Security researchers at Shreshta IT, using our threat intelligence platform SDINET, have identified a phishing website targeting the Indiana Department of Workforce Development (DWD) automated self-service Unemployment Insurance system.
About the Indiana Department of Workforce Development (DWD)
Uplink is the name of the Indiana Department of Workforce Development’s automated self-service Unemployment Insurance system.
The Uplink Claimant Self-Service System enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims. 1
Phishing page impersonating DWD – gov[.]indianuplinks[.]online
Threat Indicators
- The domain name was registered by PDR Ltd d/b/a PublicDomainRegistry.com
- Domain name registration date – 12-01-2023
- The website domain name resolves to the IP address 198.12.125.130
- The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
- The phishing website has links that redirect to the official website of the Indiana State Government (in.gov/dwd)
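The indicators above can be matched against resolver or proxy logs. The following is an added example, not part of the original report: it checks constructed log lines against the reported domain and IP address, and also flags the naming pattern the phishing domain uses (a "gov" label on a non-.gov domain, and a service name outside in.gov). The log format, the brand tokens and the in.gov allow-list are assumptions made for the illustration.

```python
# Indicators from this report, kept defanged in source and refanged at match time.
IOC_DOMAINS = {"gov[.]indianuplinks[.]online"}
IOC_IPS = {"198.12.125.130"}
LEGIT_SUFFIX = "in.gov"               # assumption: the real service sits under in.gov
BRAND_TOKENS = ("uplink", "indiana")  # assumption: tokens picked for this example

# Constructed resolver log lines: timestamp, client, queried name, answer.
SAMPLE_LOG = """\
2023-02-01T09:12:01Z 10.0.0.21 www.in.gov 203.0.113.10
2023-02-01T09:12:07Z 10.0.0.35 gov.indianuplinks.online 198.12.125.130
2023-02-01T09:13:40Z 10.0.0.35 uplink-claims.example.net 203.0.113.77
2023-02-01T09:14:02Z 10.0.0.48 cdn.example.org 198.12.125.130
"""

def refang(value):
    return value.replace("[.]", ".").lower()

def is_under(host, domain):
    return host == domain or host.endswith("." + domain)

def classify(host, ip):
    """Return the reasons a (queried name, resolved IP) pair looks suspicious."""
    host = host.lower().rstrip(".")
    reasons = []
    if any(is_under(host, refang(d)) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    if ip in IOC_IPS:
        reasons.append("ioc-ip")
    if not is_under(host, LEGIT_SUFFIX):
        labels = host.split(".")
        # "gov" appears as a label although the real TLD is something else
        if "gov" in labels[:-1] and labels[-1] != "gov":
            reasons.append("gov-label-on-non-gov-tld")
        if any(tok in host for tok in BRAND_TOKENS):
            reasons.append("brand-token-outside-in.gov")
    return reasons

def scan(log_text):
    """Return (client, host, reasons) for every well-formed line that matches."""
    hits = []
    for parts in map(str.split, log_text.splitlines()):
        if len(parts) == 4 and (why := classify(parts[2], parts[3])):
            hits.append((parts[1], parts[2], why))
    return hits

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The IP address belongs to a hosting provider, so an "ioc-ip" hit on its own is a weak signal, and the "gov" label heuristic will also match legitimate country-code government domains unless they are allow-listed.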
Phishing website – Links to ‘forget username’ and ‘forget password’ don’t work
- The website prompts the user to enter the email address and password to ‘Sign in’ and ‘New User Registration’.
- However, the ‘forget Username?’ and ‘forget Password?’ links are non-existent.
The phishing website accepts incorrect login credentials and redirects to a two-factor authentication page
Image – screenshot of the login section in the phishing webpage
- The website doesn’t show an error when the user enters incorrect login credentials
- The user is redirected to a two-factor authentication page
The two-factor authentication page accepts incorrect access codes and redirects users to the phishing page
Image – Screenshot of gov[.]indianuplinks[.]online/auth[.]php page of the phishing website
- The webpage falsely indicates to the user that an access code will be sent
- When the user enters any (incorrect) access code, the webpage redirects the user back to the main phishing webpage
- The ‘GetCode’ and ‘GoBack’ buttons reload the same page
Motive:
The attackers created the phishing website targeting the Indiana Department of Workforce Development to harvest the Personally Identifiable Information (PII) of the user:
- Complete name and address
- Social Security Number
- Personal Identification (demographics such as date of birth, etc.)