Phishing targeting Indiana Department of Workforce Development

Threat researchers at Shreshta have identified a phishing campaign targeting the Indiana Department of Workforce Development (DWD) automated self-service Unemployment Insurance system.

About the Indiana Department of Workforce Development (DWD)

Uplink is the name of the Indiana Department of Workforce Development’s automated self-service Unemployment Insurance system.

The Uplink Claimant Self-Service System enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims. 1

Phishing page impersonating DWD – gov[.]indianuplinks[.]online

Image – screenshot of phishing website gov[.]indianuplinks[.]online

Threat Indicators
  • The domain name was registered by PDR Ltd d/b/a PublicDomainRegistry.com
  • Domain name registration date – 12-01-2023
  • The website domain name resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The phishing website has links that redirect to the official website of the Indiana State Government (in.gov/dwd)

Phishing website – Links to ‘forget username’ and ‘forget password’ don’t work

Image – screenshot of the login section in the phishing webpage

  • The website prompts the user to enter an email address and password for ‘Sign in’ and ‘New User Registration’.
  • However, the ‘forget Username?’ and ‘forget Password?’ links are non-existent.

The phishing website accepts incorrect login credentials and redirects to a two-factor authentication page

Image – screenshot of the login section in the phishing webpage

  • The website doesn’t show an error when the user enters incorrect login credentials
  • The user is redirected to a two-factor authentication page

The two-factor authentication page accepts incorrect access codes and redirects users to the phishing page

Image – Screenshot of gov[.]indianuplinks[.]online/auth[.]php page of the phishing website

  • The webpage falsely indicates to the user that an access code will be sent
  • When the user enters any (incorrect) access code, the webpage redirects the user back to the main phishing webpage
  • The ‘GetCode’ and ‘GoBack’ buttons simply reload the same page
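
The indicators above can be swept against DNS and proxy logs. The following is an added example, not code from Shreshta or from the original report: it refangs the published indicators and classifies log lines, flagging requests to the fake two-factor page separately. The log layout, the sample lines and the function names are constructed for illustration.

```python
import re

# Indicators as published on this page, kept defanged in source.
IOC_DOMAINS = ["gov[.]indianuplinks[.]online"]
IOC_IPS = ["198.12.125.130"]
TWO_FA_PATH = "/auth.php"  # refanged from auth[.]php

HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def refang(indicator):
    """Convert a defanged indicator back to its matchable form."""
    s = indicator.strip().lower()
    return s.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")

def parent(host):
    """Last two labels. Enough for .online; multi-label suffixes need a PSL."""
    return ".".join(host.rstrip(".").split(".")[-2:])

DOMAINS = {refang(d) for d in IOC_DOMAINS}
PARENTS = {parent(d) for d in DOMAINS}

def classify(line):
    """Return the set of indicator types seen in one log line."""
    hits = set()
    for host in HOST_RE.findall(line):
        host = host.lower()
        if host in DOMAINS:
            hits.add("domain")
        elif parent(host) in PARENTS:
            hits.add("sibling-host")  # other hostnames under the same registration
    if any(ip in IOC_IPS for ip in IP_RE.findall(line)):
        hits.add("ip")
    # Per the report the login form redirects to this page, so a hit here
    # suggests the user got past the fake login (an inference; triage first).
    if hits & {"domain", "sibling-host"} and TWO_FA_PATH in line.lower():
        hits.add("reached-2fa-page")
    return hits

# Constructed sample lines; the log layout is an assumption.
SAMPLE = [
    "2024-01-15T09:02:11Z dns 10.0.0.7 A gov.indianuplinks.online 198.12.125.130",
    "2024-01-15T09:02:40Z proxy 10.0.0.7 POST http://gov.indianuplinks.online/auth.php 200",
    "2024-01-15T09:05:02Z proxy 10.0.0.9 GET http://www.indianuplinks.online/ 200",
    "2024-01-15T09:06:30Z proxy 10.0.0.9 GET https://www.in.gov/dwd/ 200",
    "2024-01-15T09:07:12Z proxy 10.0.0.4 CONNECT 198.12.125.130:443 200",
]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(sorted(classify(entry)), entry)
```

The IP address belongs to a hosting provider (AS36352), so an IP-only hit may be unrelated traffic to another tenant and should be weighted lower than a domain hit.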
Motive:

The motive of the attackers for creating the phishing website targeting the Indiana Department of Workforce Development is to harvest the Personally Identifiable Information (PII) of the user:

  • Complete name and address
  • Social Security Number
  • Personal Identification (demographics such as date of birth, etc.)