“Not Today, ISIS!” Email Phishing Scams Directed At The Military Are Getting Sneakier

“Not Today, ISIS!” Email Phishing Scams Directed At The Military Are Getting Sneakier
by Scott Faith

At work earlier this week, I received a “very important” message from someone I didn’t know.  I could tell it was important because subject line said so, and the greeting was IN ALL CAPS.  You KNOW shit just got real if it’s in all caps:

/////

ATTENTION SCOTT FAITH,

Your account was been listed as possibly targeted during a recent cyber attack aimed at 585th Signal personnel.  In order to ensure that your personnel information has not been compromised copy the link below and paste it into your browser.

http://www.<redacted>******** <—I deleted the actual address so some idiot doesn’t click on it

Check the list of all affected users.  If your account was unsuccessful no further action is needed.  If you are in the compriseded users column please use the link provided to obtain further instructions.

The actions needs compelted NOW to avoid account lockout.

Donovan Mueller
Cyber Operations Specialist
585th Cyber Team
NIPR: donovan.mueller2.clr@mail.mll

/////

lol yeah I’ll get right on that, “Donovan.”  Not today, ISIS!

Now, I’m not going to point out all of the issues with this email, because I don’t want to help the bad guys improve their TTPs.  But I want to point out the tricky part:  the email address in the last line of the message.  Look at it closely.

NIPR: donovan.mueller2.clr@mail.mll

The .mll ending used by the attempted hackers very, very closely mimics the legit .mil domain used by the military.  In fact, because of the font we use in our emails and the small size on the screen, I didn’t even notice it at first.  What I did notice was… well, like I said, I’m not interested in helping the bad guys get better.  But I wanted to point out this technique, because I never saw it before in any of the scores of similar messages I regularly get.

It would be too easy for someone who was in a hurry, or simply wanting to do the right thing, to think that this was legitimate.  As confirmed by our security people after I forwarded them the message, it’s 100% bogus.

Cyber security is important.  It’s hard to keep the bad guys out, but let’s not make it easy for them.  Don’t let people rush you into sending information or trick you into clicking links or opening files.  Don’t follow links or open files that are sent to you by people you don’t know, and if something looks sketchy, get it reported–BEFORE you start bouncing around the Internet or opening up files of God-knows-what.  Cyber security, like all security, is a collective task for which we are ALL responsible.  Stay safe out there.