The OPM emails are not specifically targeting those hit by the breach.

Cybercriminals attempting to place Locky ransomware are posing as Office of Personnel Management (OPM) employees to con their victims into opening their phishing email and its malware-laden attachment.

However, despite this somewhat ingenious ploy to play upon knowledge of the massive OPM hack that took place in 2015, Brendan Griffin, PhishMe's threat intelligence manager, said the email messages are severely flawed. The emails tell recipients that suspicious activity is taking place in one of their bank accounts and that the problem has to be addressed immediately. The email signature contains a name, phone number and an address purportedly from OPM in Washington, D.C., and the message carries a .zip attachment containing a JavaScript application that can install Locky.
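As an added defender-side example (not code from the article or from PhishMe), the check below inspects a .zip attachment in memory and flags members that Windows would hand to the script host when double-clicked, including deceptive double extensions such as "notice.pdf.js" and scripts hidden one zip deeper. The sample archives and their contents are constructed here, not taken from the campaign.

```python
import io
import posixpath
import zipfile

# Extensions that Windows executes via the Windows Script Host or shell on
# double-click; a .zip whose payload is one of these matches the dropper
# pattern described in the article (a JavaScript file inside a .zip).
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                     ".hta", ".cmd", ".bat", ".ps1"}
MAX_DEPTH = 2  # bound recursion so nested archives cannot exhaust resources


def suspicious_members(zip_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member names that are scripts (directly or via a double
    extension) or that sit inside a nested zip, as 'outer.zip/inner.js'.
    Returns [] for bytes that are not a valid zip."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return []
    hits = []
    for info in zf.infolist():
        name = info.filename
        ext = posixpath.splitext(name.lower())[1]  # last extension only
        if ext in SCRIPT_EXTENSIONS:
            hits.append(name)
        elif ext == ".zip" and depth < MAX_DEPTH:
            inner = suspicious_members(zf.read(info), depth + 1)
            hits.extend(f"{name}/{i}" for i in inner)
    return hits


def should_quarantine(zip_bytes: bytes) -> bool:
    """Mail-gateway decision: quarantine if any script member was found."""
    return bool(suspicious_members(zip_bytes))


def build_sample(members: dict[str, bytes]) -> bytes:
    """Build a small in-memory zip for the constructed samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments; the contents are harmless placeholders.
LURE = build_sample({"OPM_account_notice.pdf.js": b"// placeholder, not malware"})
BENIGN = build_sample({"statement.pdf": b"%PDF-1.4 placeholder"})

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        print(label, suspicious_members(blob), should_quarantine(blob))
```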

"However, the email message really missed the mark," Griffin told SC Media in an email. "The OPM isn't really likely to be notifying people of 'suspicious movement' in their bank account."

Even though the OPM name is being used as evidence of its legitimacy, those being targeted are not government employees and the only way they might be one of the 21.5 million affected by the OPM breach would be by accident, Griffin said. He also does not believe the email addresses used for the phishing attack were taken during the OPM breach, but came from another source.

"They're doing a particular calculus to find a way to maximize the infection rate," he said. "They may expect that with the vast number of people affected by the OPM incident, they're likely to reach at least some of that group with these emails. They also expect that other people will also be willing to engage with the emails' attachments and also become victimized by the Locky ransomware. This is a win-win scenario for the threat actor."