Shreshta Blog

We uncover badness.

Phishing website targeting Indiana Department of Workforce Development

Phishing campaign targeting Indiana Department of Workforce Development’s (DWD) Uplink

/ Threat Intelligence / By

On the 21st of January, security researchers at Shreshta IT, had uncovered a phishing website impersonating the Indiana Department of Workforce Uplink website. During further investigations, we discovered a more extensive phishing campaign.

About Indiana Department of Workforce Development’s (DWD)

Uplink is the name of the Indiana Department of Workforce Development’s automated self-service unemployment Insurance system.

The Uplink claimant self-service system enables users to receive improved customer service and reduces the time needed for processing unemployment insurance claims.1

Phishing page #1 – www[.]gov[.]indianauplink[.]site impersonating DWD
Image – screenshot of www[.]gov[.]indianauplink[.]site phishing website
The “forget username” and “forget password” links on the phishing website www[.]gov[.]indianauplink[.]site are non-functional
The "forget username" and "forget password" links on the phishing website www.gov.indianauplink.site are non-functional
Image – screenshot of www[.]gov[.]indianauplink[.]site phishing websites login section
The phishing website www[.]gov[.]indianauplink[.]site accepts false login details and redirects to a Two-factor authentication page
The phishing website www[.]gov[.]indianauplink[.]site accepts false login details and redirects to a Two-factor authentication page
Image – screenshot of the login section in the phishing webpage
The Two-factor authentication page on www[.]gov[.]indianauplink[.]site accepts false access code
The Two-factor authentication page on www[.]gov[.]indianauplink[.]site accepts false access code
Image – Screenshot of www[.]gov[.]indianauplink[.]site/auth.php page of the phishing website
Threat Indicators
  • The domain name www[.]gov[.]indianauplink[.]site was registered by PDR Ltd. d/b/a PublicDomainRegistry.com    
  • Domain name registration date – 08-01-2023
  • The website domain name resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The website accepts any login credentials, regardless of their legitimacy.
  • The phishing website has links that redirect to the official website of the Indiana State Government1
Phishing website #2 – www[.]uplink[.]gov-in[.]in impersonating DWD
Phishing website #2 - www[.]uplink[.]gov-in[.]in impersonating DWD
Image – screenshot of www[.]uplink[.]gov-in[.]in phishing website
The “forget username” and “forget password” links on the phishing website www[.]uplink[.]gov-in[.]in are non-functional
The "forget username" and "forget password" links on the phishing website www[.]uplink[.]gov-in[.]in are non-functional
Image – screenshot of www[.]uplink[.]gov-in[.]in phishing websites login section
The Two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept false access code
The Two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept false access code
Image – screenshot of the login section in the phishing webpage
The Two-factor authentication page on www[.]uplink[.]gov-in[.]in does not accept false access code
The Two-factor authentication page on www.uplink.gov-in.in does not accept false access code
Image – Screenshot of https://www[.]uplink[.]gov-in[.]in/CSSLogon.html/Logon2FA page of the phishing websites
Threat Indicators
  • The domain name www[.]uplink[.]gov-in[.]in was registered by Own Web Solution Pvt. Ltd.
  • Domain name registration date – 11-01-2023
  • The domain name www[.]uplink[.]gov-in[.]in resolves to the IP address 198.12.125.130
  • The IP address 198.12.125.130 belongs to AS36352 (ColoCrossing)
  • The phishing website has links that redirect to the official website of the Indiana State Government1
  • The phishing website accepts false login details randomly and redirects the user to the two-factor authentication page
  • The phishing website www[.]uplink[.]gov-in[.]in is an improvement over the prior one www.gov.indianauplink.site, utilising error displays to convince the user they are accessing a legitimate site
Motive

The motive of the attackers is to harvest the Personally Identifiable Information (PII) of the user:

  • Complete name and address
  • Social Security Number
  • Personal Identification (demographics such as date of birth, Etc.)
Indicators of Compromise

indianuplinks[.]online
www.gov[.]indianuplinks[.]online
gov[.]indianuplinks[.]online
govs[.]indianuplinks[.]online
gov-in[.]in
up.ink.gov-in[.]in
upiink.gov-in[.]in
www.upiink.gov-in[.]in
up.lnk.gov-in[.]in
www.up.ink.gov-in[.]in
www.uplink.gov-in[.]in
uplnk.gov-in[.]in
uplink.gov-in[.]in
www.uplnk.gov-in[.]in
www.up.lnk.gov-in[.]in
www.upink.gov-in[.]in
upink.gov-in[.]in
uplink-gov-ui[.]in
mail.uplink-gov-ui[.]in
govs.indianauplink[.]site
www.gov.indianauplink[.]site
mail.indianauplink[.]site
indianauplink[.]site
www.govs.indianauplink[.]site
gov.indianauplink[.]site

Indicators of Compromise – domain names currently not resolving or content removed

in-uplink-gov[.]com
govs-claimant[.]online
uplink.in.gov-t[.]in
gov-t[.]in
www[.]upiink[.]ln[.]gov-t[.]in
www[.]uplink[.]in[.]gov-t[.]in
upiink[.]ln[.]gov-t[.]in
govs[.]indianaswork-forces[.]online
gov.indianaswork-forces[.]online
govt.indianaswork-forces[.]online
www[.]uplinkswork-ones.online[.]indianaswork-forces[.]online
indianaswork-forces[.]online
www.gov.indianaswork-forces[.]online
www.govns.indianaswork-forces[.]online
www.govs.indianaswork-forces[.]online
govn.indianaswork-forces[.]online
uplinkswork-ones.online.indianaswork-forces[.]online
mail.indianaswork-forces[.]online
govns.indianaswork-forces[.]online
www.govts.indianaswork-forces[.]online
www.govt.indianaswork-forces[.]online
www.govn.indianaswork-forces[.]online
govs.uplinkswork-ones[.]online
www.gov.uplinkswork-ones[.]online
uplinkswork-ones[.]online
www.indiana.uplinkswork-ones[.]online
gov.uplinkswork-ones[.]online
www.govs.uplinkswork-ones[.]online
indiana.uplinkswork-ones[.]online

Pranay Patil
Website | + posts