Convincing Social Security Phish

I received this email a few days ago to the email address associated with my social security online account. I didn’t dig deep into the sender or where the link would lead me but knew I should check my social security account and see how it’s looking. I finally had time to look today, brought up this email and, since I trust nothing in any email, looked at where the link would lead me before I’d click on it. Whoa! Thank goodness I did! This email looks quite convincing. The only giveaways that it’s fraudulent are the link and the sender. Here’s a look at the email:

Seeing that it was a phish, I took a look at the headers. I see it was sent from a domain that has a DMARC record but the policy is “none”. While I applaud Gmail and Yahoo in requiring a DMARC policy for emails sent to them, it’s sad that the companies that set up records to comply with this requirement are leaving their policy at “none”. What makes it worse is that the DMARC record doesn’t contain a contact for messages that fail DMARC. This means this domain does not care a whit about security. They only have a record to comply with Yahoo and Gmail. I wonder if they could change their policy so that if a sending domain has a “none” policy and no contacts for feedback, the emails can be rejected like they do for those with no DMARC record, because with this setup you may as well have no DMARC record. Here’s the pertinent section of the email headers:
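To make the point above concrete, here is a small checker (added for this post, not something from the original or from any DMARC tool) that parses a DMARC TXT record and flags the combination described: a “p=none” policy with no “rua” or “ruf” reporting addresses, which monitors nothing and enforces nothing. The record strings and the example.com addresses in it are constructed for illustration; the sending domain’s real record is not reproduced here.

```python
"""Assess a DMARC TXT record: does it enforce anything, and does anyone get reports?"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    policy: Optional[str]
    subdomain_policy: Optional[str]
    aggregate_reports: List[str]   # rua= URIs
    forensic_reports: List[str]    # ruf= URIs
    findings: List[str] = field(default_factory=list)

    @property
    def effectively_useless(self) -> bool:
        """p=none with nowhere to send failure reports: equivalent to no record at all."""
        return (self.policy == "none"
                and not self.aggregate_reports
                and not self.forensic_reports)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tags are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def _report_uris(value: str) -> List[str]:
    # rua/ruf carry a comma-separated list of URIs, normally mailto: addresses
    return [u.strip() for u in value.split(",") if u.strip()]


def assess_dmarc(record: str) -> DmarcAssessment:
    tags = parse_dmarc(record)
    findings: List[str] = []

    if tags.get("v", "").upper() != "DMARC1":
        findings.append("v= tag is not DMARC1; receivers will ignore the record")

    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none: receivers are asked to deliver failing mail anyway")
    elif policy in ("quarantine", "reject"):
        # pct= below 100 applies the policy to only a sample of failing mail
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    rua = _report_uris(tags.get("rua", ""))
    ruf = _report_uris(tags.get("ruf", ""))
    if not rua and not ruf:
        findings.append("no rua= or ruf=: nobody receives failure reports")

    return DmarcAssessment(policy, tags.get("sp"), rua, ruf, findings)


# Constructed sample records (not the phisher's real record).
SAMPLE_RECORDS = {
    "monitor-only, no reporting": "v=DMARC1; p=none",
    "monitor-only, with reporting": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; ruf=mailto:abuse@example.com",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{label}: policy={a.policy} useless={a.effectively_useless}")
        for f in a.findings:
            print("   -", f)
```

The first sample record is the situation described in the post: it satisfies a “has a DMARC record” check while asking receivers to deliver failing mail and telling no one that it failed. The second is still non-enforcing but at least gives the domain owner visibility into who is spoofing them, which is the intended first step toward “quarantine” or “reject”.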

I loaded up the website in a VM and saw it’s definitely malicious. The only thing it did was start a download of a .exe file. When opened, it went through a setup process for . Here are screenshots of the download and what came up when the file was run.

So, watch out for phishing emails posing as social security statement notifications! It makes me want to see where my social security is sitting right now. How much longer before I can retire?

–Matt
