Abnormal Security researchers discovered attackers were impersonating the Texas Department of State Health Services to send fake Request for Quotations (RFQs) to vendors in a type of multi-layered email attack.
According to the researchers, the scammers attempted to receive merchandise worth hundreds of thousands of dollars and avoid payment. The attackers goal is to retrieve merchandise, and later profit from the resale of the stolen goods, say the researchers.
The researchers found that the email appears to be sent from a dshs.texas.gov domain, while the reply-to is from finance-nycgov.us. Finance-nycgov.usa is a domain that was registered just 2 months ago (07/06/2020) to a resident in Washington State and is an impersonation of nyc.gov, Abnormal Security found. In addition, the received-spf has a sinonordic.com domain, and the IP originates from a VPN service based out of Denver, CO. By using a VPN service, attackers are able to obfuscate their true location, identification, and cover their tracks.
The email addresses the sales department with a brief message expressing interest in purchasing 20 laptops and 200 external hard drives with specifications for each. The order form contains a phone number and a billing address for the items to be sent within the next 30 days.
Researchers note the attack is effective because it delivers sense of urgency, as the quote has an expiration date, prompting the recipient to take action by October 6, 2020.
Attacking governments is a rising trend for cybercriminals. In fact, Mimecast’s recent State of Email Security Report found:
- 54% of the public sector has seen an increase in impersonation fraud in the last year
- On average, public sector organizations have been made aware of a web or email spoofing attack using their domains or lookalike domains 6 times
Matthew Gardiner, Principal Security Strategist at Mimecast, says, “The use of email, the web, and internet to fraudulently spoof and exploit the online brands of well-known and trusted government and private entities is highly popular amongst cybercriminals, because it is relatively easy and inexpensive to setup and has a high probability of success. This attack technique is not isolated to massive internet brands anymore. As the article lays out there were multiple anomalies that can lead, relatively easily, to detection and blocking. But unfortunately many organizations, both on the brand owner side and the attack receiver side, do not apply the most up-to-date security controls to block these types of attacks. Without effective technical security controls, attacked organizations are left to the savvy and caution of their user base and the robustness of their business processes, which are also key parts of a security program. But clearly if the attack could be stopped before even being delivered that should always be the goal!”