re asked to enter your Microsoft 365 or business email address.
Regardless of whether you enter your details correctly, the page will ask you for them twice, ensuring your actual details are stolen.
Phishing Scam Techniques
The page victims are sent through looks identical to the real DoL page – because, visually at least, it is. The attackers lifted the HTML and CSS from the legitimate site, reproducing an exact copy.
However, another sophisticated tactic used in this scam is utilizing the legitimate DoL page. If a victim enters their credentials twice – which an Inky researcher did – it will redirect to a legitimate page, adding to the confusion over what has happened.
Inky also reveals that the email was able to obtain a DKIM pass – which is used to root out scam and spoof emails – by hijacking a legitimate mail server belonging to a non-profit organization.
However, brand new domains were also used in some cases – another tactic used to avoid detection by anti-phishing tools that use blacklisting processes.
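The two tricks above, a DKIM pass obtained from an unrelated (hijacked) mail server and a freshly registered lookalike domain, are exactly what DMARC-style alignment checking and a lookalike test are meant to catch. The following is an added example, not code from the article or from Inky: it parses two constructed messages (the signing domain `hijacked-nonprofit.example` and the header layout are assumptions) and flags a message whose DKIM signing domain does not align with the visible From: domain, or whose From: domain merely resembles dol.gov.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

LEGIT_DOMAIN = "dol.gov"  # the genuine DoL domain named in the article

# Constructed sample 1: From: claims dol.gov, but the DKIM signature was
# produced by an unrelated third-party server (hypothetical domain).
SAMPLE_MISALIGNED = """\
From: "U.S. Department of Labor" <no-reply@dol.gov>
Subject: Invitation to bid on ongoing government projects
DKIM-Signature: v=1; a=rsa-sha256; d=hijacked-nonprofit.example; s=sel1; h=from:subject; bh=AAA=; b=BBB=
Authentication-Results: mx.example.com; dkim=pass header.d=hijacked-nonprofit.example

Please see the attached bid document.
"""

# Constructed sample 2: a lookalike domain that signs its own mail, so
# alignment passes and only a lookalike test catches it.
SAMPLE_LOOKALIKE = """\
From: "U.S. Department of Labor" <procurement@dol-gov.com>
Subject: Invitation to bid on ongoing government projects
DKIM-Signature: v=1; a=rsa-sha256; d=dol-gov.com; s=sel1; h=from:subject; bh=AAA=; b=BBB=
Authentication-Results: mx.example.com; dkim=pass header.d=dol-gov.com

Please see the attached bid document.
"""

def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Fine for dol.gov / example.com; a production check should consult
    the Public Suffix List so that e.g. co.uk is handled correctly."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def analyze(raw: str) -> dict:
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()
    # Signing domain is the d= tag of the DKIM-Signature header.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(msg.get("DKIM-Signature", "")))
    dkim_domain = m.group(1).lower() if m else ""
    # Did the receiving MTA record a DKIM pass?
    dkim_pass = bool(re.search(r"\bdkim=pass\b", str(msg.get("Authentication-Results", ""))))
    # DMARC relaxed alignment: signing domain and From: domain must share an
    # organizational domain. A pass from a hijacked unrelated server fails here.
    aligned = dkim_pass and org_domain(dkim_domain) == org_domain(from_domain)
    # Lookalike: not dol.gov (or a subdomain of it) yet built around "dol".
    is_legit = from_domain == LEGIT_DOMAIN or from_domain.endswith("." + LEGIT_DOMAIN)
    lookalike = (not is_legit) and "dol" in from_domain
    return {"from_domain": from_domain, "dkim_domain": dkim_domain, "dkim_pass": dkim_pass,
            "aligned": aligned, "lookalike": lookalike,
            "suspicious": (dkim_pass and not aligned) or lookalike}
```

Run `analyze()` on each sample: the first is suspicious because the DKIM pass is unaligned, the second because the aligned domain is a lookalike.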
What Can I do to Protect My Business and Employees?
In this day and age, your business has to be prepared for all kinds of threats – only some phishing emails are designed to steal credentials. Others may include links to pages full of malware or sites that attempt to encrypt your files and demand a ransom.
For this reason, you’ve got to equip employees with antivirus software as well as the knowledge to spot shady emails when they show up in their inboxes – both are equally vital to protecting your company’s data.
Having online learning courses on email phishing that have to be completed every so often is a good place to start. They’ll help employees identify the often subtle differences between legitimate emails and ones sent by threat actors, and familiarise themselves with common characteristics of phishing emails.
Remember, if unsure as to whether an email is legit, you can always open a new, separate channel of communication with the legitimate organization referenced within it to double check.
In this case, contact the DoL and ask them if this is an email that was sent from their servers. Similarly, if you think an email purporting to be from your bank looks suspicious, contact your bank and ask them about it.
Approach every email from an address that doesn’t belong to a work colleague or expected contact with extreme caution. Always ask yourself the question: could this email be a scam? If the answer is even a maybe, then again, treat it with extreme caution and – most of all – never, ever click on anything.