By Philip McCarty
July 12, 2022 - On July 5 the Missouri Department of Labor and Industrial Relations posted this warning to their website:
The Missouri Department of Labor and Industrial Relations is warning individuals about potential messaging scams involving Missouri’s unemployment program. The department is advising everyone to be wary of suspicious email or text messages, as well as any links they contain. Text messages from the department will never include links.
The scams often involve email or text messages attempting to acquire personal information from individuals to gain access to funds or commit identity theft. Phishing messages often ask for personal information such as social security number, birthdate, PIN number, or other data. These messages may appear to have been sent by the Missouri Department of Labor, the Division of Employment Security, a banking institution or other entity.
Anyone unsure if a message about Missouri’s unemployment program is legitimate is encouraged to contact the department for verification. Individuals may submit a request online or speak to a representative by calling 800-320-2519.
This appears to be a variant on the phishing scam involving the US Department of Labor (DoL) that surfaced in late 2021. That scam targets businesses by asking them to bid on ongoing government projects. According to the Techco website, the scam email asks prospective victims to enter their Microsoft 365 address or company email into a fake webpage. The scammers use realistic-looking DoL letterhead, say that the message is from the “Chief Procurement Officer”, and have copied the DoL website, so a person on the fake site cannot tell the difference.
The Techco website describes it this way:
Attached to the email is a PDF document that includes information about the fake bid opportunity, as well as a malicious link. You’re then sent through to a fake DoL page and a ‘click here to bid’ button will take you to a page where you’re asked to enter your Microsoft 365 or business email address. Regardless of whether you enter your details correctly, the page will ask you for them twice, ensuring your actual details are stolen.
The page victims are sent through looks identical to the real DoL page – because it is (but only visually). This is done by lifting the HTML code and CSS from the legitimate site, reproducing an exact copy.
However, another sophisticated tactic used in this scam is utilizing the legitimate DoL page. If a victim enters their credentials twice – which an Inky researcher did – it will redirect to a legitimate page, adding to the confusion over what has happened.
Inky also reveals that the email was able to obtain a DKIM pass – which is used to root out scam and spoof emails – by hijacking a legitimate mail server belonging to a non-profit organization. However, brand new domains were also used in some cases – another tactic used to avoid detection by anti-phishing tools that use blacklisting processes.
The real problem with this attack is that the emails sent by the phishers appeared to come from no-reply@dol[.]gov, which is the genuine sender address used by the US DoL. Additionally, Inky reports that a small percentage came from fake but similar-looking domains: dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us.
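The two evasion tricks described above (a DKIM pass obtained from a hijacked third-party mail server, and lookalike domains that blacklists do not yet know) can both be caught on the receiving side with header checks. The following Python is an added example written for this article; it is not code from Inky, Techco, or the DoL. It assumes the organization maintains a short list of genuine brand domains (here only dol.gov, taken from the article), uses a crude two-label approximation of the registrable domain instead of the Public Suffix List, and parses a conventional `Authentication-Results` header. The sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Domains this organization treats as the genuine sender for the brand.
# The article names dol.gov; add others for your own environment.
TRUSTED_DOMAINS = {"dol.gov"}


def registered_domain(host: str) -> str:
    """Return the last two DNS labels of a host name (e.g. mail.dol.gov -> dol.gov).

    Simplifying assumption: a production filter should consult the Public Suffix
    List instead, since two labels are wrong for names such as example.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def _normalize(domain: str) -> str:
    """Collapse a domain to lowercase letters and digits so that hyphen and dot
    tricks (dol-gov.com, bids-dolgov.us) compare against the brand token dolgov."""
    return re.sub(r"[^a-z0-9]", "", domain.lower())


def classify_sender_domain(from_header: str, trusted=TRUSTED_DOMAINS):
    """Classify the *actual* address in a From header, ignoring the display name.

    Returns (verdict, domain) where verdict is one of
    'trusted', 'lookalike', 'unrelated' or 'malformed'."""
    _, addr = parseaddr(from_header)          # display-name spoofing is ignored here
    if "@" not in addr:
        return ("malformed", "")
    domain = registered_domain(addr.rsplit("@", 1)[1])
    if domain in trusted:
        return ("trusted", domain)
    norm = _normalize(domain)
    for t in trusted:
        if _normalize(t) in norm:             # brand token embedded in a stranger's domain
            return ("lookalike", domain)
    return ("unrelated", domain)


def dkim_aligned(auth_results: str, from_header: str) -> bool:
    """True only when dkim=pass was produced by the From domain itself
    (DMARC-style relaxed alignment).

    A hijacked non-profit server can sign a message and earn dkim=pass for *its*
    domain; that says nothing about whether the From address is genuine."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return False
    from_dom = registered_domain(addr.rsplit("@", 1)[1])
    m = re.search(r"dkim=pass(?:\s+\(.*?\))?\s+header\.d=([^\s;]+)", auth_results, re.I)
    if not m:
        return False
    return registered_domain(m.group(1)) == from_dom


def triage(headers: dict) -> str:
    """Combine both checks into a single verdict for one message."""
    verdict, _ = classify_sender_domain(headers.get("From", ""))
    if verdict == "lookalike":
        return "quarantine: lookalike sender domain"
    if verdict == "trusted" and not dkim_aligned(headers.get("Authentication-Results", ""),
                                                 headers.get("From", "")):
        return "quarantine: brand domain without aligned DKIM"
    return "deliver"


# Constructed sample messages modelled on the tactics described in the article.
SAMPLES = [
    {"From": "DoL Procurement <no-reply@dol.gov>",
     "Authentication-Results": "mx.example.net; dkim=pass header.d=hijacked-nonprofit.example"},
    {"From": "Procurement <bids@dol-gov.com>",
     "Authentication-Results": "mx.example.net; dkim=pass header.d=dol-gov.com"},
    {"From": "<notify@bids-dolgov.us>",
     "Authentication-Results": "mx.example.net; dkim=none"},
    {"From": "DoL <no-reply@mail.dol.gov>",
     "Authentication-Results": "mx.example.net; dkim=pass (good signature) header.d=mail.dol.gov"},
]


def triage_samples():
    return [triage(h) for h in SAMPLES]


if __name__ == "__main__":
    for h, result in zip(SAMPLES, triage_samples()):
        print(f"{h['From']!r:50} -> {result}")
```

The first sample is the case Inky describes: the From header claims dol.gov, DKIM passes, but the signing domain is the hijacked non-profit, so alignment fails and the message is held. Only the last sample, signed by a subdomain of the genuine brand, is delivered.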
Medium.com also reports that the emails contain a 3-page .pdf file to give the email a more legitimate look and feel. “On page two, there is a “BID” button that you’re instructed to click on to gain access to DoL’s procedure portal. However, the button is a fake and contains a malicious link, but here’s the rub, it’s not always sending you to the same domain, which is extremely frustrating for security firms as it’s taking this attack to new levels of complexity.” Clicking the button sends you to the fake DoL site that looks absolutely real because the phishers copied the genuine site.
What can you do?
Medium.com has these suggestions:
Sadly, almost every article I’ve read about this and other phishing scams tells you to be diligent and be careful what you click on. This frustrates me as it’s nothing more than milquetoast advice. If you cannot tell the difference between the real and fake site, then this is useless at best.
Here are the top 3 suggestions, in order:
1. Enable two-factor authentication (2FA). This means even if you give up your credentials, they won’t be able to get into your account without the code sent to your phone, which generally changes every 30–60 seconds.
2. Make sure your IT provider is keeping up on best practices including backing up emails as it’s very common for these scammers to delete your mailbox after they’ve taken everything of value (which might be different per each different attack).
3. Education: Have your IT provider set up your system with fake phishing email programs to test your people. Basically if they click on any of the fake phishing emails (not to be confused with the fake real emails, aka phishing), they will automatically be enrolled in online phishing training.
The more we rely on computers to accomplish our work, the more scammers will try to take advantage of it. Be vigilant.