More than 450 workers at the United States Postal Service (USPS) lost more than $1 million in a direct deposit scam that left postal workers without pay, angry at the USPS for not heeding warnings of the scheme, and the agency scrambling to figure out exactly what happened.
What happened, according to a statement by the USPS quoted in a USA Today article, was the agency was "notified in December about an 'unusual log-in activity involving a limited number of employees.' In reality, cybercriminals had for months lured employees searching for their payroll system with a mirror-image-like website that reportedly tricked hundreds of employees into providing their usernames and passwords. The bad actors then used that information to sign in to the real system and reroute employees’ paychecks."
Jordan Fischer, Partner at Constangy and frequent instructor and speaker for SecureWorld, said the USPS incident shows that attacks are not always sophisticated or technical, and that humans are still the weakest link when it comes to cybersecurity. Fischer said:
"The USPS matter is an example of how challenging it is to remove the human from cybersecurity. This was a not an incredibly technical attack. It was an old-school use of mirrored websites and social engineering to get USPS employees to enter their information into a fraudulent website. A key aspect of any cybersecurity preparedness will continue to be educating your workforce and monitoring spoofs of your business or operations for scams like this. And this is, sadly, an example of why both of those are so critical."
Fischer will be teaching a PLUS training course titled "Operationalizing Privacy Laws into Your Organization" on June 7 as part of the SecureWorld Chicago conference. On June 8, she will lead a panel discussion on "The Future of Privacy and Cyber: AI, Quantum and Mind Readers," joined by Monique Ferraro, Cyber Counsel, HSB Insurance; Karen Painter Randall, Partner and Chair, Cybersecurity Data Privacy and Incident Response, Connell Foley LLP; and Violet Sullivan, VP of Client Engagement, Redpoint Cyber.
We reached out to a few cybersecurity vendor experts for their thoughts on the direct deposit scheme.
Randy Watkins, CTO at Critical Start, said:
"This attack is an unfortunate example of exploitation of lacking foundational security controls. Multi-factor authentication would have likely prevented most, if not all, of these paychecks from being rerouted by preventing the attacker from logging into the employee account. Additionally, anomalous login alerts went uninvestigated by a likely under-resourced security team. Without the budget for additional technology, or the headcount to investigate and respond to alerts, user awareness training can help users recognize phishing emails and spoofed websites."
Teresa Rothaar, Governance, Risk, and Compliance Analyst at Keeper Security, said:
"More than 80 percent of breaches happen because of weak or stolen passwords, credentials and secrets, which is why it's crucial to have robust cybersecurity protections in place. In this case, the bad actors lured their victims to illegitimate websites to steal their login credentials, then used that information to access their accounts through the real payroll website.
The fact that Postal authorities were notified about this issue several months ago, but apparently took no action, is of particular cause for concern.
Bad actors at all levels are tailoring phishing scams, using aesthetic-based tactics such as phony but realistic-looking email templates and malicious websites, to lure victims. Often, innocent people who are not trained on phishing prevention will focus on the 'pinstripes' of the email or illegitimate site, meaning the aesthetics that they are familiar with, such as the logo or colors of their banking site. Cybercriminals spend a lot of time making 'lookalike' sites appear authentic so that users are tricked into entering login credentials.
Using a password manager such as Keeper can help users avoid phony lookalike websites. This is because the password manager won't automatically autofill your credentials if the URL doesn't exactly match the record stored in your vault—making you aware that the site you’re on could be spoofed.
USPS implemented multi-factor authentication (MFA) after the attack, but it was too little, too late. MFA is a critical second layer of security that should always be enabled when available. Authenticator apps, SMS codes, WebAuthn, and security devices such as Passkey or Yubikey are a few of the options available for MFA. This is particularly important for sensitive sites like payroll services, which store personal financial information.
USPS workers should err on the side of caution and assume that all of their work-related (and even personal) passwords have been compromised—especially if they reuse the same passwords across accounts (a big no-no, and this situation illustrates why). We recommend using strong, unique passwords for every website and account. This means passwords that are at least 12 characters long and use a random mixture of upper and lowercase letters, numbers, and special characters. Those passwords should be stored in a password manager to provide easy access while creating another layer of security to protect against bad actors."
Mike Parkin, Senior Technical Engineer at Vulcan Cyber, said:
"This looks like a relatively classic attack on the users where they're duped into providing their credentials to a malicious website, and the attackers then use those credentials to access the real website as the victim. Attacks like this are one of the main reasons multi-factor authentication should be a requirement for any kind of site that deals with finances, medical information, or any other kind of sensitive user data. Even low-grade MFA is better than nothing, while better implementations can prevent the vast majority of this kind of attack. It's actually kind of stunning that such a major government employer as the Postal Service doesn't require it."