Emails claiming to come from the agency and contractor CSID might be after money, U.S. secrets or both, say experts.
This story was updated July 2 to include details from DHS.
A Department of Homeland Security crisis response squad is cautioning about deceitful emails that claim to come from either the Office of Personnel Management or the fraud-prevention firm hired to protect identities netted in the gargantuan hack at OPM.
A DHS U.S. Computer Emergency Readiness Team advisory, issued late June 30, mirrors warnings from security experts in June about the risks of OPM’s email notification strategy.
After disclosing that Social Security numbers of 4.2 million past and current federal employees had been compromised, OPM instructed affected personnel to visit a nongovernment website and enter personal information for ID theft assistance.
The firm, CSID, to the chagrin of experts, then emailed affected personnel the same instructions from its own commercial address, email@example.com, not one with a trusted dot-gov suffix.
The immediate prediction was that ID thieves would mimic OPM or CSID, direct federal employees to credential-stealing sites and revictimize the feds.
Now, US-CERT appears to be acknowledging a similar problem. Or perhaps, the situation is an extension of the original, years-in-the-making espionage campaign that allegedly is a Chinese military operation, cyber researchers say. The OPM attackers clinched not only Social Security numbers and basic ID information, but an undisclosed number of background check investigations on individuals who can get their hands on classified intelligence.
"US-CERT is aware of phishing campaigns masquerading as emails from the Office of Personnel Management (OPM) or the identity protection firm CSID. For those affected by the recent data breach, the legitimate domain used for accessing identity protection services is https://opm.csid.com," yesterday's advisory states.
Those two sentences are the extent of the government's description of the schemes.
Analysts say the threat could be a broad-brush campaign spamming people who have dot-gov email addresses or people identified as government workers on mailing lists. The phishing emails then bait them to reply with personal information or visit a website that steals their credentials.
"It would be pretty easy to target these emails to dot-gov email addresses," said Johannes Ullrich, dean of research at the SANS Technology Institute, a cybersecurity training center.
It's unclear whether ID thieves are preying on feds fearful that they have been victimized by the OPM breach or whether the OPM cyberspies are at it again.
"Could be either," Ullrich said. "But more likely ID thieves."
DHS spokesman S.Y. Lee declined to clarify the nature of the threat. "I don't have anything to add to what US-CERT released," he said.
Ullrich rated the chances "very likely" that the high-profile hack is being leveraged to orchestrate phishing attacks, "either by the original actors or by someone else taking advantage of the situation."
As of Wednesday afternoon, the Sans Internet Storm Center, which monitors the public Web for abnormal activities, had not yet seen any fraudulent websites or emails that appear to be exploiting feds victimized by the OPM hack. Nor had phishing emails purporting to come from OPM or CSID been forwarded to the center for analysis.
"Most likely, recipients who recognize these emails as phishing would not forward them to us, but to US-CERT or their internal agency instead -- as they should," Ullrich said.
DHS has added a detail to the phishing alert. Illegitimate Web domains masked as official websites play a part in the sketchy email operation, according to a brief amendment. Homeland Security's "US-CERT is aware of suspicious domain names that may be used in phishing campaigns masquerading as official communication from the Office of Personnel Management (OPM) or the identity protection firm CSID," the updated notice states.
The bulletin does not provide examples of the bogus websites, but reminds users the legit site aiding OPM breach victims is https://opm.csid.com.