An interesting story laid out by “Abnormal Security” researchers describes how scammers managed to impersonate the State of Texas and send requests for quotation (RFQs) to vendors in order to receive free stuff. The hackers managed to bypass Proofpoint security and compromise the Office 365 platform to send out thousands of convincing emails that came from a “dshs.texas.gov” domain.
For the reply, they registered “finance-nycgov.us,” an obviously deceptive domain meant to impersonate nyc.gov. The registration was done through a VPN service, so the registrant’s IP address reveals nothing about who they are.
The email content is brief and to the point, asking vendors to send their quotations for 20 “HP Envy” laptops and 200 “WD 4TB Elements” external hard drives. The specs of the laptop are top-range, of course, involving an Intel i7-1065G7, 12GB of RAM, and 512 GB SSD.
The crooks also accept substitutes such as Apple, Dell, or Lenovo products, so as not to turn away vendors who don’t sell HPs. The quote has an expiration date of October 6, 2020, which creates a sense of urgency for the salespeople who receive the RFQ.
Besides the email address, which is spoofed, the actors are using the actual Texas Health and Human Services logos, so everything appears to be in place. Even an experienced sales department could have fallen for this, as the RFQ really looks legitimate.
If a vendor replies, the conversation moves to the look-alike “nyc.gov” domain, so the actual Texas State officials never learn of it. From there, the hackers can build trust with the salesperson and convince them to ship either the full order or samples of it.
By the time the vendors realize the fraud, the damage will have reached tens of thousands of USD, and there will be no way to figure out who was behind the impersonation attack. This is just one example involving the State of Texas, but thousands of emails of this kind circulate every day.
If you are a salesperson, do the following: instead of calling the phone number given in the RFQ, look up the number of the agency that supposedly sent the email and check whether it matches. Then call that number and confirm the RFQ with the person responsible.