Phishing Scam: Email Spoofing

Scams

April 10, 2023

On April 8, the NJCCIC discovered several emails sent to New Jersey State employees using a spoofed sender email address impersonating the NJ Office of the Attorney General (OAG). In the observed campaign, communications appeared to be sent from the email address noreply[@]njoag[.]gov; however, the email originated from the hostname slot0[.]bustomshisoa[.]com. Spoofing techniques make phishing emails more difficult to detect as the user must analyze the email headers more closely to determine the true sender. Due to the use of spoofing, the messages in this campaign were blocked as they failed SPF checks and were rejected by DMARC policy.
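The header analysis described above can be sketched in code. This is an added example, not NJCCIC tooling: the sample message is constructed, every domain in it is a placeholder rather than the campaign's indicators, and the `analyze` function and its `trusted_authserv` parameter are hypothetical names.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample; placeholder domains, not the campaign's indicators.
SAMPLE = """\
Received: from slot0.sender.example (slot0.sender.example [203.0.113.25])
\tby mx.recipient.example with ESMTP id abc123; Sat, 08 Apr 2023 10:15:00 -0400
Authentication-Results: mx.recipient.example;
\tspf=fail smtp.mailfrom=noreply@agency.example;
\tdkim=none;
\tdmarc=fail (p=reject) header.from=agency.example
Return-Path: <noreply@agency.example>
From: "Office Notifications" <noreply@agency.example>
To: employee@recipient.example
Subject: Email Security Notification

Please confirm your email account.
"""

def analyze(raw, trusted_authserv):
    """Compare the visible From domain with what the receiving server recorded."""
    msg = message_from_string(raw)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # The topmost Received header is the one stamped by the receiving server.
    m = re.search(r"from\s+(\S+)", msg.get("Received", ""))
    relay = m.group(1).lower() if m else ""
    auth = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        # A sender can forge this header, so only trust our own server's copy.
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            auth.setdefault(method.lower(), verdict.lower())
    findings = []
    if auth.get("spf") in ("fail", "softfail"):
        findings.append("spf")
    if auth.get("dmarc") == "fail":
        findings.append("dmarc")
    # A hint only: legitimate mail is often relayed by third-party hosts.
    if relay and relay != from_domain and not relay.endswith("." + from_domain):
        findings.append("relay-mismatch")
    return {"from_domain": from_domain, "relay": relay,
            "auth": auth, "findings": findings}

if __name__ == "__main__":
    print(analyze(SAMPLE, "mx.recipient.example"))
```

The SPF and DMARC verdicts are the reliable signal; the relay-host comparison alone only prompts a closer look.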

Additional tactics were used to create a sense of urgency, including the subject line “Email Security Notification” and a request that the recipient confirm their email account. The included link directs the recipient to a webpage containing a login screen with the recipient’s email address already populated and a background image copied from the legitimate NJ OAG website. While the included URL is not associated with NJ OAG, the branding and seemingly legitimate sender email address could convince a user to enter their account credentials.

What should I do?

The NJCCIC advises against clicking on links in unexpected emails from unverified senders. Users are encouraged to verify that a website is legitimate before entering account information and remain cautious even if messages claim to come from legitimate sources.

If a suspicious email appears to originate from a legitimate sender, confirm its authenticity with the sender via another form of communication. More information on email spoofing can be found in the NJCCIC information report Spotting a Spoofing.

If account credentials are submitted on a fraudulent website, users are advised to change their password, enable multi-factor authentication (MFA), and notify any appropriate IT or IT security personnel. Phishing emails and other malicious cyber activity can be reported to the FBI’s IC3 and the NJCCIC. For any further questions, contact us here at Cyber Command.