Hello again readers! As you may already know, last evening the Office of Personnel Management (OPM) admitted they sustained a data breach where they "lost 4 million records". In reality the number is probably much higher than that and the attack probably did not actually possess a "never before seen level of sophistication" or use a "previously unknown zero day attack" or any of the other "it is not our fault" mumbo jumbo that is usually seen after a data breach is admitted publicly.
However, this blog post is not going to cover any of that, instead it is going to focus on two phishing emails I received last night that were possibly related to my own information being compromised in the breach, as my personal information is held by OPM as I was in the DoD (as a member of the US Air Force) and still currently hold a security clearance. (NOTE: I have not been notified that any of my information was compromised, and it could be completely unrelated. But...I mean....come on)
The phishing starts....
Last night I received two phishing emails that were related to "my Navy Federal Credit Union account". This is interesting because although I have indeed served in the military, I do not have any accounts with Navy Federal Credit Union at all.
|Two emails received from "Navy Federal"|
The first email was received at 19:05:07 and the second was received at 19:53:17, so in less than an hour I had two phishing attempts. Once again, I cannot definitively say that it is related to the OPM breach, but the timing is suspect, to say the least.
Email 1: Your Account Statements is Now Avaliable
This was the first email that I received, with typical spelling errors and grammatical mistakes. As I have stated many times in the past, a "sophisticated" phishing email is one with no misspelled words or grammatical errors. This is clearly NOT in the sophisticated category. The link redirects to the domain "http://rudivervoort[.]be/SP/", which clearly does not seem to be legitimate for the Navy Federal Credit Union website. The email address is listed as "firstname.lastname@example.org", which is also NOT the domain of Navy Federal Credit Union. UPDATE: The url in the email is now listed on virustotal as well!
|Email with some grammar and spelling issues highlighted|
|Email header information|
|VirusTotal results from link in email|
Email 2: Account Review Notice!
This email was sent later and is crafted a little bit better than the first. There are no spelling errors, although there are quite a few grammatical errors. Analysis of the email header shows it "originated" in the same Canadian IP addresses as the first phishing email, which may suggest they were related. The redirect link is a shortened URL, which should not happen in a legitimate email from your banking institution. In fact, the URL is shown on VirusTotal as malicious (already!). The email address this time around is listed as "Nfcu_navyfederal@net2.com". The first email address, in my opinion, was better.
|Email header information|
|VirusTotal results on link in email|
Regardless of whether these emails are actually related to the OPM breach or not, it does highlight the importance of taking some safety precautions to avoid falling for phishing emails:
- Always ensure you read an email thoroughly. Look out for spelling and grammar issues; if it seems strange, it probably is
- Hover over links before clicking on them
- Better yet, do not click on ANY link from your bank, credit card company, shipping company, etc. Log into the website of your service provider directly if you get an "important message" from them
|A very timely Dilbert comic strip. Retrieved June 5, 2015 from http://dilbert.com/strip/2005-08-12|