September 21, 2020
Abnormal Security
In this attack, attackers impersonate a Texas Government Request for Quotation in order to receive free goods.
Platform: Office 365
Email Security Bypassed: Proofpoint
Mailboxes: 15,000 to 50,000
Payload: Attachment
Technique: Impersonation
Setup: Impersonating government agencies to send fake RFQs to vendors is a type of multi-layered email attack. In this attack, scammers attempt to receive merchandise worth hundreds of thousands of dollars and avoid payment. Although this purchase order contains a government billing address, the government entities will not receive payment from the fraudulent vendor. The attacker's goal is to retrieve merchandise, and later profit from the resale of the stolen goods.
Email Attack: The email impersonates the Texas Department of State Health Services. The email appears to be sent from a dshs.texas.gov domain, while the reply-to is from finance-nycgov.us. Finance-nycgov.us is a domain that was registered just 2 months ago (07/06/2020) to a resident in Washington State and is an impersonation of nyc.gov. In addition, the received-spf has a sinonordic.com domain, and the IP originates from a VPN service based out of Denver, CO. By using a VPN service, attackers are able to obscure their true location and identity and cover their tracks.
Payload: The email addresses the sales department with a brief message expressing interest in purchasing 20 laptops and 200 external hard drives, with specifications for each. The order form contains a phone number and a billing address for the items to be sent within the next 30 days. The attached PDF is disguised as a Request for Quotation (RFQ), but is actually a scam for fake solicitation of goods. There is no ship-to address (listed as TBD), and the phone number provided is not associated with the bill-to address, although the area code is in Texas and does match the area code for the Department of State Health Services phone number. This is a social engineering tactic aimed at prompting recipients to request the ship-to address, either by email or phone.
Result: This attack was sent to the sales department and aimed to garner engagement from the recipient. If unsuspecting salespersons were to respond to this initial request, attackers could establish a line of communication and eventually follow through with the requested goods. Victims would have to account for a financial loss worth thousands to tens of thousands of dollars in stolen goods.
Urgency: The quote has an expiration date, prompting the recipient to take action by October 6, 2020.
Spoofed Email and Vendor Impersonation: The attacker sends an email that appears to be from the Texas government and even adds the Texas Health and Human Services logo to the RFQ form to appear legitimate. The email domain the message was sent from was recently registered, and the registrant information is not consistent with the impersonated party.
Suspicious Reply-To Email: In the first portion of the attack, the reply-to address uses the domain “finance-nycgov.us” in order to mimic a .gov domain. This is done to move the conversation to a mailbox the attacker controls.
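The header indicators described above (a Reply-To domain that differs from the From domain, a non-.gov Reply-To domain carrying a "gov" label, and a Received-SPF domain unrelated to the apparent sender) can be checked mechanically. The following Python example is added here and is not Abnormal Security's detection logic; the sample message, local parts, IP address, and function names are constructed for illustration, and comparing only the last two domain labels is a simplifying assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample headers modelled on the indicators described above
# (local parts, IP address and SPF wording are invented for illustration).
SAMPLE = """\
From: "Procurement" <purchasing@dshs.texas.gov>
Reply-To: quotes@finance-nycgov.us
Received-SPF: pass (protection.outlook.com: domain of sinonordic.com designates 203.0.113.7 as permitted sender)
Subject: Request for Quotation

Please see the attached RFQ.
"""

def domain_of(header_value):
    """Return the lower-cased domain of the address in a header, or ''."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def registrable(domain):
    """Crude last-two-labels reduction (assumption: no public-suffix list)."""
    return ".".join(domain.split(".")[-2:])

def rfq_header_flags(raw):
    """List the header inconsistencies found in one raw message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        flags.append("reply-to-domain-mismatch")
    # A label ending in "gov" (e.g. "finance-nycgov") on a domain outside .gov
    if not reply_dom.endswith(".gov") and re.search(r"[a-z0-9-]gov(\.|$)", reply_dom):
        flags.append("reply-to-gov-lookalike")
    m = re.search(r"domain of (\S+)", msg["Received-SPF"] or "")
    if m:
        spf_dom = m.group(1).rpartition("@")[2].lower()
        if registrable(spf_dom) != registrable(from_dom):
            flags.append("spf-domain-mismatch")
    return flags

if __name__ == "__main__":
    print(rfq_header_flags(SAMPLE))
```

Each flag alone is weak evidence; messages that raise more than one are good candidates for a review queue or a banner warning before a salesperson replies.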