Department of Labor Impersonated in Identity Theft Attack

December 21, 2020

We're nearly a year into the pandemic and scammers are still taking advantage of the financial hardship caused by COVID-19. In a recent attack, they impersonated a government entity and offered supposed relief funds to gain access to sensitive and identifying information.

Summary of Attack Target

  • Platform: Office 365
  • Bypassed Email Security: Proofpoint
  • Victims: Employees
  • Payload: Link
  • Technique: Impersonation

Overview of the Department of Labor Impersonation Attack

The attacker impersonates the New York Department of Labor by disguising their identity with the display name “noreply@labor.ny.gov” and displaying the New York State logo at the top of the email. However, a closer look reveals the true sender is “naij30@naija9icevibes.com”, a Panamanian-registered domain with no association to the New York state government.

The attacker claims that the government will administer a $600 relief fund to citizens who fill out the indicated form. The “click here” hypertext redirects the recipient to a webpage controlled by the attackers and mimics a New York state government page that asks for sensitive information such as name, address, date of birth, social security number, and driver’s license number.

NY department of labor phishing scam
A phishing email from the New York Department of Labor

The email contains an embedded link that should supposedly lead to a NY.GOV site, but actually points to "https://thesender[.]org/fjc4". After clicking on the hypertext, the link redirects to “bo2.cloudns.cl/NYU/cnf[.]php”, a phishing page posing as a legitimate government website. Although this landing page displays the official New York state government logo, the URL is not associated with the New York Department of Labor. Instead, it is a trap for users to release valuable information in the pursuit of their promised COVID-19 relief fund.

NY Department of Labor phishing scam landing page
The fake landing page from the Department of Labor phishing scam

The landing page itself asks for not only basic information like name and address but also social security number and driver's license number—both of which could be used for nefarious purposes. If the recipients fall victim to this attack, they would release extremely personal information to the scammers, which could ultimately lead to identity theft and other fraud.

Why This Identity Theft Attack was Effective

Because this email is offering $600 in relief funds to those who might be suffering from financial hardship, the recipient is incentivized to act quickly in order to claim this offer. Additionally, by impersonating an official government entity, the email creates an air of authority and may seem more legitimate to the recipient, motivating the recipient to engage without delay. Americans have already received pandemic stimulus checks from the government, so a recipient of this email may truly believe that the government is offering additional relief as the pandemic continues.

In an additional effort to appear legitimate, the attacker employs the official logos of the New York state government in both the email and the fake form, creating a credible impression of a legitimate government entity.

Abnormal Security detecting department of labor phishing scam
Abnormal Security detecting a Department of Labor phishing scam

Abnormal stopped this email due to a variety of factors, including the unusual sender, suspicious link, and the language that indicates that the attacker may be attempting to steal personal information. We've also seen a large uptick in the number of attacks revolving around the COVID-19 pandemic, making this more likely to be an attack. Combined together, these factors help determine that the attack is malicious and is thus stopped before reaching inboxes.

If you're interested in stopping identity theft and credential phishing for your organization, see a demo of the Abnormal Security platform today.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 1500x1500 Modern Email Attacks Webinar Series L4 R2
Our Modern Email Attacks series has wrapped! Here are some of the biggest takeaways from Chris Krebs, Troy Hunt, and Theresa Payton.
Read More
B 1500x1500 Gartner Insights L1 R1
See our commitment to providing our customers with the best possible solution and support with these reviews from Gartner® Peer Insights™.
Read More
B 11 14 22 SPM Launch Blog Graphics
Security Posture Management gives organizations insight into cloud configuration risks and gaps across user and app privileges.
Read More
B 11 14 22 SPM Launch Blog 2
Cloud email platforms enable better collaboration, but they also create new entry points, making sensitive data more accessible to attackers.
Read More
B 1500x1500 Q3 Ransomeware L1 R2
This post explores the continuation of the sharp decline in ransomware attacks as well as a few other notable data points from Q3 2022.
Read More
B 10 05 22 Cloud Email Security Platform Essentials
Learn the 7 key capabilities a cloud email security platform should have in order to address and resolve common email security challenges.
Read More
B 11 07 22 Valimail
Discover the benefits of a modern, best-of-breed solution to email security with Abnormal Security and Valimail’s New Partnership.
Read More
B 11 07 22 Vision 23 Blog
Discover the latest trends in cybersecurity as we look toward the email threats of the future in partnership with SecureWorld.
Read More
B 1500x1500 Crimson Kingsnake L2 R1
Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.
Read More