Phishing website targeting Indiana Department of Workforce Development

Phishing campaign targeting Indiana Department of Workforce Development’s (DWD) Uplink

On 21 January, security researchers at Shreshta uncovered a phishing website impersonating the Indiana Department of Workforce Development's Uplink website. During further investigation, we discovered a more extensive phishing campaign.


About the Indiana Department of Workforce Development (DWD)

Uplink is the name of the Indiana Department of Workforce Development's automated self-service unemployment insurance system.

The Uplink claimant self-service system enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims.[1]

Phishing website #1 - www[.]gov[.]indianauplink[.]site impersonating DWD

Image – screenshot of www[.]gov[.]indianauplink[.]site phishing website

The "forget username" and "forget password" links on the phishing website www[.]gov[.]indianauplink[.]site are non-functional.

Image – screenshot of www[.]gov[.]indianauplink[.]site phishing website's login section

The phishing website www[.]gov[.]indianauplink[.]site accepts false login details and redirects to a two-factor authentication page.

Image – screenshot of the login section in the phishing webpage

The two-factor authentication page on www[.]gov[.]indianauplink[.]site accepts a false access code.

Image – screenshot of the www[.]gov[.]indianauplink[.]site/auth.php page of the phishing website

Threat Indicators

  • The domain name www[.]gov[.]indianauplink[.]site was registered with PDR Ltd. d/b/a PublicDomainRegistry.com
  • Domain name registration date – 08-01-2023
  • The domain name resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The website accepts any login credentials, regardless of their legitimacy
  • The phishing website has links that redirect to the official website of the Indiana State Government [1]

Phishing website #2 - www[.]uplink[.]gov-in[.]in impersonating DWD

Image – screenshot of www[.]uplink[.]gov-in[.]in phishing website

The "forget username" and "forget password" links on the phishing website www[.]uplink[.]gov-in[.]in are non-functional.

Image – screenshot of www[.]uplink[.]gov-in[.]in phishing website's login section

Image – screenshot of the login section in the phishing webpage

The two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept a false access code.

Image – screenshot of the https://www[.]uplink[.]gov-in[.]in/CSSLogon.html/Logon2FA page of the phishing website

Threat Indicators

  • The domain name www[.]uplink[.]gov-in[.]in was registered with Own Web Solution Pvt. Ltd.
  • Domain name registration date – 11-01-2023
  • The domain name www[.]uplink[.]gov-in[.]in resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The phishing website has links that redirect to the official website of the Indiana State Government [1]
  • The phishing website accepts false login details at random and redirects the user to the two-factor authentication page
  • The phishing website www[.]uplink[.]gov-in[.]in is an improvement over the earlier www[.]gov[.]indianauplink[.]site, using error displays to convince the user they are accessing a legitimate site
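
A detection sketch for the lookalike pattern the two sites share (brand words spelled with i/l swaps, dropped letters and inserted dots, a "gov" label under a non-.gov TLD, both hosted on 198.12.125.130), added here as an example and not part of Shreshta's report: it folds hostnames from a resolver log onto a normalised form and flags both the imitation and the known hosting IP. The legitimate FQDN uplink.in.gov and the four-column log format are assumptions, and the sample log lines are constructed.

```python
import re
LEGIT_HOST = "uplink.in.gov"          # assumed real portal FQDN (the report does not state it)
KNOWN_BAD_IPS = {"198.12.125.130"}    # hosting IP the report gives for both phishing sites
BRAND_TOKENS = ("uplink", "indiana")  # brand words the report's lookalike domains are built from
_FOLD = str.maketrans({"1": "l", "i": "l", "-": "", ".": ""})

def fold(host: str) -> str:
    """Collapse look-alike spellings: lowercase, drop 'www.', map i/1 to l, strip dots and
    hyphens, squeeze repeated letters (uplink, upiink, up.ink, uplnk, up.lnk -> 'uplnk')."""
    host = host.lower().removeprefix("www.")
    return re.sub(r"(.)\1+", r"\1", host.translate(_FOLD))

def is_lookalike(host: str) -> bool:
    """Imitation test: a folded brand word in a host that is not the real FQDN, or a 'gov'
    label under a non-.gov TLD (gov-in.in, gov-t.in, gov.<x>); also flags e.g. gov.uk."""
    h = host.lower().removeprefix("www.")
    if h == LEGIT_HOST or h.endswith("." + LEGIT_HOST):
        return False
    labels = h.split(".")
    if labels[-1] != "gov" and any("gov" in lab for lab in labels[:-1]):
        return True
    folded = fold(h)
    return any(fold(tok) in folded for tok in BRAND_TOKENS)

def scan_dns_log(lines):
    """Parse 'timestamp client qname answer' lines; return (qname, answer, reasons) per hit."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        _ts, _client, qname, answer = parts
        reasons = []
        if is_lookalike(qname):
            reasons.append("lookalike-hostname")
        if answer in KNOWN_BAD_IPS:
            reasons.append("known-phishing-ip")
        if reasons:
            alerts.append((qname, answer, reasons))
    return alerts

# Constructed resolver log: hostnames from the report; other values made up (RFC 1918/5737).
SAMPLE_LOG = """\
2023-01-21T10:02:11Z 10.0.4.17 www.gov.indianauplink.site 198.12.125.130
2023-01-21T10:05:43Z 10.0.4.22 uplink.in.gov 203.0.113.10
2023-01-21T10:07:09Z 10.0.4.31 up.ink.gov-in.in 198.12.125.130
2023-01-21T10:09:55Z 10.0.4.40 mail.example.com 192.0.2.25
2023-01-21T10:12:30Z 10.0.4.17 uplnk.gov-in.in 203.0.113.77
""".splitlines()
```

Calling scan_dns_log(SAMPLE_LOG) yields three hits: two on the known hosting IP and one lookalike-only host that has moved to another address.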

Motive

The motive of the attackers is to harvest the Personally Identifiable Information (PII) of the user:

  • Complete name and address
  • Social Security Number
  • Personal identification details (demographics such as date of birth, etc.)

Indicators of Compromise


Indicators of Compromise – domain names currently not resolving or content removed

