Cybersecurity in the News: US DOT Phishing Scam Targeting Contractors

Last week, a phishing scam was discovered in which attackers were pretending to be from the U.S. Department of Transportation to try and obtain Microsoft Office login credentials. INKY, a phishing email security company, detected over 40 instances of these imposters attempting to dupe companies who received these suspicious emails.

In August, the U.S. Senate passed a $1 trillion infrastructure bill; surely uncoincidentally, these scam emails started up right after that passing, targeting contractors who would work with the DOT on our country's various roads, bridges, airports, and waterways. These scammers tried to persuade targeted victims that they were selected as potential companies to help with some of the projects that this massive bill will pay for. The email encourages recipients to submit a bid for some of this money, in the hopes of trying to trick eager contractors.

As with most phishing attacks, these attackers tried to use things like a similar email domain in the sender address so that a person who is doing receiving the email may think by just glancing at the address that it would be legitimate. In this case, they used a newly created domain transportationgov.net, a false website made to look like the legitimate .gov domain. The email was straight forward, simply stating USDOT invites your business to submit bids for the department's commercial projects. followed by a huge, blue CLICK HERE TO BID button followed by Quotes will be submitted online in the Bid System after signing in. and then "signed" by "Victor Gordon" of the USDOT.

Though thankfully not all recipients clicked the link as most were not contractor who would be interested in such a bid, there were some who clicked the big blue button in the email. Those individuals were brought to a fake landing page that told the hopeful contractor to click on yet another bid button and sign in with their email in order to connect to the network to submit a bid. Once the victims followed these instructions, they were taken to what looked exactly like the legitimate USDOT home page which was actually the phishing version of the site which phishers created by copying HTML and CSS from the legitimate site in order to create. The cheeky attackers even included the warning from the real USDOT landing page to be wary of phishing sites as legitimate U.S. government sites will end in a .gov.

If the contractors trying to simply submit a bid did not make this connection and look at the different sites and email addresses they were receiving this information from, they were then directed to yet again submit their email login information to continue the process. This is different than creating a login with a site as many of us have had to do in the past, rather it is a login attempt where you have to login to your email provider directly, entering your email password. Once this information has been entered, the phishers already have it, but the facade continues and a ReCAPTCHA prompt is seen on screen. The user who tries to login and click all the boxes with a streetlight in them will then be prompted with the 'I'm not a robot' screen and then hit with an immediate error message. If they try one more time, another error message appears and then they are redirected to the real USDOT site. The malicious actors basically harvested the login credentials they cared to take and then dumped the poor, unsuspecting contractors onto the legitimate page for the real USDOT to deal with. This is where the phishing is caught and why we all know about it.

It is so disheartening and unfortunate to see legitimate business owners who want to take one work being tricked, particularly today, when so many people struggle with work as it is. This is why it is incredibly important to be aware of the telltale signs of a phishing attack and being vigilant at all times. Had recipients taken another look at the email address they received the initial email from, they would know clearly that this is not a legitimate offer, as attractive as it may seem. Additionally, basic knowledge of phishing attacks would remind us to not click on any links from senders who we have not encountered before and do not know are legitimate. If the sender appears to be a real person but you're unsure if you should click the link they sent, find another way to contact this person to verify that they are who they say they are; you can also seek out the legitimate page you are trying to find yourself rather than clicking the link -- had our contractors done that in this case, they would have quickly learned that this was an unfortunate phishing scam.

Image by evening_tao for Freepik.