Cyber-Criminals Spoof Texas Government

Written by

Cyber-criminals have tried to receive free goods by posing as the Texas government and emailing out Requests for Quotes (RFQs).

The multi-layered email attack, in which threat actors pretended to be from the Texas Department of State Health Services, was discovered by researchers at Abnormal Security

"If unsuspecting salespersons were to respond to this initial request, attackers could establish a line of communication and eventually follow-through with the requested goods," noted researchers. 

Using what appears to be a genuine government purchase order, the attackers attempted to obtain products worth hundreds of thousands of dollars without handing over a penny.

Attackers addressed an email to the sales department, expressing intent to purchase 20 laptops and 200 external hard drives. Attached to the email was a fake order form that featured a convincing phone number and billing address. 

"Although this purchase order contains a government billing address, the government entities will not receive payment from the fraudulent vendor," noted researchers. "The attackers' goal is to retrieve merchandise, and later profit from the resale of the stolen goods."

To obfuscate their true location and identification, the attackers leveraged several convincing domains and masked their true location by using a VPN service. 

"The email appears to be sent from a domain, while the reply-to is from," observed researchers. "Finance-nycgov.usa is a domain that was registered just 2 months ago (07/06/2020) to a resident in Washington State and is an impersonation of 

"In addition, the received-spf has a domain, and the IP originates from a VPN service based out of Denver, CO."

Careful attention had been paid by the attackers to the fine details. The deceptive email included the genuine logo of Texas Health and Human Services, and the request appeared to be sent by John William Hellerstedt, MD, the genuine commissioner of Texas Health. 

Researchers noted: "The phone number provided is not associated with the 'bill to' address, although the area code is in Texas and does match the area code for the department of state health services phone number. This is a social engineering tactic aimed to engage recipients into requesting the ship to address, either by email or phone.”

What’s hot on Infosecurity Magazine?