
Friday, June 5, 2015

Post OPM Breach...let the phishing begin!!

Hello again readers! As you may already know, last evening the Office of Personnel Management (OPM) admitted they sustained a data breach where they "lost 4 million records". In reality the number is probably much higher than that and the attack probably did not actually possess a "never before seen level of sophistication" or use a "previously unknown zero day attack" or any of the other "it is not our fault" mumbo jumbo that is usually seen after a data breach is admitted publicly. 

However, this blog post is not going to cover any of that. Instead it focuses on two phishing emails I received last night that were possibly related to my own information being compromised in the breach: OPM holds my personal information because I served in the DoD (as a member of the US Air Force) and I still currently hold a security clearance. (NOTE: I have not been notified that any of my information was compromised, and it could be completely unrelated. But...I mean....come on)

The phishing starts....

Last night I received two phishing emails that were related to "my Navy Federal Credit Union account". This is interesting because although I have indeed served in the military, I do not have any accounts with Navy Federal Credit Union at all. 

Two emails received from "Navy Federal"

The first email was received at 19:05:07 and the second was received at 19:53:17, so in less than an hour I had two phishing attempts. Once again, I cannot definitively say that it is related to the OPM breach, but the timing is suspect, to say the least.

Email 1: Your Account Statements is Now Avaliable

This was the first email that I received, with typical spelling errors and grammatical mistakes. As I have stated many times in the past, a "sophisticated" phishing email is one with no misspelled words or grammatical errors. This is clearly NOT in the sophisticated category. The link redirects to "http://rudivervoort[.]be/SP/", a domain which clearly is not legitimate for the Navy Federal Credit Union website. The sender address is listed as "", which is also NOT the domain of Navy Federal Credit Union. UPDATE: The URL in the email is now listed on VirusTotal as well!

Original email

Email with some grammar and spelling issues highlighted

Email header information

VirusTotal results from link in email

Email 2: Account Review Notice!

This email was sent later and is crafted a little bit better than the first. There are no spelling errors, although there are quite a few grammatical errors. Analysis of the email header shows it "originated" from the same Canadian IP address as the first phishing email, which suggests the two may be related. The redirect link is a shortened URL, which should never appear in a legitimate email from your banking institution. In fact, the URL is already flagged as malicious on VirusTotal. The sender address this time around is listed as "". The first email's sender address, in my opinion, was more convincing.

Original email

Grammar highlighted

Email header information

VirusTotal results on link in email

Whether or not these emails are actually related to the OPM breach, they highlight the importance of taking some basic precautions to avoid falling for phishing emails:

  • Always ensure you read an email thoroughly. Look out for spelling and grammar issues; if it seems strange, it probably is
  • Hover over links before clicking on them
  • Better yet, do not click on ANY link from your bank, credit card company, shipping company, etc. Log into the website of your service provider directly if you get an "important message" from them
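The checks walked through above (sender domain vs. the brand claimed in the display name, the originating relay in the Received chain, link domains and URL shorteners) can be scripted. The following is an added example, not code from the original post; the message is constructed here, using the reported rudivervoort.be link from the first email plus an assumed shortener list and the brand's real domain navyfederal.org.

```python
import email
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample, modelled on the first email described above: the
# display name claims "Navy Federal", the sender address does not, the
# first link is the page's reported domain, the second is a URL shortener.
SAMPLE_EML = """\
Received: from relay.example.invalid ([198.51.100.23]) by mx.example.net; Thu, 4 Jun 2015 19:05:07 -0400
From: "Navy Federal" <alerts@example-unrelated.invalid>
Subject: Your Account Statements is Now Avaliable
Content-Type: text/html

<p>Your statement is ready. <a href="http://rudivervoort.be/SP/">Log in</a></p>
<p><a href="http://bit.ly/abc123">Review your account</a></p>
"""

LEGIT_DOMAINS = {"navyfederal.org"}                      # the brand's real domain
SHORTENERS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com"}  # assumed short list

def registrable(host):
    """Crude eTLD+1: keep the last two labels (fine for .org/.be, not .co.uk)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def analyze(raw):
    """Return a list of phishing indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. The sender domain must match the brand named in the display name.
    sender = email.utils.parseaddr(msg["From"])[1]
    sender_domain = registrable(sender.split("@")[-1])
    if sender_domain not in LEGIT_DOMAINS:
        findings.append(f"sender domain {sender_domain} is not the brand's")
    # 2. The last Received header (earliest hop) names the originating relay.
    recv = msg.get_all("Received") or []
    ips = re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", " ".join(recv))
    if ips:
        findings.append(f"originating relay IP {ips[-1]} (check its geolocation)")
    # 3. Every link must land on the brand's domain; shorteners hide the target.
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for url in re.findall(r'href="([^"]+)"', body):
        host = urlparse(url).hostname or ""
        if registrable(host) in SHORTENERS:
            findings.append(f"shortened link {url} hides its destination")
        elif registrable(host) not in LEGIT_DOMAINS:
            findings.append(f"link host {host} is not the brand's domain")
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EML):
        print("-", f)
```

Run against a saved .eml file, every finding is a reason to log into the bank's site directly rather than follow the link; the geolocation lookup for the relay IP is left to the reader's usual tooling.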

A very timely Dilbert comic strip. Retrieved June 5, 2015 from


  1. why not report on virustotal, giving it a score ??

    1. Thanks for the comment, the domain from the first email is now up on virustotal as well.

  2. I agree that the phishing will increase with the OPM breach, but I don't think that the Navy FCU phishing emails are related. I've been getting phishing emails purporting to be the Navy FCU since January and I've never been employed by the federal government. One url that I ran through IBM X-Force had an IP in the United Kingdom and has been seen distributing malware since August 2014.

    1. Collin, I agree, it might be related, or it might not be, the timing does seem awfully suspect though. I (personally) have never gotten a NFCU phish before yesterday.

      One of the things that was brought up by a good friend of mine is a correlation of data between the OPM breach and the Adult Friend Finder breach, just to see how much overlap is actually there :)

  3. I've investigated a number of breaches caused by dedicated adversaries, as well as been privy to many more, and to be honest, there is nothing terribly "sophisticated" about the attacks. The issue comes from the fact that many times, the compromised organization will claim that the adversary brought "sophisticated hacking tools" such as at.exe with them...because the org certainly never installed it!

    1. Absolutely true. In my experience, out of every 100 cases, 2-3 are "sophisticated" and even those sometimes leverage the malware itself horribly (for example, I worked a case with some really good polymorphic malware, but the persistence mechanism was Current Version/Run and each time it was installed on a system it beaconed to a known IP address, so spotting infected systems was really easy. Much easier than it could have been).

      It's been a little over a week now and I saw this was apparently caught by a demo of a product. The saddest thing, in my opinion, is that if OPM had just looked at their own network, they probably would have caught it long ago. If more organizations and businesses did that on a regular basis (take the time to look and evaluate what data they do have and can collect) many of these data breaches would be discovered in a much more timely fashion.