Phishing targeting Indiana Department of Workforce Development

Security researchers at Shreshta IT, using our threat intelligence platform SDINET, have identified a phishing targeting Indiana Department of Workforce Development (DWD) automated self-service Unemployment Insurance system.

About Indiana Department of Workforce Development’s (DWD)

Uplink is the name of the Indiana Department of Workforce Development’s automated self-service Unemployment Insurance system.

The Uplink Claimant Self-Service System enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims. ¹

Phishing page impersonating DWD – gov[.]indianuplinks[.]online

Threat Indicators

• The domain name was registered by PDR Ltd d/b/a PublicDomainRegistry.com
• Domain name registration date – 12-01-2023
• The website domain name resolves to the IP address 198.12.125.130
• The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
• The phishing website has links that redirect to the official website of the Indiana State Government (in.gov/dwd)

Phishing website – Links to ‘forget username’ and ‘forget password’ don’t work

• The website prompts the user to enter the email address and password to ‘Sign in’ and ‘New User Registration’.
• However, the ‘forget Username?’ and ‘forget Password?’ links are non-existent.

The phishing website accepts incorrect login credentials and redirects to a Two-factor authentication page

Image – screenshot of the login section in the phishing webpage

• The website doesn’t show an error when the user enters incorrect login credentials
• The user is redirected to a two-factor authentication page

The two-factor authentication page accepts incorrect access codes and redirects users to the phishing page

Image – Screenshot of gov[.]indianuplinks[.]online/auth[.]php page of the phishing website

• The webpage falsely indicates to the user that an access code will be sent
• When the user enters any (incorrect) access code, the webpage redirects the user back to the main phishing webpage
• The ‘GetCode’ and ‘GoBack’ buttons reload to the same page again

Motive:

The motive of the attackers for creating the phishing website targeting the Indiana Department of Workforce Development is to harvest the Personally Identifiable Information (PII) of the user:

• Complete name and address
• Social Security Number.
• Personal Identification (demographics such as date of birth, Etc.)

+ posts

This author does not have any more posts.

Pranay Patil

Website | + posts

• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  Web shell – A primer
• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  The rise of phishing attacks targeting Adobe users in India
• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  HDFC Bank customers targeted by a sophisticated Phishing Scam
• Pranay Patil

  https://shreshtait.com/blog/author/pranay/

  Phishing Campaign targeting State Bank of India users