Like most industries these days, the healthcare industry is no stranger to phishing attacks.
One of the latest involves convincing a recipient that they've received a secure message. While the email comes with a generic-sounding “Business Review” subject line, in actuality, the scam is an attempt to harvest the victim’s credentials, potentially so they can be used as a way for attackers to carry out business email compromise (BEC) attacks in the future.
The Health Sector Cybersecurity Coordination Center, a division of the Department of Health and Human Services that helps to identify, correlate, and communicate cybersecurity information across the Healthcare and Public Health (HPH) sector, warned about the campaign in an alert to healthcare organizations last week.
The scam relies on tricking an individual into opening an attachment, something that in turn directs users to a convincing looking Evernote site. If the user follows through and opens it, they're led to an HTML download - classified as a malicious phishing Trojan by the Health Sector Cybersecurity Coordination Center - that tries to ply the user out of their login, whether its Outlook, IONOS, AOL, or some other email.
While malicious spam and phishing attempts are a dime a dozen these days, what makes this scam interesting is that it's framed around delivering a secure message, something that could make it more convincing to some users, especially as the healthcare industry necessitates secure, HIPAA-compliant communication.
The victim organization logo adorns both the email signature and the fake Evernote page, something that employees may not second guess, either.
The email looks similar to a legitimate Cisco Secure Email Encryption Service email, too. It even contains a link to initiate a new email message, through Cisco's website, and the same text that Cisco Secure Email Encryption Service emails contain: “If you have concerns about the validity of this message, contact the sender directly.”
Defenders will want to pay attention to the indicators of compromise (IOCs) provided in the alert, along with a series of mitigations and workarounds. While many are common sense these days - use unique passwords, don't open emails from senders you don't know, etc. - they could prove valuable for new hires and those just getting started with working with healthcare systems and sensitive data.
While security awareness training has helped better prepare employees and defenders alike from phishing attacks, they're still enormously effective. According to Verizon's 2022 Verizon Data Breach Incident Report (DBIR), 35% of ransomware attacks involved the use of email, proving the technique still one of the most useful avenues that bad actors can use to gain a foothold into an organization.
Paying extra attention to the email's sender along with being wary of opening attachments from senders you don't know can go a long way when it comes to preventing a phishing attack.
Despite being such a data-ripe industry, the Health Sector Cybersecurity Coordination Center has only been around since 2018; plans for the center were born in the wake of 2017's WannaCry ransomware attack.
Over the last few weeks, the Center has really ramped up its alerts to healthcare stakeholders. Since the beginning of the year its warned organizations about security risks associated with cloud services and providers, IoT threats, ransomware – in April it warned of the "exceptionally aggressive" group Hive – and web application attacks.
