Healthcare Sector Still Sustains Phishing Campaigns

No one should take too seriously the high-minded things criminals sometimes say about how they’re restraining themselves during the pandemic, and that they’re going to avoid hitting hospitals and biomedical research organizations. If anything, attacks on such targets have increased in recent months, and phishing is the usual approach.

The goal of the phishing attacks is financial: the attackers are extortionists. Healthcare organizations are attractive targets for many reasons, among them being the importance of data availability to their work, their relatively deep pockets, and their complicated networks that present a large and varied attack surface. Health IT Security describes four recent and ongoing campaigns that afford good examples of the techniques in use against the healthcare sector.

The first of these involves message quarantine phishing. In this attack, an employee receives a message that spoofs an organization’s email service. The bogus notification says that several emails have failed to “process properly,” and that the recipient should review the quarantined messages to confirm their validity. The prospect of deletion suggests urgency.

“This could potentially lead the employee to believe that the messages could be important to the company and entice the employee to review the held emails,” researchers at Cofense explained. “Potential loss of important documents or emails could make the employee more inclined to interact with this email.” Should the user click, they’re spirited to a login page designed to harvest their credentials.

The second is a zero font attack, which conceals malicious code in ways that serve to evade security controls that would otherwise intercept them before they reached the target’s in-box. Researchers at INKY explained: “Attackers can embed text into their emails that is both invisible to end users and visible — and confusing — to the machines that automatically scan the mail looking for signs of malicious intent or branding. If the software is looking for brand-indicative text like ‘Office 365’, it won’t find a match. This tactic therefore prevents legacy mail protection systems from classifying this mail as appearing to be from Microsoft. Since it doesn’t know it appears to be from Microsoft, it doesn’t require the mail to be from a Microsoft-controlled mail server. So it sails right through, ending up in the victim’s inbox.”
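As an added illustration of the zero-font trick INKY describes (example code written for this page, not INKY’s or the article’s; the HTML sample is constructed), the following Python collects the message text twice, once as a naive scanner concatenates it and once as a recipient would see it with zero-font elements dropped, and flags the message when the brand name only survives in the visible copy:

```python
"""Zero-font evasion check: text a naive scanner sees vs. text a recipient sees. Added example."""
import re
from html.parser import HTMLParser

BRAND_KEYWORDS = ("office 365", "microsoft")
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}  # never get an end tag
# font-size:0 / 0px / 0.0em ...; other hiding tricks (display:none, white text) are out of scope
ZERO_FONT = re.compile(r"font-size\s*:\s*0(\.0+)?(px|pt|em|%)?(\s*!important)?\s*(;|$)", re.I)
# Constructed sample: an invisible span splits "Office 365", so concatenated text reads "Offqzxice 365"
SAMPLE_HTML = ('<p>Your Off<span style="font-size:0px">qzx</span>ice 365 password '
               'expires today. <a href="http://example.invalid/login">Sign in</a></p>')

class VisibleTextParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.raw, self.visible = [], []   # all text nodes / only the visible ones
        self.hidden_spans = 0             # zero-font elements found
        self._depth = 0                   # nesting depth while inside a zero-font element

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if self._depth:
            self._depth += 1
        elif ZERO_FONT.search(dict(attrs).get("style") or ""):
            self.hidden_spans += 1
            self._depth = 1

    def handle_endtag(self, tag):
        if self._depth and tag not in VOID_TAGS:
            self._depth -= 1

    def handle_data(self, data):
        self.raw.append(data)
        if not self._depth:
            self.visible.append(data)

def analyze(html: str) -> dict:
    p = VisibleTextParser()
    p.feed(html)
    p.close()
    norm = lambda parts: " ".join("".join(parts).split()).lower()
    raw, visible = norm(p.raw), norm(p.visible)
    return {"hidden_spans": p.hidden_spans,
            "brand_in_raw": any(k in raw for k in BRAND_KEYWORDS),
            "brand_in_visible": any(k in visible for k in BRAND_KEYWORDS)}

def is_zero_font_evasion(html: str) -> bool:
    r = analyze(html)  # hidden text is present and it broke a brand match a human still sees
    return r["hidden_spans"] > 0 and r["brand_in_visible"] and not r["brand_in_raw"]
```

A mail gateway that only matches keywords on the raw text node stream is the "legacy" case INKY describes; matching on the rendered text, and treating any zero-font element as a signal in itself, closes that gap.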

The third campaign involves the venerable Agent Tesla remote access Trojan (RAT). Gangs are actively distributing the RAT in COVID-19-themed phishing emails. It’s commodity malware traded in criminal markets. “Various tiers are available for purchase that provide additional licenses and different functionality,” Area 1 researchers explained. “However, in typical internet fashion, there is a torrent available on Russian websites. For the initial file, the attacker uses a 32-bit Windows executable to ensure that the malware can be executed on common Windows devices. This file is a trojan, appearing as a benign application but containing hidden, malicious functionality. This initial phase determines if it is in a malware analysis environment so the program can decide whether to proceed with the attack or go to sleep.”

And, fourth, there are nation-state actors engaged in similar financially motivated phishing expeditions. The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has warned that North Korean operators continue to use their KONNI RAT against targets in the healthcare sector. Their technique has evolved into more closely tailored spear phishing, with phishbait designed to attract specific individuals. Spearphishing tends to be more persuasive than classic indiscriminate phishing through mass-mailed spam.

While the healthcare sector is currently receiving more than its fair share of attacks, other industries also need to be on their guard. The four techniques Health IT Security described all depend upon social engineering for their success. New-school security awareness training can help organizations instill a proper, healthy skepticism in their personnel.


Scammers are using Black Lives Matter as Phishbait

A phishing campaign is using Black Lives Matter-themed phishing lures to trick people into installing malware, Yahoo reports. Adam Levin from Cyberscout told Yahoo that the phishing emails contain the subject line, “Vote anonymous about ‘Black Lives Matter.’” The email body states, “Leave a review confidentially about ‘Black Lives Matter.’ Claim in attached file.”

The attached file is a Microsoft Word document titled, “e-vote_form_3438.” If the user opens this document, they’ll see a slide telling them to click “Enable Editing” and then “Enable Content” in order to view the content. If these buttons are clicked, the document will be allowed to run a macro that will trigger the malware’s installation process. This is an extremely common tactic, but many people still fall for it.

Levin says the final payload in this campaign is TrickBot. TrickBot is a notorious and versatile commodity banking Trojan that’s used by both criminals and some nation-state actors due to its effectiveness. In addition to stealing passwords and financial information, TrickBot can spread to other computers and download additional malware such as ransomware.

Yahoo notes that since cybercrime is such a profitable industry, these attacks won’t be slowing down anytime soon.

“This particular TrickBot scam may be new, but malware scams are always rampant on the internet,” Yahoo says. “The statistics are staggering: by 2020, the global cost of malware attacks is expected to hit $6 trillion—yes, trillion—according to the cyber experts at Cybersecurity Ventures.”

Attackers always try to exploit hot-button issues and current events to trick people into making poor security decisions. As the US gets closer to its election in November, we can expect to see more scammers trying to take advantage of issues that people feel strongly about. New-school security awareness training can help your employees take a step back and think about what they’re doing, rather than impulsively clicking on a link or downloading a document.


Beware of Fake Forwarded Phishes

There are many specific, heightened challenges of spear phishing emails coming from compromised, trusted third parties. Trusted third-party phishing emails usually come from the legitimate sender’s email account, which is under the control of a malicious hacker. The challenges of these types of spear phishing emails were discussed previously.

But the risks from a compromised, trusted third-party account don’t always go away when the trusted third party gets cleaned up and the hacker is removed. In fact, the threats from a trusted third-party compromise can last for months to years. The related spear phishing attack called a ‘fake forwarded email’ is an example.

This particular type of phish arrives with a subject line and message body text belonging to a previous, genuine conversation held between two legitimate parties. The message text is usually a partial or full conversation from a previously discussed thread, which often happened months to years ago. Even though this type of email usually arrives from a new, illegitimate email address, oftentimes the receiver’s innate familiarity with the conversation thread makes the receiver accidentally miss the new sender’s email address. That is what the phisher is hoping for, and it is the whole reason for this type of spear phishing attack.

These types of phishing emails will always include a new request for the receiver, to either visit a particular included URL link or open a file attachment. The message to the receiver requesting action is usually something simple and short, such as “Here’s that document you requested” or “This link has the invoice you were asking about.” Many times, the action instruction has nothing to do with the included thread. I’ve often been surprised at how disjointed the request is from the original thread, but the phishers are apparently having some success with them or they wouldn’t keep using them.


All the normal anti-phishing defenses, including good and frequent security awareness training, apply. But it’s important to share these types of phishing attacks with everyone so they know about them. It’s also always important to check the sender’s email address, even if the email seems like part of a continuing thread. It’s one thing to educate and discuss and another to test whether people really are looking at the sender’s FROM email address when they get sent a recognizable thread. So, test this scenario as part of your regular simulated phishing campaigns. Pick an organization-wide email thread that got a lot of traffic and back-and-forth conversation with lots of participants within the company. Then send it from an external, nearly look-alike email address and see who falls for it. Real spear “phishermen” seem to think it works.
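The “check the sender’s address even when the thread looks familiar” rule above can also be automated at the gateway. The Python below is an added example written for this page (not the author’s code); it parses a constructed message whose quoted thread belongs to one domain while the live From: header uses a look-alike domain, and flags the mismatch:

```python
"""Flag a 'fake forwarded' phish: the quoted thread belongs to known correspondents
but the live From: address is new, possibly a look-alike. Added example; message constructed."""
import email
import re
from email import policy

# Constructed sample: an old, genuine-looking thread between corp-example.com users,
# re-sent from a look-alike domain with a new, unrelated request at the top.
RAW_MESSAGE = b"""From: Bob Example <bob@corp-examp1e.com>
Subject: RE: RE: Q3 vendor onboarding checklist
Content-Type: text/plain

Here's that document you requested: http://files.invalid/checklist.doc

-----Original Message-----
From: Alice Example <alice@corp-example.com>
Subject: RE: Q3 vendor onboarding checklist

Thanks Bob, I'll get the checklist over to procurement.
"""
ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits is the usual look-alike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_forwarded_thread(raw: bytes) -> dict:
    """Compare the live sender domain with the domains quoted in the old thread."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender_domain = msg["from"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("plain",)).get_content()
    quoted = {d.lower() for d in ADDR_RE.findall(body)}   # domains in the quoted thread
    nearest = min(quoted, key=lambda d: edit_distance(sender_domain, d), default=None)
    dist = edit_distance(sender_domain, nearest) if nearest else None
    return {"sender_domain": sender_domain, "thread_domains": sorted(quoted),
            "sender_in_thread": sender_domain in quoted,
            "lookalike_of": nearest if dist and dist <= 2 else None}

def is_fake_forward(raw: bytes) -> bool:
    """Quoted thread present, but the sender is not one of its participants."""
    r = check_forwarded_thread(raw)
    return bool(r["thread_domains"]) and not r["sender_in_thread"]
```

The same comparison can be run against a list of known correspondents rather than only the addresses quoted in the body, which also catches the case where the quoted thread has been trimmed.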

This is also a great chance to see if your best anti-phishing “champions” who hardly ever get tricked by a real or simulated phishing test do as well on a simulated fake forwarded email. For your champions, pick a more focused email thread that they were personally involved in instead of a company-wide thread. You might have to enlist another recipient you know who frequently corresponds with them.

Fake forwarded emails are one of the most popular types of spear phishing. Don’t let a real one be the first time your users are tested.