Phishing website targeting Indiana Department of Workforce Development

Phishing campaign targeting Indiana Department of Workforce Development’s (DWD) Uplink

On the 21st of January, security researchers at Shreshta, had uncovered a phishing website impersonating the Indiana Department of Workforce Uplink website. During further investigations, we discovered a more extensive phishing campaign.

Get free access to Newly registered domain names (NRD) community feeds

Newly registered domain names or recently registered domains can be a potential security risk for organisations. They are often used to host phishing, malware, and other malicious content.

By monitoring or blocking NRDs, enterprises can eliminate the risk of cyber threats posed by NRDs.

Get no-cost access to our newly registered domain names(NRD) community feeds.

Download the free NRD community feeds

About Indiana Department of Workforce Development’s (DWD)

Uplink is the name of the Indiana Department of Workforce Development’s automated self-service unemployment Insurance system.

The Uplink claimant self-service system enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims.1

Image – screenshot of www[.]gov[.]indianauplink[.]site phishing website
The "forget username" and "forget password" links on the phishing website www.gov.indianauplink.site are non-functional
Image – screenshot of www[.]gov[.]indianauplink[.]site phishing websites login section
The phishing website www[.]gov[.]indianauplink[.]site accepts false login details and redirects to a Two-factor authentication page
Image – screenshot of the login section in the phishing webpage
The Two-factor authentication page on www[.]gov[.]indianauplink[.]site accepts false access code
Image – Screenshot of www[.]gov[.]indianauplink[.]site/auth.php page of the phishing website
Threat Indicators
  • The domain name www[.]gov[.]indianauplink[.]site was registered by PDR Ltd. d/b/a PublicDomainRegistry.com    
  • Domain name registration date – 08-01-2023
  • The website domain name resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The website accepts any login credentials, regardless of their legitimacy.
  • The phishing website has links that redirect to the official website of the Indiana State Government1
Phishing website #2 - www[.]uplink[.]gov-in[.]in impersonating DWD
Image – screenshot of www[.]uplink[.]gov-in[.]in phishing website
The "forget username" and "forget password" links on the phishing website www[.]uplink[.]gov-in[.]in are non-functional
Image – screenshot of www[.]uplink[.]gov-in[.]in phishing websites login section
The Two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept false access code
Image – screenshot of the login section in the phishing webpage
The Two-factor authentication page on www.uplink.gov-in.in does not accept false access code
Image – Screenshot of https://www[.]uplink[.]gov-in[.]in/CSSLogon.html/Logon2FA page of the phishing websites
Threat Indicators
  • The domain name www[.]uplink[.]gov-in[.]in was registered by Own Web Solution Pvt. Ltd.
  • Domain name registration date – 11-01-2023
  • The domain name www[.]uplink[.]gov-in[.]in resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The phishing website has links that redirect to the official website of the Indiana State Government1
  • The phishing website accepts false login details randomly and redirects the user to the two-factor authentication page
  • The phishing website www[.]uplink[.]gov-in[.]in is an improvement over the prior one www.gov.indianauplink.site, utilising error displays to convince the user they are accessing a legitimate site

Motive

The motive of the attackers is to harvest the Personally Identifiable Information (PII) of the user:

  • Complete name and address
  • Social Security Number
  • Personal Identification (demographics such as date of birth, Etc.)

Indicators of Compromise

indianuplinks[.]online
www.gov[.]indianuplinks[.]online
gov[.]indianuplinks[.]online
govs[.]indianuplinks[.]online
gov-in[.]in
up.ink.gov-in[.]in
upiink.gov-in[.]in
www.upiink.gov-in[.]in
up.lnk.gov-in[.]in
www.up.ink.gov-in[.]in
www.uplink.gov-in[.]in
uplnk.gov-in[.]in
uplink.gov-in[.]in
www.uplnk.gov-in[.]in
www.up.lnk.gov-in[.]in
www.upink.gov-in[.]in
upink.gov-in[.]in
uplink-gov-ui[.]in
mail.uplink-gov-ui[.]in
govs.indianauplink[.]site
www.gov.indianauplink[.]site
mail.indianauplink[.]site
indianauplink[.]site
www.govs.indianauplink[.]site
gov.indianauplink[.]site

Indicators of Compromise – domain names currently not resolving or content removed

in-uplink-gov[.]com
govs-claimant[.]online
uplink.in.gov-t[.]in
gov-t[.]in
www[.]upiink[.]ln[.]gov-t[.]in
www[.]uplink[.]in[.]gov-t[.]in
upiink[.]ln[.]gov-t[.]in
govs[.]indianaswork-forces[.]online
gov.indianaswork-forces[.]online
govt.indianaswork-forces[.]online
www[.]uplinkswork-ones.online[.]indianaswork-forces[.]online
indianaswork-forces[.]online
www.gov.indianaswork-forces[.]online
www.govns.indianaswork-forces[.]online
www.govs.indianaswork-forces[.]online
govn.indianaswork-forces[.]online
uplinkswork-ones.online.indianaswork-forces[.]online
mail.indianaswork-forces[.]online
govns.indianaswork-forces[.]online
www.govts.indianaswork-forces[.]online
www.govt.indianaswork-forces[.]online
www.govn.indianaswork-forces[.]online
govs.uplinkswork-ones[.]online
www.gov.uplinkswork-ones[.]online
uplinkswork-ones[.]online
www.indiana.uplinkswork-ones[.]online
gov.uplinkswork-ones[.]online
www.govs.uplinkswork-ones[.]online
indiana.uplinkswork-ones[.]online

Website | + posts