Phishing website targeting Indiana Department of Workforce Development

Phishing campaign targeting Indiana Department of Workforce Development’s (DWD) Uplink

On the 21st of January, security researchers at Shreshta uncovered a phishing website impersonating the Indiana Department of Workforce Uplink website. During further investigation, we discovered a more extensive phishing campaign.

Newly registered domain names or recently registered domains can be a potential security risk for organisations. They are often used to host phishing, malware, and other malicious content.

By monitoring or blocking NRDs, enterprises can eliminate the risk of cyber threats posed by NRDs.

About the Indiana Department of Workforce Development’s (DWD) Uplink

Uplink is the name of the Indiana Department of Workforce Development’s automated self-service unemployment insurance system.

The Uplink claimant self-service system enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims. [1]

Phishing website of Indiana Department of Workforce Development (DWD)

Image – screenshot of the www[.]gov[.]indianauplink[.]site phishing website

Image – screenshot of the login section of the www[.]gov[.]indianauplink[.]site phishing website

Image – screenshot of the login section in the phishing webpage

Image – screenshot of the www[.]gov[.]indianauplink[.]site/auth.php page of the phishing website, showing two-factor authentication

Threat Indicators

  • The domain name www[.]gov[.]indianauplink[.]site was registered by PDR Ltd. d/b/a PublicDomainRegistry.com
  • Domain name registration date – 08-01-2023
  • The website domain name resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The website accepts any login credentials, regardless of their legitimacy.
  • The phishing website has links that redirect to the official website of the Indiana State Government [1]

Phishing website of Indiana Department of Workforce

Image – screenshot of the www[.]uplink[.]gov-in[.]in phishing website

Image – screenshot of the login section of the www[.]uplink[.]gov-in[.]in phishing website

Image – screenshot of the login section in the phishing webpage

Image – screenshot of the https://www[.]uplink[.]gov-in[.]in/CSSLogon.html/Logon2FA page of the phishing website, showing the two-factor authentication

Threat Indicators

  • The domain name www[.]uplink[.]gov-in[.]in was registered by Own Web Solution Pvt. Ltd.
  • Domain name registration date – 11-01-2023
  • The domain name www[.]uplink[.]gov-in[.]in resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The phishing website has links that redirect to the official website of the Indiana State Government [1]
  • The phishing website accepts false login details at random and redirects the user to the two-factor authentication page
  • The phishing website www[.]uplink[.]gov-in[.]in is an improvement over the prior one, www[.]gov[.]indianauplink[.]site, using error displays to convince the user they are accessing a legitimate site
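
As an added example (not part of the original report), the traits listed in the threat indicators can be turned into a triage check for hostnames seen in DNS logs or an NRD feed: a gov-style token outside the real .gov TLD, the Uplink name embedded or lightly misspelled, and resolution to the reported IP address. The function names, the in.gov allow rule and the one-edit threshold are assumptions made for this example.

```python
import re

OFFICIAL_SUFFIX = "in.gov"          # assumption: official State of Indiana hosts sit under in.gov
BRAND = "uplink"                    # service name being impersonated
CAMPAIGN_IPS = {"198.12.125.130"}   # hosting IP reported above for both phishing sites

def refang(indicator):
    """Turn a defanged indicator such as www[.]example[.]com into a hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_hostname(host, resolved_ip=None):
    """Return the reasons a hostname matches the traits of this campaign."""
    host = refang(host)
    if host == OFFICIAL_SUFFIX or host.endswith("." + OFFICIAL_SUFFIX):
        return []                   # genuine state host, nothing to flag
    labels = host.split(".")
    tokens = [t for label in labels for t in re.split(r"[-_]", label) if t]
    reasons = []
    # "gov", "govs", "govt" ... used as a label or hyphen token outside the .gov TLD
    if labels[-1] != "gov" and any(t.startswith("gov") and len(t) <= 5 for t in tokens):
        reasons.append("gov-token-outside-.gov")
    # brand embedded in a token, one edit away from it, or split across two labels
    candidates = tokens + [a + b for a, b in zip(labels, labels[1:])]
    if any(BRAND in c or edit_distance(c, BRAND) <= 1 for c in candidates):
        reasons.append("brand-lookalike")
    if resolved_ip in CAMPAIGN_IPS:
        reasons.append("campaign-ip")
    return reasons

if __name__ == "__main__":
    # Constructed sample: (hostname, resolved IP) pairs as they might come from DNS logs.
    sample = [
        ("www[.]gov[.]indianauplink[.]site", "198.12.125.130"),
        ("www[.]uplink[.]gov-in[.]in", None),
        ("www.in.gov", None),
        ("example.org", "192.0.2.10"),
    ]
    for host, ip in sample:
        print(refang(host), score_hostname(host, ip))
```

A hostname that returns two or more reasons is a strong candidate for blocking or analyst review; a single reason on its own is better treated as a lead to check against registration date and hosting.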

Motive

The motive of the attackers is to harvest the Personally Identifiable Information (PII) of the user:

  • Complete name and address
  • Social Security Number
  • Personal Identification (demographics such as date of birth, etc.)

Indicators of Compromise


Indicators of Compromise – domain names currently not resolving or content removed

