INKY Blog | Eliminate email security threats

Fresh Phish: Targeted DHS Impersonations Spike Amid U.S. Deportation Surge

Written by Bukar Alibe | Apr 15, 2025 2:52:27 PM

Under the current administration, the United States has experienced significant shifts in immigration and deportation policies. In fact, Homeland Security officials said that Immigration and Customs Enforcement (ICE) carried out more than 32,000 arrests in the first 50 days of the new administration.1 The deportation efforts have individuals, families, and even companies on edge.

Setting the Stage: Anxiety, Red Tape, and Regulations

For businesses navigating current regulations, things can be confusing. Countless organizations are racing to ensure they are compliant with Form I-9 requirements, which verify the identity and employment authorization of the individuals they hire to work in the United States. Those who are non-compliant face hefty fines and risk losing any government contracts they might have. Companies that employ migrant workers contend with an even longer list of processes and forms.

While all of this makes for a stressful work environment, for phishers this level of confusion and angst makes the perfect backdrop for a phishing attack.

Hijacked Accounts, Malicious Links, and Host-Based Cloaking

During the first quarter, INKY detected a spike in phishing emails that impersonate the United States Department of Homeland Security (DHS). This recent DHS phish takes advantage of current events: the inauguration of a new president, with new rules and executive orders related to immigration and non-U.S. workers. The chart below shows the DHS email spikes and counts both the emails INKY classified as dangerous and those it deemed suspicious. Those found to be dangerous focused on a recent executive order on immigration, while those designated as suspicious were designed to entice recipients into believing they might have a stake in some nonexistent unclaimed funds.

Let’s take a closer look at the more dangerous DHS emails. In this particular campaign, all phishing emails had one of two subject lines:

SUBJECT: Security Case#RandomString

-OR-

SUBJECT: U.S. Department of Homeland Security Case#RandomString

As the image below shows, a large number of sender domains were involved in this campaign, many under different country-code top-level domains (.jp for Japan, .de for Germany, .ca for Canada, etc.). These domains appear to be hijacked rather than registered by the phishers: they are not new (most are 5 to 10 years old or older), and when we visited them they either served real, unrelated content or returned internal server errors, neither of which is what a purpose-built phishing domain looks like.

Bad actors commonly hijack established domains to send phishing emails, exploiting weaknesses in how those domains are registered, resolved, or authenticated. Rotating between many hijacked domains lets attackers evade blocklists and reputation-based filtering, because each domain carries years of benign sending history that a freshly registered domain lacks. Here is a quick look at how they hijack domains:

Methods of Hijacking Domains for Phishing

  • Expired Domains: Attackers buy expired domains that were once legitimate, allowing them to send emails from what appears to be a trusted source.
  • Compromised DNS Settings: Attackers who gain control of a domain's DNS records (through a stolen registrar or DNS-provider login, for example) can add or alter MX, SPF, and other records so that mail from their own servers is treated as authorized for the domain.
  • Misconfigured SPF, DKIM, and DMARC: Many domains lack proper email authentication, or publish records that are present but not enforced (an SPF record ending in +all or ?all, a DMARC policy of p=none), allowing attackers to spoof their addresses and send phishing emails that receivers accept as legitimate.
  • Subdomain Takeovers: If a company doesn't properly manage its subdomains, a dangling record (for example a CNAME still pointing at a cloud service the company no longer uses) lets attackers claim the abandoned name and send phishing emails from it.

    Above you will see an example of an email used in the DHS impersonation campaign, which contained malicious links using newly created domains. These domains, designed to look like they could be related to DHS immigration, were all freshly created for this scam and registered with Namecheap, a domain registrar that (helpfully, for the phishers) accepts cryptocurrency as payment. These domains were created and used within the same day.

    Let’s take a closer look at two malicious domains used in this phishing campaign.

    When we visited the link associated with the first example, departmentimmigration[.]info, it redirected us to the official website of U.S. Citizenship and Immigration Services (USCIS), an agency within DHS. When we tried the second link, departmentimmigration[.]life, we were greeted with a 403 Forbidden response, meaning that the server understood the request but refused to serve the resource to us.

    Because of this, we believe that this phishing campaign could be using a targeted technique often referred to as host-based cloaking or IP-targeted phishing. The phishing site examines where each request comes from and shows the malicious content only to visitors from a specific hostname, IP range, or even device fingerprint. Everyone else, such as security researchers, automated scanners, or users outside the intended range, sees benign content, such as the official USCIS page or the 403 Forbidden message we viewed.

    How Host-Based Cloaking or IP-Targeted Phishing Works

    Targeted phishing campaigns zero in on a particular audience. Let’s take a closer look at how the attacker was able to reach their audience in this phishing campaign.

    1. IP or Hostname Filtering
    • The attacker configures the phishing site to check each visitor's source IP address, and sometimes the hostname returned by a reverse-DNS lookup or the country a GeoIP database maps the address to.
    • If the IP matches a targeted range (e.g., a corporate network, a specific ISP, or residential blocks in the target country), the site serves the phishing page.
    • If the visitor comes from an unknown or non-targeted location, including the address ranges of well-known security vendors and cloud providers, they see a harmless page, a redirect to the legitimate site, or an error.
    2. User-Agent and Fingerprinting
    • Attackers may also filter on browser details (User-Agent, Accept-Language, screen size, JavaScript capabilities) or other fingerprinting techniques, so that headless browsers and URL-scanning bots never receive the lure.
    • Because the decision is made server-side on every request, a URL can look clean when a sandbox detonates it yet deliver the phishing page to the intended victim minutes later.

    Since one of the links redirected to the legitimate site and the other returned a 403, the most likely explanation is that these sites filter visitors by origin. A single 403 is not proof on its own, because hosting providers return the same status for suspended or not-yet-configured sites; re-requesting the URL from a different network with a mainstream browser User-Agent and comparing the responses is the usual way to confirm cloaking.
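To make the gating logic concrete, here is an added example written for this article; it is not INKY's code and not the kit used in this campaign, whose actual rules are unknown. It models the two decisions described above, a source-IP range check and a User-Agent check, and then shows the defender's counterpart: requesting the same URL from several vantage points and treating divergent responses as a cloaking indicator. The target network ranges, scanner User-Agent markers, and response bodies are constructed for illustration, and the probe calls the gate function directly so the whole thing runs offline.

```python
"""Host-based cloaking: an illustrative gate and a multi-vantage probe.

Added example for this article, not INKY's code and not the kit used in the
DHS campaign. Target ranges, scanner User-Agent markers, and responses are
constructed for illustration.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass

# Constructed: address ranges the operator wants to reach (a real kit might
# load an ISP's prefixes, a target company's egress addresses, or GeoIP data).
TARGET_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed: User-Agent fragments typical of crawlers, scanners and scripts.
SCANNER_UA_MARKERS = ("bot", "crawler", "spider", "curl", "wget",
                      "python-requests", "headlesschrome", "phantomjs")

# The real site the post observed as the decoy redirect target.
DECOY_REDIRECT = "https://www.uscis.gov/"


@dataclass(frozen=True)
class Visitor:
    """What the server learns from one request before any JavaScript runs."""
    ip: str
    user_agent: str
    accept_language: str = "en-US"


def gate(v: Visitor) -> tuple[int, str]:
    """Return (HTTP status, body or Location) the cloaked server would send.

    Scanner signatures are rejected first, so a scanner that happens to sit
    inside the targeted range still sees nothing interesting.
    """
    ua = v.user_agent.lower()
    if not ua or any(marker in ua for marker in SCANNER_UA_MARKERS):
        return 403, "Forbidden"                    # the .life behaviour INKY saw
    try:
        addr = ipaddress.ip_address(v.ip)
    except ValueError:
        return 403, "Forbidden"                    # garbage X-Forwarded-For etc.
    if not any(addr in net for net in TARGET_NETWORKS):
        return 302, DECOY_REDIRECT                 # the .info behaviour INKY saw
    if not v.accept_language.lower().startswith("en"):
        return 302, DECOY_REDIRECT                 # wrong audience: send to real site
    return 200, "LURE_PAGE"                        # placeholder for the phishing content


def probe(vantage_points: list[Visitor]) -> dict:
    """Defender's view: request the same URL from several vantage points.

    Identical requests that receive different responses depending only on
    the source network or User-Agent are the tell-tale sign of cloaking.
    """
    seen = {gate(v) for v in vantage_points}       # offline: call the gate directly
    return {"responses": sorted(seen), "cloaking_suspected": len(seen) > 1}


if __name__ == "__main__":
    print(probe([
        Visitor("203.0.113.7", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"),
        Visitor("203.0.113.7", "python-requests/2.31"),
        Visitor("8.8.8.8", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"),
    ]))
```

The ordering inside gate is the point worth noticing: the User-Agent check runs before the network check, so even a scanner operating from inside the victim's network gets the 403. That is why researchers confirming cloaking vary both the egress network (residential or in-country exits rather than cloud ranges) and the client fingerprint, and compare the full response set rather than a single fetch.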

    Best Practices: Guidance and Recommendations

    RECIPIENTS: Be wary of links and look closely at the domains. Official U.S. federal government domains end in .gov or .mil rather than .com or another suffix. In this case, it should have been a red flag to recipients that none of the sender email addresses, domains, or links ended in .gov or .mil.

    SITE OWNERS: Protect your domain. It is important that we all play a responsible role in managing our domains to prevent them from being hijacked. Best practices include:

    • Monitor Domain Expiry Dates: Renew on time, consider multi-year registration and a registrar lock, and keep registrant contact details current so bad actors cannot acquire your lapsed domains.
    • Implement SPF, DKIM, and DMARC: These email authentication protocols let receivers reject mail that does not come from your authorized servers. They only stop spoofing once the records are enforced: an SPF record ending in -all and a DMARC policy of quarantine or reject, with aggregate reports (rua) enabled so you can see who is sending as you.
    • Regularly Audit DNS Settings: Check that records are correct, remove dangling entries that point at services you no longer control, and alert on unauthorized changes.
    • Use Domain Monitoring Services: These can alert you if your domain or subdomains are being misused.
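The "Misconfigured SPF, DKIM, and DMARC" bullet earlier and the "Implement SPF, DKIM, and DMARC" recommendation above both hinge on what a weak record actually looks like. The following is an added example written for this article, not INKY's tooling: it audits SPF and DMARC TXT record strings for the gaps that let a domain be spoofed (no record at all, a permissive or neutral all mechanism, p=none, a partial pct, unprotected subdomains, too many DNS lookups). It works on strings you supply, for example the output of `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com`, so it runs offline. DKIM is not covered because its public keys live under per-selector names that have to be fetched separately. The sample records at the bottom are constructed, not real domains' data.

```python
"""Audit SPF and DMARC TXT records for the gaps phishers exploit.

Added example for this article, not INKY's code. It evaluates record strings
you already hold (e.g. from `dig +short TXT example.com`), so it runs
offline. The sample records below are constructed, not real domains' data.
"""
from __future__ import annotations
import re

# SPF mechanisms/modifiers that cost a DNS lookup under RFC 7208 (limit: 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _split_term(term: str) -> tuple[str, str]:
    """Return (qualifier, mechanism name) for an SPF term, e.g. '~all' -> ('~', 'all')."""
    qualifier = "+"                                   # RFC 7208: default qualifier is pass
    if term and term[0] in "+-~?":
        qualifier, term = term[0], term[1:]
    name = re.split(r"[:/=]", term, maxsplit=1)[0].lower()
    return qualifier, name


def audit_spf(record: str | None) -> list[str]:
    """Return weaknesses found in an SPF record; an empty list means none found."""
    if not record:
        return ["no SPF record: any host may claim to send for this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["malformed SPF record: does not start with v=spf1"]
    parsed = [_split_term(t) for t in terms[1:]]
    findings: list[str] = []

    alls = [q for q, name in parsed if name == "all"]  # first 'all' ends evaluation
    if not alls:
        findings.append("no 'all' mechanism: unlisted senders evaluate to neutral")
    elif alls[0] == "+":
        findings.append("'+all' authorizes every sender; SPF is effectively disabled")
    elif alls[0] == "?":
        findings.append("'?all' is neutral: forged mail neither passes nor fails")
    elif alls[0] == "~":
        findings.append("'~all' softfail: only effective if DMARC enforces quarantine/reject")

    if any(name == "ptr" for _, name in parsed):
        findings.append("'ptr' mechanism is deprecated and unreliable (RFC 7208 s.5.5)")

    lookups = sum(1 for _, name in parsed if name in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the limit of 10; receivers return permerror")
    return findings


def audit_dmarc(record: str | None) -> list[str]:
    """Return weaknesses found in a DMARC record; an empty list means none found."""
    if not record:
        return ["no DMARC record: receivers have no instruction for SPF/DKIM failures"]
    tags: dict[str, str] = {}
    for part in record.split(";"):                    # tag=value pairs separated by ';'
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["malformed DMARC record: missing v=DMARC1"]
    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid 'p' tag: receivers ignore the record")
    elif policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    pct = tags.get("pct", "100")                      # default is 100 percent
    if policy in ("quarantine", "reject") and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing messages")
    if tags.get("sp", policy).lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected although the domain itself is enforced")
    if "rua" not in tags:
        findings.append("no 'rua' address: you will not receive aggregate reports on who spoofs you")
    return findings


def audit_domain(spf: str | None, dmarc: str | None) -> dict[str, list[str]]:
    """Combine both audits; a domain is enforced only when both lists are empty."""
    return {"spf": audit_spf(spf), "dmarc": audit_dmarc(dmarc)}


# Constructed sample records: a weak posture, an enforced posture, and none at all.
SAMPLES = {
    "weak.example": ("v=spf1 include:_spf.mailhost.example ?all", "v=DMARC1; p=none"),
    "strong.example": ("v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
                       "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example"),
    "absent.example": (None, None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLES.items():
        print(domain, audit_domain(spf, dmarc))
```

Run against your own domains by pasting the TXT records in; the useful outcome is not the findings list itself but the distinction it draws: a record that exists is not the same as a record that is enforced, and a hijacker of one of the aged sender domains in this campaign benefits from exactly that gap.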

    Stay Phish-Free with INKY

    Brand impersonation is a common practice in phishing scams. However, every year phishing becomes more complicated, and the threats are more difficult to recognize. While we all must stay educated and aware, keeping your company safe from phishing threats is not something you can do on your own. You need an expert on your side.

    INKY's AI capabilities set it apart as a leader in email security. By leveraging email rendering and computer vision, an approximate matching engine, QR code detection, and the social graph, INKY provides comprehensive protection against the ever-evolving landscape of email phishing threats. These advanced features ensure that businesses can safeguard their communications and maintain trust in their email systems.

    If you’re not working with INKY yet but are intrigued, please take a minute to set up a free demonstration to learn how INKY’s email security can keep you and your customers safe from phishing attacks, data breaches, ransomware, and more. Schedule a free demonstration or become a partner today.

    ----------------------

    INKY is an award-winning, behavioral email security platform powered by artificial intelligence/Gen AI, machine learning, and computer vision. INKY blocks phishing threats, prevents data leaks, and coaches users to make smart decisions. Like a cybersecurity coach, INKY signals suspicious behaviors with interactive email banners that guide users to take safe action on any device or email client. IT teams don’t face the burden of filtering every email themselves or maintaining multiple systems. Through powerful technology and intuitive user engagement, INKY keeps phishers out for good. Learn why so many companies trust the security of their email to INKY. Request an online demonstration today.


    1Source: https://www.pbs.org/newshour/show/how-the-trump-administrations-deportation-policies-have-affected-migrants-and-citizens