A couple of phishing schemes are currently targeting contractors who do business with two U.S. federal government agencies.
Anomali Labs uncovered a malicious server hosting the two schemes in late February 2019. The first scheme begins when users visit transportation[.]gov[.]bidsync[.]kela[.]pw, a suspicious-looking subdomain that embeds the legitimate “transportation.gov” domain of the U.S. Department of Transportation. This site, in turn, redirects visitors to a site located at hxxps://transportation[.]gov[.]qq-1[.]pw/V1/ that mimics the DOT eProcurement portal.
The page differs from the actual DOT eProcurement portal, however, in that it displays a pop-up window asking qualified contractors to submit bids for government work. This window includes a fake email address for Leonardo San Roman, who actually works for the DOT as the acting manager of its Office of Small and Disadvantaged Business Utilization’s Procurement Assistance Division.

Additionally, the illegitimate DOT eProcurement portal contains a slider box in the middle of the page announcing the Invitation to Bid. Finally, it includes a red box in the middle of the page titled “Click here to bid.” This feature redirects visitors to a fake login page designed to steal contractors’ usernames and passwords.
In their analysis, Anomali’s researchers found that the server hosting the phishing transportation site used a self-signed TLS certificate to add a sense of legitimacy in the eyes of unsuspecting government contractors. They also determined that the server resolves to a shared IP address, 107.180.54[.]250, which hosts a few other phishing schemes. Among them is dol[.]gov[.]qq-1[.]pw, which leverages the Department of Labor’s “dol.gov” domain to target even more government contractors.
This second scheme functions similarly to the transportation...
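Both schemes use the same hostname trick: a real .gov domain appears as the leading labels of an unrelated .pw host. The Python below is an added example for checking proxy or DNS logs for that pattern; it is not code from Anomali or the original post, and the function names and the `PROTECTED` list are assumptions.

```python
from urllib.parse import urlsplit

# Domains to protect (assumed watch list; both are named in the article).
PROTECTED = ("transportation.gov", "dol.gov")


def refang(indicator: str) -> str:
    """Undo report-style defanging: hxxp -> http, [.] -> ."""
    s = indicator.strip().replace("[.]", ".")
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    return s


def hostname_of(indicator: str) -> str:
    """Return the lower-cased hostname of a URL or a bare host."""
    s = refang(indicator)
    if "://" not in s:
        s = "//" + s  # make urlsplit treat a bare host as the netloc
    return (urlsplit(s).hostname or "").rstrip(".").lower()


def embedded_brand(indicator: str, protected=PROTECTED):
    """Return (protected_domain, real_parent) when the host carries a
    protected domain as whole labels but is not actually under it."""
    labels = hostname_of(indicator).split(".")
    wanted = [d.split(".") for d in protected]
    # A host that really ends in a protected domain is legitimate.
    if any(labels[-len(w):] == w for w in wanted):
        return None
    for w in wanted:
        n = len(w)
        for i in range(len(labels) - n):
            if labels[i:i + n] == w:
                return ".".join(w), ".".join(labels[i + n:])
    return None


if __name__ == "__main__":
    # Indicators as printed in the article, plus two legitimate hosts.
    for item in ("transportation[.]gov[.]bidsync[.]kela[.]pw",
                 "hxxps://transportation[.]gov[.]qq-1[.]pw/V1/",
                 "dol[.]gov[.]qq-1[.]pw",
                 "https://www.transportation.gov/",
                 "www.dol.gov"):
        print(item, "->", embedded_brand(item))
```

Matching on whole labels rather than substrings keeps a host such as `mydol.gov.example` from being reported as embedding dol.gov.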
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by David Bisson. Read the original post at: https://www.tripwire.com/state-of-security/government/online-bidding-phishing-schemes-targeting-government-contractors/

