An ongoing phishing campaign that targets U.S. government contractors has grown in scope and is now pushing more effective lures and documents.

These phishing emails entice victims by offering them the chance to submit bids for lucrative government projects. This leads them to phishing web pages that are imitations of authentic federal agency portals.

The threat actors are using attached PDFs that contain instructions on how to complete the bidding procedure for projects funded by the US Department of Labor. This is the same operation that INKY wrote about in January 2022.

The operators have increased their target list and are now impersonating the Department of Transportation and the Department of Commerce, according to a report by Cofense.

More lures are now being utilized in the messages, phishing websites behave better, and artefacts that indicated fraud in earlier iterations of the attached PDFs have been removed.

The various lures used for each case of spoofed department (Cofense)

Polishing a high-quality campaign

The phishing actors behind this effort carefully revised their methods in order to improve upon what they had already accomplished.

Cofense notes that, starting with the phishing emails, the messages now have more standardized formatting and larger logos, and prefer to link to the PDF rather than attach the actual file.

The first and second pages of new PDFs used in the campaign (Cofense)

The PDF files used to feature technical material and thorough instructions on how to place a bid. They are now more streamlined and compact, with more pronounced branding and a link to the phishing website.

Additionally, the PDFs previously all had the same signer, “edward ambakederemo,” but now the documents’ metadata corresponds to the spoofed department. For instance, “WisDOT” is used to sign lures purportedly delivered by the Wisconsin Department of Transportation.

The phishing websites have also seen targeted improvements, such as implementing HTTPS on all web pages inside the same domain.

To make them seem authentic when accessed from mobile browsers that can’t show the entire length in the URL bar, threat actors now employ very lengthy domains like “transportation[.]gov[.]bidprocure[.]secure[.]akjackpot[.]com”, in addition to the “.gov” sites that previously served the campaign.
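A defender-side check for the long-hostname trick described above, as an added example (not code from Cofense or from the original article): it flags hosts where a label such as "gov" sits to the left of an unrelated registrable domain. The inline suffix set, the 30-character URL-bar width, the benign sample and all function names are assumptions of this sketch.

```python
from urllib.parse import urlsplit

# Assumption: tiny inline set of multi-label public suffixes; production code
# should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}
TRUSTED_LABELS = {"gov", "mil"}   # labels that imply an official US site
MOBILE_BAR_CHARS = 30             # assumed width of a left-anchored mobile URL bar


def hostname_of(value):
    """Refang ('[.]', 'hxxp') and return the lower-cased hostname."""
    value = value.strip().replace("[.]", ".").replace("hxxp", "http", 1)
    if "://" not in value:
        value = "//" + value      # let urlsplit treat a bare host as netloc
    return (urlsplit(value).hostname or "").rstrip(".")


def registrable_domain(host):
    """Simplified eTLD+1: last two labels, or three for a known 2-label suffix."""
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def assess(value):
    host = hostname_of(value)
    reg = registrable_domain(host)
    # Labels to the left of the registrable domain are attacker-controlled.
    sub = host[: -len(reg)].rstrip(".").split(".") if host != reg else []
    embedded = [label for label in sub if label in TRUSTED_LABELS]
    official_tld = host.rsplit(".", 1)[-1] in TRUSTED_LABELS
    return {
        "host": host,
        "registrable": reg,
        "embedded_trusted": embedded,
        # Trusted-looking label in the subdomain part of a non-official domain.
        "suspicious": bool(embedded) and not official_tld,
        # True when the real domain would fall outside the assumed visible bar.
        "truncated": len(host) > MOBILE_BAR_CHARS,
    }


if __name__ == "__main__":
    samples = [  # first value is the one quoted in the article; second is a benign comparison
        "hxxps://transportation[.]gov[.]bidprocure[.]secure[.]akjackpot[.]com/bid",
        "https://www.transportation.gov/",
    ]
    for s in samples:
        print(assess(s))
```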

On the phishing page that aims to fool users into entering their Microsoft Office 365 account credentials, threat actors have now added a Captcha challenge step in order to prevent the recording of bot inputs.


The campaign’s operators are broadening their target audience and honing their lures at the same time, suggesting that they won’t be stopping anytime soon.

It’s challenging to spot the symptoms of fraud given the emails, PDFs, and websites utilized in this phishing campaign. These are essentially replicas of the original content from requests for bids and state procurement portals.

According to Cofense, given the improvements exhibited in every step of the phishing chain, the threat actors behind these operations are expected to keep innovating and improving upon their already convincing tactics.

If you’re not convinced, try looking up the URLs online, because many of these long-running campaigns have published indicators of compromise that verify their fraudulence.