Cybercriminals attempting to deliver Locky ransomware are posing as Office of Personnel Management (OPM) employees to con their victims into opening their phishing email and its malware-laden attachment.
“However, the email message really missed the mark,” Griffin told SC Media in an email. “The OPM isn’t really likely to be notifying people of ‘suspicious movement’ in their bank account.”
Even though the OPM name is being used as a mark of legitimacy, those being targeted are not government employees, and the only way they might be among the 21.5 million affected by the OPM breach would be by accident, Griffin said. He also does not believe the email addresses used in the phishing attack were taken during the OPM breach; they came from another source.
“They’re doing a particular calculus to find a way to maximize the infection rate,” he said. “They may expect that with the vast number of people affected by the OPM incident, they’re likely to reach at least some of that group with these emails. They also expect that other people will also be willing to engage with the emails’ attachments and also become victimized by the Locky ransomware. This is a win-win scenario for the threat actor.”