Fresh Phish: Phishers Lure Victims with Fake Invites to Bid on Nonexistent Federal Projects

INKY uncovered a large phishing campaign impersonating the U.S. Department of Labor (DoL). The emails used spoofed senders and look-alike domains to target Google Workspace and Microsoft 365 users with fake invitations to bid on nonexistent federal projects. Victims were led to three-page PDF attachments containing malicious links that redirected to credential-harvesting sites presented as DoL procurement portals.

Keypoints

  • DoL impersonation phishing campaign first detected in late 2021 and grew to hundreds of attempts.
  • Attack vector relies on spoofed DoL senders and newly created look-alike domains to appear trustworthy to recipients and mail filters.
  • Three-page PDF attachments carry DoL branding and deliver malicious links to credential-harvesting sites.
  • Victims are invited to bid on “ongoing government projects” via a fake procurement portal.
  • Phishers abused legitimate mail servers and used newly registered domains that pass basic email authentication (SPF, DKIM, DMARC). These checks only confirm that a message is authorized for the domain it claims to come from; a freshly registered look-alike domain with correct DNS records passes all three, so authentication results alone do not establish that the sender is the DoL.
  • The cloned DoL site mirrors the real site except for a red “Click here to bid” button that leads to the credential-harvesting page; after credentials are submitted, the page shows a fake error message and then redirects to the real DoL site, masking the theft.
  • Key indicators include a set of spoofed domains and an IP linked to malicious infrastructure (185.105.7[.]219; albacasino[.]com).

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Attachment-based phishing using three-page PDFs with malicious links. “Each phishing email had a three-page PDF attachment …”
  • [T1566.002] Phishing: Spearphishing Link – Malicious link behind a PDF’s button. “Recipients were instructed to click the “BID” button on Page 2 to access DoL’s procurement portal. Behind the button was a malicious link.”
  • [T1036] Masquerading – Impersonation by copying DoL branding and site HTML/CSS to deceive victims. “Identical copy of the real DoL site (except for red “Click here to bid” button) … the phishers had simply copied HTML and CSS from the real DoL site and pasted it into the phishing site.”
  • [T1583.001] Acquire Infrastructure: Domains – Use of newly created look-alike domains (alongside abused mail servers) to deliver phishing content while passing authentication. “Newly created domains are a black-hat favorite because they are able to pass standard email authentication (SPF, DKIM, and DMARC).”

Indicators of Compromise

  • [Domain] Phishing/hosting domains – opendolbid[.]us, usdol-gov[.]com, and 10 more domains
  • [IP Address] Network indicators observed in email headers – 185.105.7.219
  • [Domain] Associated infrastructure domain linked to IP – albacasino[.]com
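The following triage helper is an added example, not INKY's code or tooling. It ties together the key point that a look-alike domain can pass SPF/DKIM/DMARC and the indicator list above: it refangs the indicators, parses a raw message, and flags a From domain that passes all three authentication mechanisms yet is a DoL look-alike, an IOC IP in the Received chain, an IOC domain in a body URL, and a PDF attachment. The sample message, the `dol`/`usdol` brand tokens, and the hostnames `mx.victim.example` and `mail.example.net` are constructed for the demo; the look-alike check is a substring heuristic, not the detection logic INKY describes.

```python
"""Triage helper for the DoL bid-invitation lure (added example, not INKY's code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Indicators from the list above, kept defanged; refang() turns them into matchable form.
DEFANGED_IOCS = ["opendolbid[.]us", "usdol-gov[.]com", "albacasino[.]com", "185[.]105[.]7[.]219"]
PROTECTED_DOMAIN = "dol.gov"       # the brand being impersonated
BRAND_TOKENS = ("dol", "usdol")    # assumed substrings that suggest DoL impersonation (heuristic)

def refang(ioc: str) -> str:
    return ioc.replace("[.]", ".").replace("hxxp", "http")

IOCS = {refang(i) for i in DEFANGED_IOCS}

def sender_domain(header_value: str) -> str:
    """Domain part of the address in a From/Reply-To header, lower-cased."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()

def is_lookalike(domain: str) -> bool:
    """True for a domain that is not dol.gov (or a subdomain of it) but carries a DoL brand token."""
    if domain == PROTECTED_DOMAIN or domain.endswith("." + PROTECTED_DOMAIN):
        return False
    label = domain.split(".")[0]
    return any(tok in label for tok in BRAND_TOKENS)

def auth_passed(auth_results: str) -> bool:
    """Crude Authentication-Results parse: spf, dkim and dmarc all present and 'pass'."""
    return all(re.search(rf"\b{m}=pass\b", auth_results or "") for m in ("spf", "dkim", "dmarc"))

def triage(raw: str) -> dict:
    msg = message_from_string(raw)
    findings = []
    from_dom = sender_domain(msg.get("From", ""))
    if from_dom in IOCS:
        findings.append(f"from-domain matches IOC: {from_dom}")
    if is_lookalike(from_dom):
        note = " (passes SPF/DKIM/DMARC, so auth alone would not catch it)" \
            if auth_passed(msg.get("Authentication-Results")) else ""
        findings.append(f"look-alike of {PROTECTED_DOMAIN}: {from_dom}{note}")
    # Walk the Received chain for the IOC IP.
    for received in msg.get_all("Received", []):
        for ip in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", received):
            if ip in IOCS:
                findings.append(f"Received chain contains IOC IP: {ip}")
    # Note PDF attachments (the lure's vehicle) and body URLs pointing at IOC domains.
    for part in msg.walk():
        ctype = part.get_content_type()
        fname = part.get_filename() or ""
        if ctype == "application/pdf" or fname.lower().endswith(".pdf"):
            findings.append(f"PDF attachment: {fname or '(unnamed)'}")
        if ctype in ("text/plain", "text/html"):
            body = part.get_payload(decode=True).decode("utf-8", "replace")
            for url in re.findall(r"""https?://[^\s"'<>]+""", body):
                host = re.sub(r"^https?://", "", url).split("/")[0].lower()
                if host in IOCS or any(host.endswith("." + d) for d in IOCS):
                    findings.append(f"URL to IOC domain: {url}")
    return {"from_domain": from_dom, "findings": findings, "suspicious": bool(findings)}

# Constructed sample shaped like the lure described above; not a captured message.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [185.105.7.219]) by mx.victim.example; Wed, 1 Dec 2021 10:00:00 +0000
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=usdol-gov.com; dkim=pass header.d=usdol-gov.com; dmarc=pass header.from=usdol-gov.com
From: "U.S. Department of Labor" <no-reply@usdol-gov.com>
To: bids@victim.example
Subject: Invitation to Bid - Ongoing Government Project
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached invitation and bid at https://opendolbid.us/portal
--b1
Content-Type: application/pdf; name="Invitation_to_Bid.pdf"
Content-Disposition: attachment; filename="Invitation_to_Bid.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for line in triage(SAMPLE)["findings"]:
        print("-", line)
```

The point the sample makes is that the message authenticates cleanly for `usdol-gov.com`, so an `Authentication-Results` gate would wave it through; the look-alike and IOC matches are what catch it. The brand-token heuristic will also fire on unrelated domains whose first label contains `dol`, so in production it belongs in a scoring pipeline with domain age and sender reputation rather than as a hard block.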

Read more: https://www.inky.com/blog/fresh-phish-phishers-lure-victims-with-fake-invites-to-bid-on-nonexistent-federal-projects