USPS Employees Get Fake USPS Phishing Emails, Too
Here's an inside peak at what happens next.
Postal Service personnel, who, like all of us, receive bogus emails claiming to be from the USPS, have a few ways of dealing with the threats that are sometimes part of mass spam campaigns and occasionally hack attempts targeted at feds.
An exchange of emails among users of the U.S. government's Web content managers listserv highlights the desire to keep tabs on the motives in play.
A couple of years ago, listerv users, including "From: @USPSOIG.GOV,” wrote about receiving malicious Postal Service emails. The Postal Service IG recipient asked other government Web managers to send similar emails for record-keeping purposes. In reply, listserv user "From: @US.ARMY.MIL" forwarded one such bogus message that he or she received.
The government provided Nextgov with the listserv messages in response to an open records request, after redacting the individuals’ names.
The exchange transpires as follows:
From: @USPSOIG.GOV>
Date: Friday, May 18, 2012 11:00
Subject: Re: [CONTENT-MANAGERS-L] Any USPS members on the list?
To: CONTENT-MANAGERS-L@LISTSERV.GSA.GOV
Hi -
I'm with USPS-OIG.
There are a series of malicious spam, phishing scheme and/or virus
emails going around masked as coming from USPS. I actually
received some myself sent to my Yahoo account.
. . .Can you please send [the message you received] to me and I'll pass it along to our
Hotline? They are keeping a log.
Thanks,
---------------------------------------------
Follow us on http://twitter.com/OIGUSPS
Subject: Re: Any USPS members on the list?
From: @US.ARMY.MIL>
Reply-To:
Date: Fri, 18 May 2012 11:06:23 -0400
I sent the text (without the attachment for obvious reasons) in another email. Sorry that I couldn't see the extension on the file (.zip) originally (obviously a spammer) or I wouldn't have bothered the list.
Meanwhile I am proud of myself for recognizing it and not opening it.
Current USPS inspector general officials tell Nextgov this is not standard modus operandi.
The way they understand it, no one in their office directed the apparent Web manager to collect emails from colleagues governmentwide.
"That's not our practice" to log emails, said Gary Barlet, chief information officer for the USPS IG.
The IG's office sometimes shares dubious emails purporting to be from the USPS with the Postal Service corporate information security officer, but does not save them.
USPS CISO officials said they never received the suspect .zip file.
"We don’t keep track of all spam emails coming into us unless we get over a few hundred of them," or they target agency personnel directly, said Rickey Branning, technical service manager for the USPS CISO.
"Our internal USPS users are trained to send spam messages into the USPS Computer Incident Response Team or move them to a junk mail folder," he said.
If the threat is "internal to us, we provide the message to Symantec," the antivirus firm, to find commonalities among the emails that can be used to detect and stop similar assaults, Branning said.
If the emails are aimed at USPS customers, the agency posts a banner message on USPS.com warning of the spam, he said.
Security measures taken by listserv member "From: @US.ARMY.MIL” could not be confirmed.
"Without more context and the ability to verify this is an Army webmaster or employee, it is difficult to comment,” Army spokeswoman Margaret McBride said. “An army.mil address could be from anyone across the Army or from a retiree or family member."