Spam News

Survey Confirms Increase in Phishing and Email Impersonation Attacks

The COVID-19 pandemic has seen an increase in email impersonation attacks on businesses, according to the latest State of Email Security report from Mimecast. In the first 100 days of 2020, email impersonation attacks increased by 30%.

The report was based on a survey conducted on behalf of Mimecast by Vanson Bourne on 1,025 IT decision makers in the U.S., UK, Germany, Netherlands, Australia, South Africa, United Arab Emirates (UAE), and Saudi Arabia between February and March 2020, while businesses were battling the COVID-19 pandemic. Mimecast also analyzed more than 1 billion emails screened by the company’s email security solutions.

60% of respondents to the survey reported an increase in email impersonation attacks such as business email compromise (BEC) over the past 12 months. There were an average of 9 email or web spoofing incidents detected by respondents in the past year, although there may be many others that they did not identify.

DMARC is important for protecting against email impersonation attacks and preventing brand damage. While 97% of respondents were aware of DMARC, worryingly, only 27% of respondents said they use it.
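Being aware of DMARC is not the same as publishing a record that actually blocks spoofed mail: a record with p=none only reports, and a record without a usable p= tag is ignored by receivers. The following added example (not code from Mimecast or HIPAA Journal) parses a DMARC TXT record, the kind published in DNS at _dmarc.<domain>, and reports whether it enforces anything. It works on the record text only; the sample records and the example.com addresses are constructed.

```python
"""Grade a DMARC TXT record: does it actually stop spoofed mail, or only watch it?

Added example, not code from Mimecast or HIPAA Journal. The record is what a
domain publishes in DNS at _dmarc.<domain>; this code parses the record text
only, and the sample records below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    valid: bool                      # would a receiver apply the record at all?
    policy: Optional[str] = None     # effective p= (none/quarantine/reject)
    subdomain_policy: Optional[str] = None
    pct: int = 100
    enforcing: bool = False          # quarantine/reject applied to failing mail
    reporting: bool = False          # rua= present, so spoofing is visible
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Assess one DMARC record; pass None when the domain publishes none."""
    if record is None:
        return DmarcAssessment(valid=False, findings=["no DMARC record: receivers apply no DMARC checks"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment(valid=False, findings=[str(exc)])
    # The version tag must be present and first (RFC 7489 section 6.3).
    if tags.get("v", "").upper() != "DMARC1" or not record.lstrip().lower().startswith("v="):
        return DmarcAssessment(valid=False, findings=["record must begin with v=DMARC1"])

    a = DmarcAssessment(valid=True)
    a.reporting = tags.get("rua", "").lower().startswith("mailto:")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 section 6.6.3: a missing or invalid p= is treated as p=none
        # when a usable rua= exists; otherwise the whole record is ignored.
        if a.reporting:
            a.findings.append("p= missing or invalid; receivers fall back to p=none")
            policy = "none"
        else:
            a.valid = False
            a.findings.append("p= missing or invalid and no rua=; receivers ignore the record")
            return a
    a.policy = policy
    a.subdomain_policy = tags.get("sp", policy).lower()   # sp= defaults to p=
    try:
        a.pct = int(tags.get("pct", "100"))
    except ValueError:
        a.findings.append("pct= is not an integer; treating as 100")
    a.enforcing = policy in ("quarantine", "reject") and a.pct > 0

    if policy == "none":
        a.findings.append("p=none only monitors: spoofed mail is still delivered")
    elif a.pct < 100:
        a.findings.append(f"pct={a.pct}: only {a.pct}% of failing mail is subject to {policy}")
    if policy != "none" and a.subdomain_policy == "none":
        a.findings.append("sp=none leaves subdomains spoofable despite an enforcing p=")
    if not a.reporting:
        a.findings.append("no rua= address: you will not see who is spoofing the domain")
    return a


# Constructed sample records, one per common state of DMARC adoption.
SAMPLE_RECORDS = {
    "no-record": None,
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=10",
    "enforcing": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
    "broken": "v=DMARC1; sp=reject",
}

if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{label:13} valid={a.valid} enforcing={a.enforcing} {a.findings}")
```

In practice the record is fetched with a TXT lookup of _dmarc.<domain> and fed to assess_dmarc; the "broken" and "partial" cases are the ones that let an organization count itself among the 27% "using DMARC" while still being spoofable.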

Ransomware continues to be a problem for businesses. 51% of respondents said ransomware had impacted their business in the past 12 months, with the attacks causing an average of 3 days of downtime.

58% of respondents said there had been an increase in phishing attacks over the past 12 months. 72% of respondents said the level of phishing had stayed the same or had increased, compared to 69% when the survey was last conducted in 2019.

IT decision makers do not hold out much hope that the situation will improve. 85% of respondents said they thought email and web-based spoofing attacks will either continue at the same level or increase over the next 12 months. There is also not a great deal of confidence about repelling these attacks. 60% said it is either inevitable or likely that they will experience an email-related data breach.

The relatively bleak outlook may have been influenced by the changes that have had to be made to working practices as a result of the pandemic. Transitioning from a largely office-based workforce to one that is almost entirely home based has introduced new risks and has made it harder for IT security teams to repel attacks.

Even though there is a high risk of experiencing an attack, there is still a lack of cyber resilience preparedness, and the value of regular security awareness training for the workforce does not appear to be appreciated. Despite the risk of phishing, spear phishing, and other email-based attacks, 55% of respondents said they do not provide security awareness training to the workforce on a regular basis and 17% said they only provide security awareness training once a year.

The attacks are proving costly to businesses. 31% of respondents said they experienced data loss and business interruption as a result of an email attack, and 29% said they experienced downtime as a result of a lack of preparedness.

The report also shows that email security defenses are lacking at many businesses. 40% do not have a system for monitoring and protecting against email-based attacks or data leaks in internal emails, 39% do not monitor or protect against email-based malware, and 42% do not have a system that automatically removes malicious or unwanted emails from employee’s inboxes.

The survey revealed businesses are aware of the importance of having a cyber resilience strategy. In 2019, 75% of respondents said they either had or were rolling out such a strategy. The percentage increased to 77% this year. Considering the number of respondents that have experienced data loss, downtime, and drops in productivity due to email attacks, those strategies cannot be implemented too soon.

The post Survey Confirms Increase in Phishing and Email Impersonation Attacks appeared first on HIPAA Journal.

Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign

A phishing campaign has been identified that uses fake VPN alerts as a lure to get remote workers to divulge their Office 365 credentials.

Healthcare providers have increased their telehealth services during the COVID-19 public health emergency in an effort to help prevent the spread of COVID-19 and ensure that healthcare services can continue to be provided to patients who are self-isolating at home.

Virtual private networks (VPNs) are used to support telehealth services and provide secure access to the network and patient data. Several vulnerabilities have been identified in VPN products that are being exploited by threat actors to gain access to corporate networks, steal sensitive data, and deploy malware and ransomware, so it is essential that VPN appliances are patched promptly and that the VPN clients on employee laptops are kept up to date. Employees are therefore accustomed to receiving instructions to update their VPN software, which is exactly what this lure relies on.

Researchers at Abnormal Security have identified a phishing campaign that impersonates a user’s organization and claims there is a problem with the VPN configuration that must be addressed to allow the user to continue to use the VPN to access the network.

The emails appear to have been sent by the IT Support team and include a hyperlink that must be clicked to install the update. The user is told in the email that they will be required to supply their username and password to login to perform the update.

This campaign targets specific organizations and spoofs an internal sender address so that the email appears to come from a trusted domain. The hyperlink uses anchor text related to the user’s organization, which hides the true destination URL and makes the link appear legitimate. If the user clicks the hyperlink, they are directed to a website with a realistic Office 365 login prompt. The phishing page is hosted on a legitimate Microsoft .NET hosting platform and therefore carries a valid TLS certificate, so the padlock icon and the https:// prefix are no indication that the page is safe; only the hostname the link actually points to gives the page away.
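The anchor-text trick is mechanical enough to detect before a user ever sees the message. The following added example (not code from Abnormal Security or HIPAA Journal) parses the HTML body of an email, pairs each link's visible text with the host its href really resolves to, and flags links whose text names a domain, or the recipient's own organization, that the href does not go to. The sample message and all domains in it are constructed; contoso.example stands in for the targeted organization.

```python
"""Flag HTML email links whose visible text points somewhere other than the href.

Added example; not code from Abnormal Security or HIPAA Journal. The message
and all domains below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


class _LinkCollector(HTMLParser):
    """Collect (href, visible anchor text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url: str) -> str:
    """Host the browser will really connect to, lower-cased, no port or userinfo."""
    return (urlsplit(url.strip()).hostname or "").lower()


def _same_site(host: str, shown: str) -> bool:
    return host == shown or host.endswith("." + shown)


# A domain-looking token in anchor text, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def suspicious_links(html: str, org_domain: str) -> List[Dict[str, str]]:
    """Return links whose anchor text names a domain or the organization
    but whose href goes to a different host."""
    collector = _LinkCollector()
    collector.feed(html)
    org = org_domain.lower()
    org_name = org.split(".")[0]
    findings: List[Dict[str, str]] = []
    for href, text in collector.links:
        if not href or href.lower().startswith(("mailto:", "tel:", "#")):
            continue
        target = host_of(href)
        text_l = text.lower()
        match = _DOMAIN_IN_TEXT.search(text_l)
        if match and not _same_site(target, match.group(1)):
            findings.append({"href": href, "text": text,
                             "reason": f"anchor text shows {match.group(1)} but link goes to {target}"})
        elif org_name in text_l and not _same_site(target, org):
            findings.append({"href": href, "text": text,
                             "reason": f"anchor mentions {org_name} but link goes to {target}"})
    return findings


# Constructed message modelled on the lure described above; every domain is fictitious.
SAMPLE_EMAIL = """
<p>From: IT Support &lt;it-support@contoso.example&gt;</p>
<p>Your VPN configuration must be updated today to keep network access.</p>
<p><a href="https://vpn-update.hosting-example.net/o365/login">https://vpn.contoso.example/update</a></p>
<p><a href="https://vpn-update.hosting-example.net/o365/login">Update your Contoso VPN now</a></p>
<p><a href="https://vpn.contoso.example/help">vpn.contoso.example/help</a></p>
<p><a href="mailto:it-support@contoso.example">it-support@contoso.example</a></p>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, "contoso.example"):
        print(finding["reason"])
```

The third link is left alone because its text and href agree; the two that are flagged are the ones a user on a small screen, or in a hurry, would click.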

[Image: fake VPN alert phishing email. Source: Abnormal Security]

Login credentials entered on the site will be captured by the attacker and can be used to access the individual’s Office 365 email account and obtain sensitive data in emails and attachments, as well as other data accessible using the Office 365 credentials through single sign-on.

Abnormal Security has found a variety of phishing emails that use variations of this message, which have been sent from several different IP addresses. Since the destination phishing URL is the same in each email, it suggests that the emails are part of the same campaign and have been sent by a single attacker.

The post Fake VPN Alerts Used as Lure in Office 365 Credential Phishing Campaign appeared first on HIPAA Journal.

Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis

Cybercriminals have changed their tactics, techniques, and procedures during the COVID-19 health crisis and have been targeting remote workers using COVID-19 themed lures in their phishing campaigns. There has also been a sharp increase in the number of phishing attacks targeting users of mobile devices such as smartphones and tablets, according to a recent report from mobile security company Lookout.

Globally, mobile phishing attacks on corporate users increased by 37% from Q4, 2019 to the end of Q1, 2020 with an even bigger increase in North America, where mobile phishing attacks increased by 66.3%, according to data obtained from users of Lookout’s mobile security software. Phishers have also been targeting remote workers in specific industry sectors such as healthcare and the financial services.

While the sharp increase in mobile phishing attacks has been attributed to the change in working practices due to the COVID-19 pandemic, there has been a steady rise in mobile phishing attacks over the past few quarters. Phishing attacks on mobile device users tend to have a higher success rate, as users are more likely to click links than when using a laptop or desktop as the phishing URLs are harder to identify as malicious on smaller screen sizes.

While the full URL is likely to be displayed on a laptop computer or desktop, a mobile device will only display the last section of the URL, which can be crafted to make the URL appear genuine on mobile devices. When working from home, employees are more likely to resort to using their mobile to perform tasks to stay productive, suggests Lookout, especially employees that do not have a large screen or multiple monitors at home as they do in the office.
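When only a fragment of the URL is visible, the part that matters (the registrable domain, which is what the phisher actually bought) is the part most likely to be cut off. The following added example (not code from Lookout or HIPAA Journal) pulls the real host out of a URL and flags the common ways the rest of the URL is dressed up to look genuine: a brand name placed in a subdomain or path, userinfo before an "@" that hides the true host, a raw IP address, a punycode label, and deep subdomain nesting. The brand list, the public-suffix subset and the sample URLs are constructed; a production tool would use the full Public Suffix List.

```python
"""Find the real host in a URL and flag the tricks that make the rest look genuine.

Added example; not code from Lookout or HIPAA Journal. The brand list, the
public-suffix subset and all sample URLs are constructed for illustration.
"""
import ipaddress
from typing import Dict, List
from urllib.parse import unquote, urlsplit

# Constructed: brands a phishing URL might borrow. Real tooling would use a fuller list.
BRANDS = {"microsoft", "office365", "outlook", "sharepoint", "paypal", "netflix"}
# Constructed subset of multi-label public suffixes; use the Public Suffix List in practice.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.za"}


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain (the part the phisher actually bought)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def inspect_url(url: str) -> Dict[str, object]:
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    reasons: List[str] = []

    is_ip = False
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        pass
    reg = host if is_ip else registrable_domain(host)

    if is_ip:
        reasons.append("raw IP address instead of a host name")
    if parts.username is not None:
        # https://paypal.com@198.51.100.23/ : everything before '@' is userinfo, not the host
        reasons.append(f"userinfo '{parts.username}' placed before '@' to disguise host {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label in host: possible homoglyph domain")
    if len(host.split(".")) > 4:
        reasons.append("unusually deep subdomain nesting")

    # Brand names anywhere except the registrable domain are decoration, not ownership.
    decoration = " ".join([
        host[: len(host) - len(reg)] if reg and host.endswith(reg) else host,
        parts.username or "",
        unquote(parts.path),
        unquote(parts.query),
    ]).lower()
    for brand in sorted(BRANDS):
        if brand in decoration and brand not in reg:
            reasons.append(f"brand '{brand}' appears outside the registrable domain {reg or '(none)'}")

    return {"url": url, "host": host, "registrable_domain": reg,
            "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample URLs; the real-looking pieces sit outside the registrable domain.
SAMPLE_URLS = [
    "https://login.microsoftonline.com.secure-auth-portal.net/office365/verify",
    "https://paypal.com@198.51.100.23/signin",
    "https://xn--login-portal.example/office365",
    "https://www.paypal.com/signin",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = inspect_url(u)
        print(r["registrable_domain"] or "(no host)", "<-", u)
        for reason in r["reasons"]:
            print("   ", reason)
```

The same check is what a user is doing by hand when they long-press a link on a phone to preview it: the question is always which domain the browser will connect to, not which brand names appear somewhere in the string.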

Mobile devices typically lack the same level of security as laptops and office computers, making it less likely that phishing messages will be blocked. There are also more ways that phishing URLs can be delivered to mobile devices than laptops and desktops. On a desktop, phishing URLs will mostly be delivered via email, but on mobile devices they can easily be delivered via email, SMS, messaging apps, and social media and dating apps. There is also a tendency for mobile users to act faster and not stop and think about whether a request is legitimate, even though they may be particularly careful on a laptop or desktop.

The rise in phishing attacks targeting mobile users is a security concern and one that should be addressed by employers through education efforts and security awareness training, especially with remote workers. Phishing awareness training should cover the risk of mobile phishing attacks and explain how URLs can be previewed on mobile devices and other steps that should be taken to verify the validity of requests.

“If the message appears to come from someone you recognize but seems like a strange ask or takes you to a strange site, get in contact with that person directly and validate the communication,” said Hank Schless, senior manager of security solutions at Lookout. “In a time of remote work, it’s even more important to validate any sort of strange communication.”

Education alone may not be sufficient. Security software should also be used on mobile devices to better protect end users from phishing and malware attacks.

The post Mobile Phishing Attacks Have Surged During the COVID-19 Health Crisis appeared first on HIPAA Journal.

Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers

Business email compromise scammers operating out of Nigeria have been targeting government healthcare agencies, COVID-19 research organizations, and pandemic response organizations to obtain fraudulent wire transfer payments and spread malware.

The attacks were detected by Palo Alto Networks’ Unit 42 team researchers and have been attributed to a cybercriminal organization called SilverTerrier. SilverTerrier actors have been highly active over the past 12 months and are known to have conducted at least 2.1 million BEC attacks since the Unit 42 team started tracking their activity in 2014. In 2019, the group conducted an average of 92,739 attacks per month, with activity peaking in June when 245,637 attacks were conducted.

The gang has been observed exploiting the CVE-2017-11882 vulnerability in Microsoft Office to install malware, but most commonly uses spear phishing emails targeting individuals in the finance department. The gang uses standard phishing lures such as fake invoices and payment advice notifications to trick recipients into opening malicious email attachments that install malware. A wide range of malware variants have been used by the gang, including information stealers such as Lokibot, Pony, and PredatorPain and remote administration tools to maintain persistent access to compromised systems. The gangs use malware to steal sensitive information and gain access to bank accounts and payroll systems. BEC attacks are also conducted to obtain fraudulent wire transfer payments.

Unit 42 researchers have tracked the activity of three threat actors from the group over the past 3 months who, between them, have conducted 10 COVID-19 themed malware campaigns on organizations involved in the national response to COVID-19 in Australia, Canada, Italy, the United Kingdom, and the United States.

Recent targets have included government healthcare agencies, local and regional governments, medical publishing companies, research firms, insurance companies, and universities with medical programs and medical centers. 170 distinct phishing emails have been identified by the researchers, several of which related to supplies of face masks and other personal protective equipment.

SilverTerrier attacks increased by 172% in 2019 and Palo Alto Networks reports there is no indication that the attacks will slow in 2020. “In light of this trend, we encourage government agencies, healthcare and insurance organisations, public utilities, and universities with medical programs to apply extra scrutiny to Covid-19-related emails containing attachments,” said the researchers. Since the attacks are mostly conducted by email, the best defense is training for staff to help them identify spear phishing emails and an advanced spam filtering solution to prevent the emails from being delivered to inboxes. It is also important to confirm that the CVE-2017-11882 Microsoft Office vulnerability has been patched on all endpoints and to continue to apply patches promptly.


The post Government Healthcare Agencies and COVID-19 Research Organizations Targeted by Nigerian BEC Scammers appeared first on HIPAA Journal.

PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks

Aurora Medical Center-Bay Area in Marinette, WI is notifying 27,137 patients that some of their protected health information has been exposed as a result of a January 1, 2020 phishing attack.

Several employees responded to the messages and disclosed their email account credentials, which gave the attackers access to their email accounts. The breach was discovered by the medical center on January 9, 2020. A password reset was immediately performed to prevent any further account access and the security breach was reported to law enforcement.

An internal investigation was launched to determine what information was accessed by the attackers, which revealed emails and attachments in the accounts contained the protected health information of patients. Aurora Medical Center has not received any reports indicating there has been any misuse of patient information, but it was not possible to rule out data theft.

A review of the emails in the accounts revealed they contained a range of PHI. The information varied from patient to patient and may have included first and last names, maiden name, marital status, date of birth, address, email address, telephone number, Social Security number, medical record number, driver’s license number, medical device number, passport number, bank account number, health insurance account number, full-face photograph, admission date, discharge date, and treatment date.

Steps have been taken to improve email security and employees have been provided with further security awareness training to help them identify phishing emails.

University of Pittsburgh Medical Center Altoona Phishing Attack Reported

UPMC Altoona has discovered an unauthorized individual has gained access to the email account of one of its physicians and potentially viewed or obtained the PHI of some of its patients. The phishing attack was detected on February 13, 2020, shortly after the email account was compromised.

The attacker used the account to send further phishing emails. The investigation did not uncover evidence of data theft, but unauthorized PHI access could not be ruled out.

A forensic investigation revealed the email account contained patient information such as demographic information and limited clinical information. No Social Security numbers, financial information, or health insurance details were exposed.

Notification letters were sent to affected individuals on April 10, 2020. The Office for Civil Rights breach portal indicates up to 13,911 patients have been affected by the phishing attack.

The post PHI of 41,000 Patients Exposed in Aurora Medical Center and UPMC Altoona Phishing Attacks appeared first on HIPAA Journal.

Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment

The Federal Bureau of Investigation (FBI) has issued a warning that cybercriminals are attempting to steal money from state agencies and healthcare industry buyers that are trying to purchase personal protective equipment (PPE) and medical supplies.

Healthcare industry buyers have been told to be on high alert following a rise in the number of scams related to the procurement of PPE and essential medical equipment such as ventilators, which are in short supply due to increased demand.

The FBI has received reports of several cases of advance fee scams, where government agencies and healthcare industry buyers have wired funds to brokers and sellers of PPE and medical equipment, only to discover the suppliers were fake.

There have also been several reported cases of business email compromise (BEC) scams related to PPE and medical equipment procurement. In these scams, brokers and vendors of goods and services are impersonated. The scammers use email addresses that are nearly identical to the legitimate broker or seller and request wire transfer payments for the goods and services. The scams are often only detected after the money has been transferred and withdrawn from the accounts.

The FBI cites one case where an individual was duped by a scammer into wire transferring funds to an entity that claimed to have an existing business relationship with the purchasing agency. When the potential scam was uncovered, the funds had already been transferred beyond the reach of U.S law enforcement and could not be recovered.

Prepayment for goods such as PPE and ventilators is commonplace, but it increases risk of being defrauded and, in many cases, prepayment for goods eliminates potential recourse.

Healthcare equipment buyers should be wary of the following signs of a potential scam:

  • Contact is initiated by a broker or seller of medical equipment or PPE, often through a channel that makes verification of the legitimacy of the seller or broker difficult; for example, initial contact comes from a personal email address or the offer is received over the phone.
  • The origin of the equipment is not clearly explained, including how the broker or vendor has secured a supply given the current high level of demand.
  • It is not possible to verify with the manufacturer of the goods that the person offering them for sale is a legitimate vendor or distributor of the product, or it is not possible to verify a legitimate supply chain.
  • Any unexplained urgency for payment or last-minute changes to previously used payment methods.

Any contact made by a vendor or broker who claims to have a business relationship with an existing supplier should be verified through previously established communication channels to verify the legitimacy of the relationship.

If contact is made by a known or trusted vendor, carefully check the contact information and email address to make sure it is legitimate. Look out for transposed letters and misspellings in email addresses.
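Checking a sender address for transposed letters and misspellings is tedious by eye and easy to automate against a list of approved vendors. The following added example (not code from the FBI alert or HIPAA Journal) classifies a sender domain as known, lookalike, or unknown by comparing it with each approved vendor domain four ways: homoglyph substitution (rn for m, 1 for l), an edit distance that counts an adjacent-letter swap as a single typo, the same name under a different top-level domain, and the vendor name embedded in a longer new domain. The vendor list, the homoglyph table and the sample senders are constructed.

```python
"""Tell a known vendor address from a lookalike one (transposed letters,
homoglyphs, swapped TLDs, vendor name embedded in a new domain).

Added example; not code from the FBI alert or HIPAA Journal. The vendor list,
the homoglyph table and the sample senders are constructed for illustration.
"""
from typing import Dict, List, Set, Tuple

KNOWN_VENDORS: Set[str] = {"medsupply.example", "ventilators-direct.example"}

# Constructed subset of sequences that read alike in common fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize(label: str) -> str:
    label = label.lower()
    for glyph, canon in HOMOGLYPHS.items():
        label = label.replace(glyph, canon)
    return label


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit = insert, delete,
    substitute, or swap two adjacent characters (the classic typo)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain: str) -> Tuple[str, str]:
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify_sender(address: str, known: Set[str] = KNOWN_VENDORS) -> Dict[str, object]:
    """Return 'known', 'lookalike' (with the vendor it imitates and why) or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in known:
        return {"domain": domain, "verdict": "known", "matches": []}
    name, tld = split_domain(domain)
    matches: List[Tuple[str, str]] = []
    for vendor in sorted(known):
        vname, vtld = split_domain(vendor)
        limit = 1 if len(vname) < 8 else 2          # short names tolerate fewer edits
        if name != vname and normalize(name) == normalize(vname):
            matches.append((vendor, "homoglyph substitution"))
        elif name == vname and tld != vtld:
            matches.append((vendor, f"same name, different TLD .{tld}"))
        elif osa_distance(name, vname) <= limit:
            matches.append((vendor, f"edit distance {osa_distance(name, vname)} from {vname}"))
        elif vname in name:
            matches.append((vendor, f"vendor name embedded in {domain}"))
    return {"domain": domain, "verdict": "lookalike" if matches else "unknown", "matches": matches}


# Constructed senders: one genuine, four lookalikes of increasing subtlety, one unrelated.
SAMPLE_SENDERS = [
    "orders@medsupply.example",
    "orders@medsuplpy.example",
    "sales@rnedsupply.example",
    "billing@medsupply.exarnple",
    "accounts@medsupply-invoices.example",
    "info@unrelated.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        r = classify_sender(sender)
        print(f"{sender:38} {r['verdict']:9} {r['matches']}")
```

A "lookalike" verdict is the cue to fall back to the previously established channel described above; an "unknown" verdict is not a clean bill of health, only the absence of an obvious imitation.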

Where possible, arrange for an independent third party to verify that the items being offered for sale are physically present, and of the correct make, model, and type and take delivery immediately when payment is made. If not possible, ensure payment is made through a domestic escrow account which will only release funds when the goods are received and verified to be correct.

The post Scammers Target Healthcare Buyers Trying to Purchase PPE and Medical Equipment appeared first on HIPAA Journal.

90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year

A recently published study conducted by HIMSS Media on behalf of Mimecast has revealed 90% of healthcare organizations have experienced at least one email-based threat in the past 12 months. 72% have experienced downtime as a result and one in four said the attack was very or extremely disruptive.

Healthcare organizations are a major target for cybercriminals. They hold large quantities of personal and health information that can be used for many fraudulent purposes, email-based attacks are easy to perform and require little technical skill, and they often give a high return on investment. Healthcare email security defenses also lag behind other industry sectors and security awareness training is often overlooked.

The study was conducted in November 2019 on 101 individuals that had significant involvement with email security at hospitals and health systems in the United States. 3 out of 4 respondents said they have or are in the process of rolling out a comprehensive cyber resilience program, but only 56% of respondents said they already have such a strategy in place. When asked about their current email security deployments, only half had a high level of confidence that their email security measures would block email-based threats.

When asked about the email threats they had experienced and which were the most disruptive, 61% of respondents said impersonation of trusted vendors were very or extremely disruptive, 57% rated credential-harvesting phishing attacks very or extremely disruptive, and 35% said data leaks and threats initiated by cybercriminals stealing users’ log-in credentials were very or extremely disruptive. The main losses caused by the attacks were productivity (55%), data (34%) and financial (17%).

Email security solutions can block the majority of threats, yet only 79% of respondents said they had email security controls in place or were planning to introduce them. Internet and web protection measures had only been implemented by 64% of surveyed healthcare organizations.

These technical solutions are important, but it is important not to forget the human element. Only 73% of surveyed organizations believed security awareness training was an essential part of their defenses against email-borne cyberattacks. This can partly be explained by the way that training is provided. 40% of respondents said they provide security awareness training less than quarterly and 27% only provide training once a year.

“Organizations are better off doing five minutes of training once a month, instead of 15 minutes of training once a quarter,” said Matthew Gardiner, director of enterprise security at Mimecast. “Even though it’s the same amount of time, it’s better to do the training more often so the information stays top of mind.”

It is alarming considering the number of email-based attacks that 11% of respondents said they conduct security awareness training less frequently than once a year, only during onboarding, or only after a major event such as a phishing attack or data breach.

“To better prepare, information technology and security professionals must strengthen their email security programs by combining the best technical controls with knowledgeable staff and resilient business processes to avoid disruption from email-borne attacks,” said Gardiner.

The post 90% of Healthcare Organizations Have Experienced an Email-Based Attack in the Past Year appeared first on HIPAA Journal.

Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign

Researchers at Proofpoint have identified a new phishing campaign targeting healthcare providers, insurance firms and pharmaceutical companies. The intercepted emails impersonate Vanderbilt University Medical Center and claim to include the results of a recent HIV test.

The emails have the subject line “Test result of medical analysis” and include an Excel spreadsheet attachment – named TestResult.xlsb – which the recipient must open to view the HIV test results. When the spreadsheet is opened, the user is advised the data is protected. To view the test result it is necessary to enable content. If content is enabled and macros are allowed to run, malware will be downloaded onto the user’s computer.
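The lure depends on the recipient enabling content; an attachment filter should decide on what is inside the file rather than on the file name. The following added example (not code from Proofpoint or HIPAA Journal) triages an Office attachment: modern .xlsx/.xlsm/.xlsb files are zip containers in which VBA code lives in xl/vbaProject.bin and Excel 4.0 macro sheets under xl/macrosheets/, while legacy .xls/.doc files are OLE compound files that need a different parser. The workbooks are constructed in memory as minimal zip containers (not files Excel would open) so the example runs offline.

```python
"""Triage an Office attachment by what is inside it, not by its file name.

Added example; not code from Proofpoint or HIPAA Journal. The workbooks below
are constructed in memory (minimal zip containers, not files Excel would open)
so the example runs offline; real .xlsm/.xlsb files use the same package layout.
"""
import io
import zipfile
from typing import Dict, List

MACRO_CAPABLE_EXT = {".xlsm", ".xlsb", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".ppam"}
MACRO_FREE_EXT = {".xlsx", ".xltx", ".docx", ".dotx", ".pptx"}
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc compound file header


def triage_attachment(filename: str, data: bytes) -> Dict[str, object]:
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    reasons: List[str] = []
    result: Dict[str, object] = {"filename": filename, "container": "other",
                                 "has_vba": False, "has_xlm": False,
                                 "reasons": reasons, "block": False}
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: macros live in OLE streams; hand off to an OLE parser.
        result["container"] = "ole"
        reasons.append("legacy binary Office file; inspect OLE streams for VBA")
        return result
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if any(n.endswith("vbaproject.bin") for n in names):
        result["has_vba"] = True
        reasons.append("VBA project stream present (vbaProject.bin)")
    if any(n.startswith("xl/macrosheets/") for n in names):
        result["has_xlm"] = True
        reasons.append("Excel 4.0 macro sheet present (xl/macrosheets/)")
    if ext in MACRO_CAPABLE_EXT:
        reasons.append(f"macro-capable extension {ext}")
    if ext in MACRO_FREE_EXT and (result["has_vba"] or result["has_xlm"]):
        reasons.append(f"macro code inside a {ext} file: extension does not match content")
    result["block"] = bool(result["has_vba"] or result["has_xlm"])
    return result


def build_workbook(vba: bool = False, xlm: bool = False) -> bytes:
    """Constructed minimal OOXML-style container for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/worksheets/sheet1.xml", "<worksheet/>")
        if vba:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
        if xlm:
            zf.writestr("xl/macrosheets/sheet1.xml", "<macrosheet/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("TestResult.xlsb", build_workbook(vba=True)),
                       ("TestResult.xlsx", build_workbook(xlm=True)),
                       ("report.xlsx", build_workbook())]:
        print(name, triage_attachment(name, blob))
```

The "extension does not match content" case matters because a renamed file still opens in Excel and still prompts to enable content; blocking on the presence of macro code rather than on the extension closes that gap.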

This is a relatively small-scale campaign being used to distribute the Koadic RAT, a post-exploitation framework used by penetration testers and red teams to take control of a system, and equally usable by attackers. According to Proofpoint, Koadic is popular with nation state-backed hacking groups in Russia, China, and Iran. Koadic allows attackers to take control of a computer, install and run programs, and steal sensitive personal and financial data.

Proofpoint has also intercepted several Coronavirus-themed phishing emails in the past few weeks that are being used to distribute a range of malware variants including the Emotet Trojan, AZORult information stealer, the AgentTesla keylogger, and the NanoCore RAT. Several campaigns have been identified that use fake DocuSign, Office 365, and Adobe websites for harvesting credentials.

Several coronavirus-themed phishing lures have been identified. Many claim to offer further information about local COVID-19 cases or claim to include important information to prevent infection. One campaign claimed there was a vaccine and a cure for COVID-19 and it was being withheld by the government. Some of the phishing emails are extremely well written and are highly convincing and impersonate authorities on COVID-19 such as the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC).

Researchers at Check Point have been tracking coronavirus-themed domains and report more than 4,000 new coronavirus-themed domains have been registered since January 2020. 5% of those domains are suspicious and 3% have been confirmed as malicious and are being used in phishing campaigns or for malware distribution.

“Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links,” explained Proofpoint. “If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”

The post Healthcare and Pharma Companies Targeted in HIV Test Phishing Campaign appeared first on HIPAA Journal.

New Report Reveals the Brands Most Impersonated by Phishers

A new report from Vade Secure has revealed the top 25 most impersonated brands in phishing attacks. The Q4, 2019 Phishers’ Favorite report confirmed PayPal is still the brand most commonly impersonated in phishing attacks, with 11,392 detected phishing URLs in Q4. This is the second successive quarter that PayPal has topped the list. PayPal phishing URL detections are up 23% year-over-year and new PayPal phishing URLs are now being detected at a rate of 124 a day.

There was an increase in phishing URL detections impersonating Facebook, which saw the social media giant leapfrog Microsoft (3rd) and Netflix (4th) into 2nd place. Facebook phishing URL detections are up 358.8% on Q4, 2018.

Microsoft may be in third place overall, but it is the most commonly impersonated brand in corporate phishing attacks. Microsoft now has more than 200 million active Office 365 business users and those users are targeted to gain access to their Office 365 credentials. Office 365 accounts can contain a wealth of sensitive information and can be used to conduct spear phishing attacks on partners and other employees within the organization.

One of the most notable changes in Q4 was a massive increase in phishing URLs impersonating WhatsApp, which saw the Facebook-owned instant messaging service jump 63 places to position 5. The 5,020 detected phishing URLs in Q4 represent a 13,467.6% increase compared to Q3, 2019.

The WhatsApp phishing URL detections were the main reason why the percentage share of phishing URLs for social media brands increased from 13.1% in Q3 to 24.1% in Q4. The top ten was rounded out with Bank of America in 6th position, followed by CIBC, Desjardins, Apple and Amazon. There was also a sizeable increase in phishing URLs impersonating Instagram, which saw 187.1% growth in Q4.

Organizations in the financial services were the most impersonated in Q4 for the second successive quarter. While phishers do impersonate big banks, Vade Secure notes phishers are now favoring smaller financial institutions, which may not have such robust security controls in place to detect brand impersonation.

Vade Secure says there was a significant increase in phishing attacks impersonating note-taking services such as OneNote and Evernote, along with increases in fake OneDrive and SharePoint notifications that lead to webpages hosting phishing kits.

The post New Report Reveals the Brands Most Impersonated by Phishers appeared first on HIPAA Journal.