Phishing campaign targeting Indiana Department of Workforce Development’s (DWD) Uplink

On the 21st of January, security researchers at Shreshta, had uncovered a phishing website impersonating the Indiana Department of Workforce Uplink website. During further investigations, we discovered a more extensive phishing campaign.

Get free access to Newly registered domain names (NRD) community feeds

Newly registered domain names or recently registered domains can be a potential security risk for organisations. They are often used to host phishing, malware, and other malicious content.

By monitoring or blocking NRDs, enterprises can eliminate the risk of cyber threats posed by NRDs.

Get no-cost access to our newly registered domain names(NRD) community feeds.

Download the free NRD community feeds

About Indiana Department of Workforce Development’s (DWD)

Uplink is the name of the Indiana Department of Workforce Development’s automated self-service unemployment Insurance system.

The Uplink claimant self-service system enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims.¹

Phishing page #1 – www[.]gov[.]indianauplink[.]site impersonating DWD

The “forget username” and “forget password” links on the phishing website www[.]gov[.]indianauplink[.]site are non-functional

The phishing website www[.]gov[.]indianauplink[.]site accepts false login details and redirects to a Two-factor authentication page

The Two-factor authentication page on www[.]gov[.]indianauplink[.]site accepts false access code

Threat Indicators

• The domain name www[.]gov[.]indianauplink[.]site was registered by PDR Ltd. d/b/a PublicDomainRegistry.com    
• Domain name registration date – 08-01-2023
• The website domain name resolves to the IP address 198.12.125.130
• The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
• The website accepts any login credentials, regardless of their legitimacy.
• The phishing website has links that redirect to the official website of the Indiana State Government¹

Phishing website #2 – www[.]uplink[.]gov-in[.]in impersonating DWD

The “forget username” and “forget password” links on the phishing website www[.]uplink[.]gov-in[.]in are non-functional

The Two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept false access code

The Two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept false access code

Threat Indicators

• The domain name www[.]uplink[.]gov-in[.]in was registered by Own Web Solution Pvt. Ltd.
• Domain name registration date – 11-01-2023
• The domain name www[.]uplink[.]gov-in[.]in resolves to the IP address 198.12.125.130
• The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
• The phishing website has links that redirect to the official website of the Indiana State Government¹
• The phishing website accepts false login details randomly and redirects the user to the two-factor authentication page
• The phishing website www[.]uplink[.]gov-in[.]in is an improvement over the prior one www.gov.indianauplink.site, utilising error displays to convince the user they are accessing a legitimate site

Motive

The motive of the attackers is to harvest the Personally Identifiable Information (PII) of the user:

• Complete name and address
• Social Security Number
• Personal Identification (demographics such as date of birth, Etc.)

Indicators of Compromise

indianuplinks[.]online
www.gov[.]indianuplinks[.]online
gov[.]indianuplinks[.]online
govs[.]indianuplinks[.]online
gov-in[.]in
up.ink.gov-in[.]in
upiink.gov-in[.]in
www.upiink.gov-in[.]in
up.lnk.gov-in[.]in
www.up.ink.gov-in[.]in
www.uplink.gov-in[.]in
uplnk.gov-in[.]in
uplink.gov-in[.]in
www.uplnk.gov-in[.]in
www.up.lnk.gov-in[.]in
www.upink.gov-in[.]in
upink.gov-in[.]in
uplink-gov-ui[.]in
mail.uplink-gov-ui[.]in
govs.indianauplink[.]site
www.gov.indianauplink[.]site
mail.indianauplink[.]site
indianauplink[.]site
www.govs.indianauplink[.]site
gov.indianauplink[.]site

Indicators of Compromise – domain names currently not resolving or content removed

in-uplink-gov[.]com
govs-claimant[.]online
uplink.in.gov-t[.]in
gov-t[.]in
www[.]upiink[.]ln[.]gov-t[.]in
www[.]uplink[.]in[.]gov-t[.]in
upiink[.]ln[.]gov-t[.]in
govs[.]indianaswork-forces[.]online
gov.indianaswork-forces[.]online
govt.indianaswork-forces[.]online
www[.]uplinkswork-ones.online[.]indianaswork-forces[.]online
indianaswork-forces[.]online
www.gov.indianaswork-forces[.]online
www.govns.indianaswork-forces[.]online
www.govs.indianaswork-forces[.]online
govn.indianaswork-forces[.]online
uplinkswork-ones.online.indianaswork-forces[.]online
mail.indianaswork-forces[.]online
govns.indianaswork-forces[.]online
www.govts.indianaswork-forces[.]online
www.govt.indianaswork-forces[.]online
www.govn.indianaswork-forces[.]online
govs.uplinkswork-ones[.]online
www.gov.uplinkswork-ones[.]online
uplinkswork-ones[.]online
www.indiana.uplinkswork-ones[.]online
gov.uplinkswork-ones[.]online
www.govs.uplinkswork-ones[.]online
indiana.uplinkswork-ones[.]online