IT personnel working the trenches in the fight against malicious emails know that financial transactions -- and the various documents that support and accompany those transactions -- provide malicious actors seemingly endless fodder for clever phishing attacks designed to separate legitimate organizations from their money and reputations, as well as their customers, clients, and partners.

Indeed, fake invoices, RFQs, POs, ACH documents, and remittance forms collectively constitute the "social engineering" backbone of innumerable phishing campaigns. And hapless employees keep falling for them, clicking through malicious links and opening malware-laden attachments -- often with nary a thought to the potential consequences -- bringing malicious actors and their sophisticated malware inside their employers' networks.

Over the past few months we have observed the increasing use of yet another type of transaction-based social engineering scheme designed to hook companies dependent on government contracts: the invitation to bid. In what follows, we'll take a look at a number of actual phishing emails reported to us by customers using the Phish Alert Button (PAB).

The Evolution of the Fake Bid Phish

Fake bid invitations have been around for a while, to be sure. In many respects, they are a natural variation of the fake RFQ, which leverages a targeted organization's search for new business to dupe its employees into opening the digital door to security breaches, costly downtime, and financial mayhem.

Consider this confused, yet highly malicious phishing email, which can't seem to decide whether it's a fake PO or a fake RFQ:

Despite the obvious mechanical stumbles in the email body, this phish fairly represents the blizzard of fake RFQ emails currently hitting users' inboxes. And it packs a mighty wallop in the attached .RAR file:

That's right: a good old-fashioned executable backdoor trojan. (And you thought those were going out of style!)

From that humble fake RFQ, though, it's just a hop, skip, and jump to this more polished fake "invitation to bid" on a potentially lucrative "airport project" allegedly being run by a well-known, upscale hotel chain.

This phish is noticeably more polished than that fake RFQ, though it, too, has its problems.

More so than the phish we looked at earlier, however, this fake "invitation to bid" relies heavily on the enticing promise of more information lurking behind that malicious link -- even going so far as to provide specific directions for completing and submitting the bid form.

Alas, it is all a mirage. Here are the same instructions -- this time for an "improvements project" being run by a health care organization:

Like the first phish, though, this bogus "invitation to bid" remains short and to the point. And that is the most obvious difference between these less ambitious "fake bid" phishes that we've seen now for several years and the newer "fake bids" targeted at government contractors.

Going Large

Governments tend to be large, sprawling organizations. Apparently, the phishing emails targeting private contractors who bid for government projects have to be just as big, just as byzantine, and just as bureaucratic. Or so it would seem from the steady stream of fake "invitation to bid" phishing emails we've been tracking over the past 4-6 months.

Let's take a look.

Here is the opening move in a routine phishing email purporting to hail from the Department of Transportation. (We've also seen similar emails spoofing the Department of Commerce.)

The level of detail and the disciplined construction of the email body are a noticeable improvement on the previous "fake bid" email we looked at just above. For all we know, this email might be based on an actual DOT email that the bad guys managed to get their hands on. Whatever the case, this well-built phishing email is only the first step in a long slog to our final destination.

The email urges recipients to click the "BID" button in the attached PDF to access the bid portal on the DOT's website. Here is the first page of what turns out to be an unusually long, four-page PDF:

Notice that there is no BID button. This first page is devoted entirely to selling the ruse with still more carefully constructed, convincing detail. Users will actually have to scroll down to the second page to find the BID button amidst a host of other detail.

To say this kind of arrangement in a phishing email is unusual would be an understatement. In fact, it's almost unheard of. In 99.9% of other phishing emails we've encountered, the bad guys aim to get the money link in front of users as quickly as possible. Often that link is in the email body itself. When the bad guys do elect to relegate it to an attachment (typically to reduce the chances that it is flagged by scanners), that attachment is almost always a single page with the malicious link itself placed front and center before the victim. Even in the rare two-page malicious attachments that we occasionally encounter, the link is still on the first page.

There is a reason the bad guys are eager to get their money links before users as quickly as possible. The more clicks you put between users and their final destination -- whether it be an adware installation laden with EULAs, privacy policies, disclaimers, and optional crapware installs, or a malicious phishing email such as we have here -- the fewer the number of users who will actually make it through to the end. Simply put, superfluous clicks bleed impatient users.

If nothing else, the execution of this phish speaks not only to the discipline of the malicious actors running the campaign, but to their own confidence that they have understood their "audience" (for lack of a better term) well enough to take this kind of risk. After all, what are a few extra clicks when a big government contract is in the offing?

But wait! We're not even close to being finished here. That BID button in the attached PDF takes users to a professionally designed spoof of the DOT's own website, which greets them with still another set of instructions that must be closed to continue.

Once that instructions box is closed, the magical BID button finally comes into view.

The BID button itself ends up opening a login box that -- at least for anyone with a functioning brain -- ought to be a red flag.

No, the DOT is likely not accepting AOL logins. And they would be utter fools to accept punters from Yahoo!.

Whatever else can be said of this phish, it must win some kind of award for "most elaborate credentials phish" -- like, ever. (We certainly haven't seen anything that comes close.)

Variations on Variations

Over the course of the past few months, we have seen several variations on this phish. For example, this fake "invitation to bid"...

...takes users through a PDF (with the BID link on the first page)...

...and on to an equally well-designed spoof of the website for the Department of Commerce:

Apparently, the bad guys thought better of continuing to accept GoDaddy logins for some reason. (AOL and Yahoo! users are still good to go, though.)

Interestingly, some of the latest variants of this phish have ditched the PDF attachment altogether -- combining elements of the old email body and PDF into a single, jumbo-sized email that puts the BID button before potential marks much more quickly.

As we have stressed in earlier blog posts, the bad guys are always learning and adapting. The fact that this campaign is still going after six months, though, tells us that the malicious actors behind it must be enjoying some level of success with it. And we've certainly seen evidence that the bad guys were right to think they could get traction with this kind of elaborately designed credentials phish.

The DOT phish we laid out above, for example, generated considerable interest -- even excitement -- amongst employees at the targeted organization. The initial recipient in that organization wasted no time in pursuing it...

...and, in so doing, spreading that malicious email to others in the organization:

Malicious actors certainly don't lack for incentives to pursue this kind of phishing campaign, as government contractors could very well be sitting on plenty of attractive data, ranging from extensive contacts with well-heeled clients and customers to logins and other special access to government agencies. And then, of course, there is the money. For, in the end, it's always about the money.

Put simply, a well-executed credentials phish against a government contractor could yield a bonanza for malicious actors working this kind of campaign. And the elaborate detail and disciplined construction of the campaign certainly reflect that.

Conclusion

Even if you're not in the government contracting business, this kind of phishing campaign ought to make you sit up in your chair. If nothing else, it clearly demonstrates the lengths to which malicious actors will go to wangle something as simple -- and potentially destructive -- as a set of login credentials from your users and employees. The bad guys are just that determined, just that disciplined.

It should also serve as a warning that the days of counseling users to spot phishing emails by looking for grammar, spelling, and syntax errors are long gone. Your users won't help you keep the bad guys out by becoming grammar nazis. And that training session you did last year in the break room with a box of doughnuts and a PowerPoint deck will forever be a distant, foggy memory.

What your employees need is New-school Security Awareness Training, which teaches them what to look for and regularly tests their mettle against simulated phishing emails based on the latest phishing campaigns actually out there "in the wild." And the "wild" we speak of is not something scary "out there," lurking just beyond the tall trees of your firewall. It's in your users' inboxes right now, today, and each and every day.