Department of Labor Impersonated in Identity Theft Attack

December 21, 2020

We're nearly a year into the pandemic and scammers are still taking advantage of the financial hardship caused by COVID-19. In a recent attack, they impersonated a government entity and offered supposed relief funds to gain access to sensitive and identifying information.

Summary of Attack Target

  • Platform: Office 365
  • Bypassed Email Security: Proofpoint
  • Victims: Employees
  • Payload: Link
  • Technique: Impersonation

Overview of the Department of Labor Impersonation Attack

The attacker impersonates the New York Department of Labor by disguising their identity with the display name “noreply@labor.ny.gov” and displaying the New York State logo at the top of the email. However, a closer look reveals the true sender is “naij30@naija9icevibes.com”, a Panamanian-registered domain with no association to the New York state government.

The attacker claims that the government will administer a $600 relief fund to citizens who fill out the indicated form. The “click here” hypertext redirects the recipient to a webpage controlled by the attackers and mimics a New York state government page that asks for sensitive information such as name, address, date of birth, social security number, and driver’s license number.

NY department of labor phishing scam
A phishing email from the New York Department of Labor

The email contains an embedded link that should supposedly lead to a NY.GOV site, but actually points to "https://thesender[.]org/fjc4". After clicking on the hypertext, the link redirects to “bo2.cloudns.cl/NYU/cnf[.]php”, a phishing page posing as a legitimate government website. Although this landing page displays the official New York state government logo, the URL is not associated with the New York Department of Labor. Instead, it is a trap for users to release valuable information in the pursuit of their promised COVID-19 relief fund.

NY Department of Labor phishing scam landing page
The fake landing page from the Department of Labor phishing scam

The landing page itself asks for not only basic information like name and address but also social security number and driver's license number—both of which could be used for nefarious purposes. If the recipients fall victim to this attack, they would release extremely personal information to the scammers, which could ultimately lead to identity theft and other fraud.

Why This Identity Theft Attack was Effective

Because this email is offering $600 in relief funds to those who might be suffering from financial hardship, the recipient is incentivized to act quickly in order to claim this offer. Additionally, by impersonating an official government entity, the email creates an air of authority and may seem more legitimate to the recipient, motivating the recipient to engage without delay. Americans have already received pandemic stimulus checks from the government, so a recipient of this email may truly believe that the government is offering additional relief as the pandemic continues.

In an additional effort to appear legitimate, the attacker employs the official logos of the New York state government in both the email and the fake form, creating a credible impression of a legitimate government entity.

Abnormal Security detecting department of labor phishing scam
Abnormal Security detecting a Department of Labor phishing scam

Abnormal stopped this email due to a variety of factors, including the unusual sender, suspicious link, and the language that indicates that the attacker may be attempting to steal personal information. We've also seen a large uptick in the number of attacks revolving around the COVID-19 pandemic, making this more likely to be an attack. Combined together, these factors help determine that the attack is malicious and is thus stopped before reaching inboxes.

If you're interested in stopping identity theft and credential phishing for your organization, see a demo of the Abnormal Security platform today.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 06 21 22 Threat Intel blog
Executives are no longer the go-to impersonated party in business email compromise (BEC) attacks. Now, threat actors are opting to impersonate vendors instead.
Read More
B 06 7 22 Disentangling ML Pipelines Blog
Learn how explicitly modeling dependencies in a machine learning pipeline can vastly reduce its complexity and make it behave like a tower of Legos: easy to change, and hard to break.
Read More
B 04 07 22 SEG
As enterprises across the world struggle to stop modern email attacks, it begs the question: how are these attacks evading traditional solutions like SEGs?
Read More
Enhanced Remediation Blog Cover
The most effective way to manage spam and graymail is to leverage a cloud-native, API-based architecture to understand identity, behavior, and content patterns.
Read More
B 05 16 22 VP of Recruiting
We are thrilled to announce the addition of Mary Price, our new Vice President of Talent. Mary will support our continued investment in the next generation of talent here at Abnormal.
Read More
B 06 01 22 Stripe Phishing
In this sophisticated credential phishing attack, the threat actor created a duplicate version of Stripe’s entire website.
Read More
B Podcast Engineering9
In episode 9 of Abnormal Engineering Stories, Dan sits down with Mukund Narasimhan to discuss his perspective on productionizing machine learning.
Read More
B 05 31 22 RSA Conference
Attending RSA Conference 2022? So is Abnormal! We’d love to see you at the event.
Read More
B 05 27 22 Active Ransomware Groups
Here’s an in-depth analysis of the 62 most prominent ransomware groups and their activities since January 2020.
Read More
B 05 24 22 ESI Season 1 Recap Blog
The first season of Enterprise Software Innovators (ESI) has come to a close. While the ESI team is hard at work on season two, here’s a recap of some season one highlights.
Read More
B 05 13 22 Hiring Experience
Abnormal Security is committed to offering an exceptional experience for candidates and employees. Hear about our recruiting and onboarding firsthand from three Abnormal employees.
Read More
B 05 11 22 Scaling Out Redis
As we’ve scaled our customer base, the size of our datasets has also grown. With our rapid expansion, we were on track to hit the data storage limit of our Redis server in two months, so we needed to figure out a way to scale beyond this—and fast!
Read More