Brand New And Crafty Phishing Attack impersonates Dept. of Labor

New research from email security firm INKY shows a phishing attack impersonating the US Department of Labor (DoL) and targeting Office 365 users. The attack, which has been ongoing for at least a couple of months, uses more than ten different phishing sites impersonating the government agency. Furthermore, those who do submit bids for the project are then taken to a fake ‘error’ website that tricks the victim into entering their credentials a second time. If the victim falls for both traps, they are redirected to the real DoL site, leaving little evidence that an attack has taken place.
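The sequence described above (credentials posted to a lookalike domain, a second capture on a fake error page, then a bounce to the genuine DoL site) leaves a recognisable trace in web proxy logs. The following is an added, defender-side example and is not code from the original post or from INKY's research: it scans constructed sample log lines (a simplified timestamp/user/method/URL/status format assumed for illustration) and flags any user session in which one or more form POSTs to a host that merely resembles dol.gov are followed by a visit to the real dol.gov. The token-based lookalike test is a deliberately simple assumption, not a production classifier.

```python
"""
Added example (not from the original post): a small checker that looks for
the double credential capture followed by a redirect to the legitimate site.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Only the real Department of Labor domain (and its subdomains) is trusted.
LEGIT_DOL = "dol.gov"
# Assumed lookalike markers: tokens an impersonation host is likely to carry.
LOOKALIKE_TOKENS = ("dol", "labor", "labour")

# Constructed sample log lines (timestamp user method url status); not real traffic.
SAMPLE_LOG = """\
2022-01-20T09:01:10 alice GET https://dol-gov-bid.example/ 200
2022-01-20T09:01:45 alice POST https://dol-gov-bid.example/login 302
2022-01-20T09:01:46 alice GET https://dol-gov-bid.example/error 200
2022-01-20T09:02:05 alice POST https://dol-gov-bid.example/login 302
2022-01-20T09:02:06 alice GET https://www.dol.gov/ 200
2022-01-20T09:05:00 bob GET https://www.dol.gov/agencies 200
2022-01-20T09:06:00 bob POST https://www.dol.gov/search 200
2022-01-20T09:07:00 carol POST https://intranet.example/login 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)\s+(\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, url, status = m.groups()
    host = (urlsplit(url).hostname or "").lower()
    return {"ts": ts, "user": user, "method": method, "host": host, "status": int(status)}


def is_legit_dol(host):
    """True only for dol.gov itself and its subdomains."""
    return host == LEGIT_DOL or host.endswith("." + LEGIT_DOL)


def looks_like_dol(host):
    """True for hosts that carry a DoL-ish token but are not the real domain."""
    if is_legit_dol(host):
        return False
    compact = host.replace("-", "").replace(".", "")
    return any(tok in compact for tok in LOOKALIKE_TOKENS)


def find_credential_capture(log_text):
    """
    Return {user: finding} for every user whose session shows one or more
    POSTs to a DoL lookalike host followed by a GET of the real dol.gov.
    The POST count is reported because the campaign described above
    collects credentials twice (login page, then the fake error page).
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = {}
    for user, evs in by_user.items():
        posts_to_lookalike = []
        for e in evs:
            if e["method"] == "POST" and looks_like_dol(e["host"]):
                posts_to_lookalike.append(e["host"])
            elif e["method"] == "GET" and is_legit_dol(e["host"]) and posts_to_lookalike:
                findings[user] = {
                    "lookalike_hosts": sorted(set(posts_to_lookalike)),
                    "credential_posts": len(posts_to_lookalike),
                    "redirect_to_legit": True,
                }
                break
    return findings


if __name__ == "__main__":
    for user, finding in find_credential_capture(SAMPLE_LOG).items():
        print(user, finding)
```

Running the block reports only alice, with two credential POSTs to one lookalike host; bob's legitimate use of dol.gov and carol's unrelated intranet login are not flagged. The substring heuristic is intentionally crude (it would also match unrelated hosts containing "dol"), so in practice the lookalike test would be replaced by a newly-registered-domain feed or a proper typosquat classifier, while the sequence logic (form POST to an untrusted host, then landing on the impersonated site) stays the same.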

I have two comments on this new threat. The first is from Saryu Nayyar, CEO and Founder of Gurucul:

“Spoofed domains are the foundation of phishing attacks and spoofing government agencies is extremely difficult for users to identify unless they consistently research the addresses on their own before clicking on any links. That is why these types of attacks are so successful in stealing credentials or establishing a foothold within an organization. This one is particularly clever in thwarting email security through hijacked legitimate servers and even eventually directing users to a legitimate DoL site after they’ve acquired what they wanted. The latter is a subtle, yet effective twist. However, advanced behavioral analysis and out-of-the-box machine learning (ML) models would have detected the abnormal communications to the servers and/or malicious, but unknown, domains. It is critical for organizations to invest beyond the current SIEM and XDR tools and look at more Next gen SIEMs and advanced SOC platforms with a multitude of analytics and true ML models that can not only identify the malicious activity quickly, but also elevate the risk as it determines it is part of an attack campaign. The analytics also provide needed context for a targeted automated response, potentially stopping the attack earlier in the kill chain before credentials can be stolen.”

The second is from Chris Olson, CEO of The Media Trust:

“Today’s malicious actors are vigilant in generating new domain names to skirt around blockers. By the time a list is updated to reflect the latest source of a phishing or malware attack, the operation shifts to a brand new site. This is why organizations can’t depend solely on CMPs, ad blockers or other traditional tools to protect their online visitors: there is no replacement for live scanning to detect malicious code.”

I’ve heard of cases where a spoofing attack has cost an organization hundreds of thousands of dollars. Thus, making sure you have the means to stop these attacks before they start is key to making sure that you’re not bleeding cash because of a spoofing attack.
