As DHS issues new phishing alert, experts offer tips to feds

The Homeland Security Department is alerting federal employees and retirees to watch out for scammers trying to take advantage of the uncertainty around the massive data breach suffered by the Office of Personnel Management.

DHS’ U.S. Computer Emergency Readiness Team (US-CERT) warned in a June 30 notice that they are aware of “suspicious domain names that may be used in phishing campaigns masquerading as official communication from the Office of Personnel Management (OPM) or the identity protection firm CSID.”

DHS told employees and retirees only to use domains coming from https://opm.csid.com — the contractor providing identity management protection services to victims of the first cyber attack.

A request to DHS for more details on what federal employees and retirees should be on the look out for, and even examples of those domains, was answered with a simple statement from its spokesman.

Download our online chat with Col. Brandon Pearce, chief information security officer for the National Geospatial-Intelligence Agency.

Advertisement

“[T]he report speaks for itself. Nothing further to elaborate.”

US-CERT only has provided a link to guidance it released in 2009 on phishing attacks.

This leaves more than 4 million current and former feds wondering what should they be on the lookout for?

If most experts agree that the OPM hack wasn’t about traditional identity theft where hackers are after money or credit cards, but rather the attack was about espionage, then isn’t it incumbent for DHS to help the victims of the attack be smarter about what a possible targeted phishing attack may look like?

Federal News Radio asked cyber experts for their best practices and tips for federal employees and retirees to protect them in light of the silence from DHS.

Alma Cole, vice president for cybersecurity at Robbins Gioia and former director of the Department of Homeland Security’s Security Operations Center

How does President Trump's budget proposal impact your agency?

Alma Cole, vice president of cybersecurity, Robbins Gioia
Alma Cole, Robbins Gioia

What you need to know: Cole said with any type of phishing, viewing the email alone is generally not enough to infect a system or compromise information. As long as you don’t click a link, open an attachment or reply to the message there is no immediate risk. But, he warned, just loading images embedded in emails can give attackers or advertisers information about whether the email address is legitimate, and whether you received and viewed an email. In general, he said, it is recommended that you not load images embedded in emails from untrusted sources.

What you need to be on the lookout for: Cole said there are two types of phishing attacks he would expect federal employees and retirees to face.

Phishing scam 1: Cole said a common attack will masquerade as an official OPM or CSID message that will include a malicious link or malicious attachment. The message will try to convince the victim to click on the link or open the attachment, thereby infecting their system with a Trojan capable of stealing additional information and granting an attacker backdoor access into the system. Malicious attachments can be almost any file type including Microsoft Office documents or Adobe PDF files.

Recently, both targeted attackers and criminal organizations have used viruses that leverage Microsoft Office macros to infect systems. Because of advancements in Microsoft Office security, instead of automatically running Office macros, Microsoft now prompts users to see whether they want to enable macros to run in a specific document. If you ever see an Office macro trying to run after opening a file that came through your email, this is usually a very bad sign. If possible, you should alert your security team immediately. Attached viruses may also come inside compressed zip files. A favorite tactic is to disguise executable files inside a zip as a PDF or Office document.

Phishing scam 2: This is a more targeted attack called credential phishing. Cole said, in this case, an attacker attempts to get a user to divulge login or other sensitive information. Credential phishing can use fraudulent websites designed to look like webmail or other account logins. They can also simply request that users reply to an email with the requested information. Additionally, attackers might even use text messages or phone calls to attempt to get account or other sensitive information from users.

As with the previous type of phishing, users should be extremely cautious about following any links sent in email. When examining the sender of the email and the domain link, be sure to view the full email address or link, and focus on the actual domain name, which is the part just before the dot-com, dot-org or dot-gov to assure this matches the organization you think sent the email. In the case of the OPM incident, the legitimate emails should all be coming from the vendor that OPM has hired: CSID.com.

Rodney Joffe, a fellow and distinguished engineer at Neustar , who also has advised the White House on cybersecurity issues 

Rodney Joffe, senior vice president, Neustar
Rodney Joffe, Neustar

What you need to know: Joffe said these are not your run-of-the-mill hackers who stole huge troves of data from OPM. He said it’s very clear they are savvy and likely will not make the usual mistakes found in phishing emails, such as spelling errors or language errors. Joffe said phishing emails will include logos and other features that will be accurate and well rendered, adding to the challenge of identifying fake emails.

What you need to be on the lookout for: Since these are experienced hackers, they likely will attempt to use domain names and URLs that utilize alternate top level domains. Joffe said CSID.co is already registered by someone unknown, possibly someone with ill intentions. Other top level domains such as CSID.INFO and OPM-BREACH.COM were both still available. Joffe said he registered those domains to protect them from bad guys.

He said the government needs to think like the bad guys and take hold of the domains that could be used to redirect unsuspecting feds or retirees to malicious sites. Joffe said hackers also may use Internationalized Domain Names homograph attacks. He said this is already occurring where an attack will try to deceive users about what remote system they are communicating with by utilizing similar looking letters. One example on Wikipedia: a person frequenting Citibank.com may be lured to click a link in which the Latin C is replaced with a Cyrillic С.

John Pescatore, director of emerging security trends for the SANS Institute 

John Pescatore, SANS Institute
John Pescatore, SANS Institute

What you need to know: Cyber criminals are following a common pattern that once a major breach is reported, they target victims with bogus emails such as, “We apologize for the breach. Please click here to sign up for your free credit monitoring services.” Pescatore said the standard recommendation after a breach is that all official communication to impacted parties should be via physical snail mail and NOT via email. The only contact via email should be to tell those parties “We will not contact you via email after this … .”

Pescatore said federal employees generally have to work within the bounds of whatever email security controls and anti-phishing capabilities their agency has put in place. But retirees or home users should take advantage of anti-phishing capabilities that all browsers have these days. They can also use free services such as OpenDNS at home to have stronger protection against phishing attacks.

What you need to be on the lookout for: Pescatore said the best piece of advice he can offer is for employees and retirees to think before clicking on links in email, the same way you think about cigarette smoking. Just break the habit, or sooner or later bad things are going to happen. He also said change your passwords and don’t use the same ones for all your sites. He said, when possible, sign up for two-step verification that sends a text message to your phone.

Pescatore also pointed employees and retirees to SANS “OUCH!” newsletter, which details common phishing attacks and how users can protect themselves.