Advisory: Increased targeted phishing of OK municipalities

Recently, we have had a sudden rise in reports of phishing and scams from OMAG member cities and towns.

These have been more sophisticated than the attacks that we are typically used to seeing. These attacks have used spoofing techniques that make them more difficult to detect, and language that only gives off subtle hints that it might be a scam.

We are worried that this uptick in attacks may be organized, though we are still investigating.

OMAG wants our members to be especially vigilant during this time, since a disruption in municipal services due to malware or extortion could be especially difficult during an election cycle and when preparing for the upcoming holidays.

Key points of advice are:

  1. Always be extremely careful when dealing with links in emails.

  2. Check carefully for misspellings or “typos” in domain names or email addresses that you are familiar with.

  3. If you aren’t expecting a file from someone, don’t open an attachment.

  4. If someone you know has sent you an email that you aren’t sure about, please contact them through a known phone number to ask them if the email is legitimate before opening the link or clicking the attachment.

This is by no means an exhaustive list of precautions.  As stated above, the attacks we have seen this week are more sophisticated, and I wanted to give an example of the pattern we saw.

Below I have excerpted a short template from an email that was maliciously sent out by an attacker who was able to spoof one of our cities this week:

Hello,

[CITY NAME] invites your firm to submit a proposal for the above-referenced services in accordance with this RFP package. 

See the attached document for detailed information : [MALICIOUS LINK GOING TO CANVA.COM ]

[…]Due to the size of some of the electronic RFP documents, Owner has uploaded them to the SharePoint” website.

Bidder can access the electronic RFP documents via this weblink: [SAME MALICIOUS LINK GOING TO CANVA.COM ]

(Please advise if there are any technical issues accessing these files)

The email this came from did not have any OBVIOUS signs of a spoofed email address, so we have to look carefully at the language used. The email uses “above-referenced” when there was nothing above that line other than “Hello,”. If this had been received as a reply to an already existing email chain, it might be more convincing. But its presence in a brand new email should be a dead giveaway that something is off. The use of “Owner” as if it were a proper name is also a clue that a template may have been used to create this phishing email, and they didn’t know who to put as the boss. This phishing email was polite, which is unfortunate for us because usually an urgent or threatening tone is an important clue that an email is phishing. There are other things, like referring to an attachment when the email only has links. That could be picked up as a clue that it came from a phishing template, yet it could also be written off as an honest mistake by someone writing a legitimate email to a large group. As we all learn the patterns better, the attackers are learning too.
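For mail administrators who want to triage reported messages for the same inconsistencies, the following is an added example (not OMAG tooling) that checks a raw message for the four clues described above. The sample message, its addresses, the URL path, and the `SHAREPOINT_DOMAINS` list are constructed assumptions, and the checks are heuristics that can also match honest mistakes.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the excerpt above; addresses and URL path are placeholders.
SAMPLE = """\
From: clerk@city.example
To: vendor@firm.example
Subject: Request for Proposal
Content-Type: text/plain; charset="utf-8"

Hello,

[CITY NAME] invites your firm to submit a proposal for the above-referenced services.
See the attached document for detailed information: https://www.canva.com/design/PLACEHOLDER
Due to the size of some of the documents, Owner has uploaded them to the SharePoint website.
"""

# Assumption: domain under which a genuine SharePoint link would be hosted.
SHAREPOINT_DOMAINS = ("sharepoint.com",)

def content_flags(raw):
    """Return the content inconsistencies found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    texts, has_attachment = [], False
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" or part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            data = part.get_payload(decode=True) or b""
            texts.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    body = "\n".join(texts)
    hosts = {urlparse(u).hostname or "" for u in re.findall(r"https?://[^\s\]>)]+", body)}
    is_reply = bool(msg["In-Reply-To"] or msg["References"])
    on_sharepoint = any(h == d or h.endswith("." + d) for h in hosts for d in SHAREPOINT_DOMAINS)
    flags = []
    if re.search(r"\battach(ed|ment)", body, re.I) and not has_attachment:
        flags.append("refers to an attachment but carries none")
    if re.search(r"\babove[- ]referenced\b", body, re.I) and not is_reply:
        flags.append("'above-referenced' in a message that starts a new thread")
    if re.search(r"sharepoint", body, re.I) and hosts and not on_sharepoint:
        flags.append("names SharePoint but links to " + ", ".join(sorted(hosts)))
    if re.search(r"(?<=[a-z,] )Owner\b", body):
        flags.append("unfilled template role word 'Owner'")
    return flags

if __name__ == "__main__":
    for flag in content_flags(SAMPLE):
        print("FLAG:", flag)
```

A message that raises several of these flags at once deserves the phone call described in this advisory; a single flag on its own is weak evidence.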

So please be especially cautious as the calendar leads up to the end of this year.  Try to recognize the patterns and use your best judgment.

When in doubt, getting in touch with someone on the phone through a known main number is still a very good way to try to confirm the legitimacy of an email.
