OPM Hack Update, Part 2

Over a month has elapsed since the public was informed of the largest data hack in U.S government history. In the four (4) weeks it has been offline, the OPM said it has upgraded its security. The agency further enhanced password protections, secured the transmission of data within the application, and implemented additional protections against external threats. OPM has also promised at least three (3) years of credit monitoring and identity theft protection to the affected people.

With major incidents in recent months including the Sony attack, cyber attacks against the health care provider Anthem that compromised the records of some 80 million people, attacks against State Department and White House networks from suspected Russian government-linked hackers, and an Iranian-backed cyber attack against the Sands casino in Las Vegas, it is impossible to let your guard down. The best protection for hack victims ( you!) is to learn how to spot deception in emails, phone calls, and social interactions. “Every government employee, every victim, and every immediate family member of a victim need the training to recognize potential threats emerging from the compromised information,” advises a report on the hack’s national security ramifications by the Institute for Critical Infrastructure Technology.

Put these General Security Tips into daily practice so you do not become another statistic. Below you will find red flags to spot for and how to determine if the source is legitimate:

1. Phishing scam type 1. An official OPM or CSID message that includes a malicious link or malicious attachment. The message will try to convince the victim to click on the link or open the attachment, thereby infecting their system with a Trojan capable of stealing additional information and granting an attacker backdoor access into the system. Malicious attachments can be almost any file type including Microsoft Office documents or Adobe PDF files. To be certain that these emails are legitimate, check the domain name. Emails from CSID (the contractor currently providing identity management protection services to victims of the first cyber-attack until mid-August 2015) should only come from https://opm.csid.com —so the email should look like name@csid.com (the text following after the @ symbol is the domain name).
   In addition, Valeo Networks would like to point out that official emails from government officials are typically digitally signed. How to spot this:

    

   1. Look for the red ribbon icon in your email which shows that an email is signed.
   2. Check to see if the digital signature is trusted by an official Certificate Authority. Typical government digital certificates are authorized by a DoD Root CA.
2. Phishing scam 2: credential phishing. An attacker attempts to get a user to divulge login or other sensitive information. Credential phishing can use fraudulent websites designed to look like webmail or other account logins. They can also simply request that users reply to an email with the requested information. Additionally, attackers might even use text messages or phone calls to attempt to get account or other sensitive information from users.
3. Phishing scam 3: impersonating co-worker or close person. Scammers would impersonate as someone in your company and may even spoof the email so it looks exactly like the domain name. If the email looks suspicious, check the message headers of the email and see where the email is coming and/or contact your IT.
4. Domain names that look legit but use similar looking letters.  One example on Wikipedia: a person frequenting Citibank.com may be lured to click a link in which the Latin C is replaced with a Cyrillic С.
5. Embedded images in emails. Even though viewing the phishing email alone is generally not enough to infect a system or compromise information, loading images embedded in emails can give attackers or advertisers information about whether the email address is legitimate, and whether you received and viewed an email. Best practices recommend that you do not load images embedded in emails from untrusted sources.
6. Executable files inside a zip as a PDF or Office document.
7. Macros in a specific document.

Don’t be a victim to cyberattacks!

Valeo Networks (Valeo Networks) is a Managed Services Provider that can help protect your organization. Contact one of our IT regional offices, California (805) 222-4977 or Florida (321) 604-6165 or check out our website for a full list of our offered services.

Resources

OnGuard Online: https://www.onguardonline.gov/phishing

OpenDNS Phishing Project: https://www.opendns.com/