Threat Intelligence Blog

Posted July 22, 2011

A targeted scam or “Spear Phishing” attack making the rounds today invokes the National Security Agency and takes advantage of recent news about a hack of RSA’s two-factor security tokens. Cyveillance has now captured examples and reports of several variants of this email, most sent under the subject lines “Token Code Update” or “Security Token Update”. The message outlines a “critical vulnerability” in security tokens, and attempts to get users to click a link to what most likely was an executable download to infect their machine or network.

NSA Scam Email

The sender name is spoofed to appear to come from “” and the links go to, a domain that was just registered yesterday. This attack is a perfect example of how deeply spear-phishers understand the psychology of social engineering users. It invokes the authority of a respected and mysterious government agency, it uses fear of being hacked or getting “in trouble” at work to prompt action, and it takes advantage of current events in the form of the widely reported (i.e. verifiable fact) and recent RSA token hack. This is a potent cocktail of logic, emotion and authority to manipulate the user into a desired action, and is typical of today’s advanced Phishers.

Here are some of the tips that can help you spot scams like this one:

  • Supposed needs for patches, security updates and vulnerability fixes are a favorite technique of scammers and phishers. Even if the message appears to come from someone in your own company, treat all such requests as suspicious and verify with your IT team by voice or fresh email to the actual IT person who supports you.
  • Treat ANY email that tells you to download something as malicious until proven otherwise. Again, contact your IT team before installing anything on your system.
  • Hover (but do NOT click) your mouse over all links in the email. The true destination of the link will pop up next to your mouse pointer. If you’ve never heard of the site, treat it as dangerous. Does the site in the link address match the site in the sender’s email address? If it does not, be suspicious. Is the pop up destination different from the URL shown in the visible text of the email, what we call a bait-and-switch link? If so, this is a major warning.
  • Finally, any link that ends in .zip or .exe should be treated as extremely hazardous and not clicked on.

Additional Posts

Canadian Online Pharmacy, Meet Mexican Online Pharmacy

This week the Department of Justice announced that Google will forfeit $500M for "allowing online ...

A Five-Point Plan for Social Network Usage

If there’s any message you should take away about utilizing social media in a secure manner, it ...