Beware of GOV themed phishing
While doing my daily routine check with my toolset, I noticed an interesting domain name that was built from some very interesting keywords.
hxxps://energy.gov.procurement.bidnet.atacamalex.cl/auth/
It was detected by my tools a couple of hours before I noticed it, but it was still online. So let's see what was (or is, as this domain is still up and running) the content.
It looks very interesting already at first sight. As you can see, there is a clear message that this website was built to "bid" for working with the United States Government on its energy-related projects. And, of course, you need to "sign in" with your email provider credentials to gain access to the network. For people who just browsed to this page by accident, there is a warning note to scare off uninvited guests (well, I found the link, so am I invited or not? :))
Let's have a look at the main page then.
To make this website look legit, the attacker used energy-related news and articles (including the U.S.-Poland energy partnership deal). And, of course, a big red button to sign up for bidding.
Let's click it then!
As you can see, the website supports logins from Gmail, Outlook, GoDaddy, Office365, Yahoo, something (?), and AOL. But I'm sure you can provide any email (they are most probably looking to phish company-related email accounts, or GOV agencies). Let's add some email then!
While testing I tried a .pl domain, but the website didn't accept it (.pl is apparently out of the attacker’s interest).
So I tried another one, using a randomly generated string with @yahoo.com as a domain (one of the listed providers they said they were supporting).
Et voilà! The system accepted it and assigned a reference number, saying that documents would be emailed shortly after I added my email.
Let's try to add another one then!
Once again, I generated some random string and used it as an email address in the @yahoo.com domain and .... guess what?
The same ref number! ;)
Once you provide your email and click the "close" button, the page redirects you to the legitimate energy.gov website, just to avoid any suspicion.
What happened there? First, they are looking for companies who want to bid to work with the U.S. Department of Energy (how the link is distributed is unknown to me, but if you are working closely with the US Gov, then watch out for any suspicious emails with this theme), then asking for the email and password to YOUR email account - what could go wrong there?
Once you provide your email account details, they can access your emails, and if you are interested in working with US Dept. of Energy, then you most probably have something in your mailbox that’s interesting for the attacker.
When you take a close look at the domain, you will see that it's actually a hostname with a bunch of interesting keywords in the atacamalex.cl domain.
And it looks like atacamalex.cl is actually a law firm based in Chile.
Are they somehow involved? Most probably they don't even know that their domain was compromised. The IP address on which they are hosting the domain (and website) is most probably a shared hosting server that was compromised (or their account was compromised).
More info on hosted websites can be found on VT:
hxxps://www.virustotal.com/gui/ip-address/99.198.101.234/relations
This IP also hosts other hostnames that were used in phishing campaigns, this time health.gov and hhs.gov themed:
hhs.gov.procurement.auth.atacamalex.cl
health.gov.bidnet.procurement.server.atacamalex.cl
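All three hosts share one shape: a real government domain (energy.gov, hhs.gov, health.gov) appears as a sub-label of an unrelated registrable domain. As an added example (not tooling from the post), the Python below flags hostnames of that shape in a domain feed or proxy log; the keyword list and the simplified "last two labels" registrable-domain rule are assumptions, and a public-suffix list would be used in production.

```python
"""Flag hostnames that embed a government-looking domain (e.g. "energy.gov")
as a sub-label of some other registrable domain, the pattern used by the
phishing hosts discussed above. Added example; not tooling from the post."""

# Labels that attackers impersonate as a fake "TLD" inside a hostname.
IMPERSONATED_TLDS = {"gov", "mil", "edu"}
# Assumed lure keywords seen in the hostnames above (extend as needed).
KEYWORDS = {"procurement", "bidnet", "auth", "server", "login", "bid"}


def registrable_domain(host):
    """Assumption: registrable domain is the last two labels (no PSL lookup)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_host(host):
    """Return a dict describing why a hostname looks like gov-themed phishing,
    or None if it does not match the pattern."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return None
    # A gov/mil/edu label is only suspicious when it sits ABOVE the registrable
    # domain, so www.energy.gov and www.gov.uk are not flagged.
    hits = [i for i, lab in enumerate(labels[:-2]) if lab in IMPERSONATED_TLDS]
    if not hits:
        return None
    i = hits[0]
    impersonated = ".".join(labels[max(0, i - 1):i + 1])  # e.g. "energy.gov"
    return {
        "host": host,
        "impersonated": impersonated,
        "registrable": registrable_domain(host),
        "keywords": sorted(set(labels) & KEYWORDS),
    }


def scan(hosts):
    """Run classify_host over an iterable of hostnames, keeping only matches."""
    return [r for r in (classify_host(h) for h in hosts) if r]


# Constructed sample input: the three hosts named in the post plus benign ones.
SAMPLE_HOSTS = [
    "energy.gov.procurement.bidnet.atacamalex.cl",
    "hhs.gov.procurement.auth.atacamalex.cl",
    "health.gov.bidnet.procurement.server.atacamalex.cl",
    "www.energy.gov",
    "www.gov.uk",
    "mail.example.com",
]

if __name__ == "__main__":
    for result in scan(SAMPLE_HOSTS):
        print(result)
```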
The phishing pages I looked at in this article were reported, and should be taken down soon. Until then, if you want to play with it, it's still online.
On to the next one!
vCISO / Principal Consultant - Mandiant, Google Cloud
4y
Were you able to tell where the phished credentials end up by examining the website source/scripts?
CyberSecurity Architect – Threat Intel - CISSP, CCSP, CEH
4y
Interesting... Interesting...
CEO at EXATEL SA, PhD
4y
"While testing I tried a .pl domain, but the website didn't accept it (.pl is apparently out of the attacker’s interest)." at least some good news :)