This super ambitious phishing campaign impersonated the US Department of Labor

Hook on Keyboard
(Image credit: wk1003mike / Shutterstock)

A new phishing campaign has been making the rounds online that convincingly impersonates the US Department of Labor (DoL).

Discovered by the email security company Inky, the majority of phishing attempts used in the campaign spoof sender email addresses to make them appear as if they came from no-reply@dol[.]gov. 

While this is the DoL's real email address, a small subset of email addresses were spoofed to look as if they came from no-reply@dol[.]com instead though the attackers also used other newly created look-alike domains such as dol-gov[.]com, dol-gov[.]us and bids-dolgov[.]us.

Each of the phishing emails sent as part of the campaign invite recipients to submit bids for “ongoing government projects” and claimed to be from a senior DoL employee responsible for procurement. These emails also contained a three-page PDF attachment with well-crafted DoL branding elements to make them appear more legitimate.

Submitting a bid

Recipients interested in participating in the government projects advertised in this phishing campaign were instructed to click on the “BID” button on page two of the attached PDF to access the DoL's procurement portal. However, doing so took them to a malicious domain that impersonated the DoL.

Upon reaching the malicious domain, recipients are greeted with a set of fake instructions on how the DoL's bidding process works. The attackers behind this campaign are quite clever though as closing the instructions takes a user to an identical copy of the real DoL website as the HTML and CSS from the real site was copied and pasted into the phishing site.

Those who clicked on the red “Click here to bid” button were then presented with a credential harvesting form with instructions to sign in and bid using Microsoft Outlook or another business email service. When one of Inky's engineers tried to enter fake credentials, the site displayed a fake incorrect credentials error when in reality, these fake credentials had already been harvest by the attackers. The second time though, the engineer was redirected to the real DoL site to add authenticity to the campaign.

To avoid falling victim to this campaign and others like it, Inky points out that official US government domains typically end in .gov or .mil as opposed to .com or another top-level domain.

We've also featured the best endpoint protection software, best identity theft protection and the best firewall

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
A fish hook is lying across a computer keyboard, representing a phishing attack on a computer system
Microsoft authentication system spoofed via phishing attack
Someone checking their credit card details online.
Hackers use CAPTCHA scam in PDF files on Webflow CDN to get past security systems
Close up of a business person using a smartphone.
Watch out, malicious PDF files are being used again in phishing attacks
Fraude en ligne phishing
Google forced to step up phishing defenses following ‘most sophisticated attack’ it has ever seen
Paper craft illustration of a suspicious email that contains a snake
How to spot a phishing email
An iPhone sitting on a wooden table
Millions at risk as malicious PDF files designed to steal your data are flooding SMS inboxes - how to stay safe
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think
Amazon Echo Smart Speaker
Amazon is experimenting with renaming Echo speakers to Alexa speakers, and it's about time
Shigeru Miyamoto presents Nintendo Today app
Nintendo Today smartphone app is out now on iOS and Android devices – and here's what it does
iPhone 13 mini
The iPhone mini won't be returning, according to rumors – and you think that's a mistake