Spam & Phishing News

Losses to Phishing Attacks Increased by 76% in 2022

Losses to phishing attacks increased by 76% last year, with almost one-third of companies losing money to successful phishing attacks according to Proofpoint’s recently published 2023 State of the Phish Report. In 2022, more than 4 out of 5 surveyed organizations experienced at least one successful phishing attack, with more than half of those organizations experiencing at least three successful phishing attacks. The data for the report came from a global survey of 7,500 working adults, 1,050 IT security professionals, and the results of more than 135 million simulated phishing emails over 12 months.

Phishing is one of the most commonly used initial access vectors in cyberattacks, often leading to costly account compromises, data breaches, and ransomware attacks. Phishing is usually associated with email, but 2022 saw a marked increase in telephone-oriented attack delivery (TOAD). These attacks typically involve emails urging the recipient to call a customer service hotline to resolve a security or account issue. The attackers run call centers – often in India – whose operators convince victims to install remote access software or malware, or instruct them to transfer money. Proofpoint says that during peak times more than 600,000 TOAD messages were sent per day last year, with message volume averaging between 300,000 and 400,000 per day. TOAD attacks have increased steadily since 2021 because the technique works. Since the initial contact occurs via email with no hyperlinks or attachments, email security solutions fail to quarantine or reject the messages, ensuring a high delivery rate.

In response to Microsoft disabling macros in Internet-delivered Office documents and the increasing adoption of multi-factor authentication, cyber threat actors have had to get more creative. They have developed new techniques for malware delivery, and phishing methods capable of bypassing MFA are being adopted at scale. Proofpoint reports an increase in MFA bypass by phishing-as-a-service providers, who now offer that capability in their off-the-shelf phishing kits. Rather than directing users to fake websites, these adversary-in-the-middle attacks present the legitimate website to the victim while capturing credentials together with MFA codes and session cookies, allowing access to accounts that are protected by MFA. These attacks were conducted at scale in 2022 and pose a significant threat to organizations of all sizes.

The phishing simulation data highlights continued problems in human defenses and a lack of security awareness among employees. Teaching security best practices and training employees to recognize threats such as phishing can significantly improve security posture. Yet while more organizations are investing in employee training, only 55% of organizations have a security awareness program that covers all employees, and despite the benefits of phishing simulations, only 35% of organizations use them as part of the training process.

Awareness of cyber threats is improving but there is still a long way to go. For instance, 44% of people think emails are safe if they contain familiar branding, and even basic cybersecurity concepts are still poorly understood. One-third of working adults were unable to define malware, phishing, and ransomware, and there has been little change in understanding since 2021. One-third of people took risky actions such as clicking links in emails, opening attachments, or downloading malware, and alarmingly, 63% of the adults surveyed thought links in emails always direct them to the matching website or brand. Poor password practices also persist. 28% of users admit to reusing passwords for multiple work-related accounts, 26% save work passwords in their browsers, 16% manually rotate 1-4 passwords, and only 18% of respondents use a password manager.

The majority of surveyed organizations said they have implemented at least some form of security awareness training, but many are struggling to make those programs effective. 27% of respondents said failure rates on phishing emails have largely remained unchanged, even after conducting security awareness training. That suggests more time and effort needs to be put into training, especially as 80% of organizations admitted to providing only 2 hours or less of training each year. The full findings and recommendations are available in the Proofpoint report.

The post Losses to Phishing Attacks Increased by 76% in 2022 appeared first on HIPAA Journal.

28% BEC Emails are Opened and 15% Get a Reply

Business Email Compromise scams are the biggest cause of losses to cybercrime. Over the past 5 years, more than $43 billion has been lost to the scams, according to the FBI’s Internet Crime Complaint Center (IC3). In its March 2022 report, the FBI said IC3 had received reports of $2.4 billion in losses to BEC attacks in the last year across almost 20,000 reported attacks, and attacks are continuing to increase. According to a new study by Abnormal Security, between H1 and H2 2022, there was an 81% increase in BEC attacks and a 147% increase in BEC attacks on small businesses over that same period. There are no signs of the attacks slowing, and in all likelihood, they will continue to increase.

BEC attacks target human weaknesses. The attackers use social engineering techniques to trick employees into making fraudulent wire transfers, changing bank account information for upcoming vendor payments, changing direct deposit information for employees, purchasing gift cards, and disclosing sensitive data. As with phishing attacks, fear and urgency are used to get employees to respond quickly without verifying the legitimacy of the request. These attacks typically use a compromised email account, or the sender address is spoofed so that a trusted individual is impersonated. Many employees open these emails and an alarming percentage reply and engage with the scammers.

Email-based attacks, such as BEC, phishing, extortion, scams, and malware continue to increase. According to Abnormal Security, email attack volume increased by 22% overall, rising from an average of 85.13 attacks per 1,000 mailboxes in H1 2022 to 104.04 attacks per 1,000 mailboxes in H2 2022. While the increase in attacks is a cause of concern, more worrying is the number of employees that engage with the attackers and fail to identify and report email threats.

Abnormal Security monitored the email environments of hundreds of organizations between July and December 2022 and found the median open rate for text-based BEC attacks was 28% and the average read rate was 20%. While opening and reading these emails does not necessarily mean that the employee will ultimately be fooled by the scam, on average, 15% of the malicious emails were replied to.

Abnormal Security reports that while only 0.28% of employees engaged with more than one attack, more than one-third of replies were initiated by employees who had previously engaged with a scammer in an earlier attack. This could indicate a lack of training in response to the first attack, or a failure by those employees to take their training on board. It is also possible that certain employees are targeted frequently due to their role in the organization, and the more BEC emails an individual receives, the greater the chance that they will eventually mistake an attack for a legitimate email request.

While employees in transportation were the most likely to reply to these attacks, the reply rates were also high in healthcare, which ranked third with a reply rate of 8.22%. Abnormal Security suggests the healthcare industry is particularly susceptible to these types of attacks, as the industry attracts people who have a strong desire to help others and there is often a high turnover rate in hospitals and large health systems, making it more likely that employees would not know their colleagues personally, which makes impersonation much easier.

The study also revealed an alarmingly low reporting rate for these emails. On average, only 2.1% of all known attacks are reported by employees to their security teams, and the majority of messages that are reported to the security team – 84% – are not malicious. The findings of the study highlight the importance of conducting ongoing security awareness training, with a strong emphasis on phishing and BEC attacks. Organizations should also consider conducting phishing and BEC attack simulations, as the data from these simulations indicate that this is one of the most effective ways of training. Organizations should make it as easy as possible for employees to report potential threats and reporting should be encouraged. A mail client add-on that allows single-click reporting of potentially malicious emails should be considered.

As Abnormal Security points out, even with training, employees are likely to make mistakes, so the best defense is to ensure that these malicious emails are blocked and do not land in inboxes, which means upgrading from a traditional email security solution to one that incorporates machine learning/AI algorithms capable of detecting small anomalies in email content.

“Because advanced email attacks like business email compromise and supply chain compromise exploit trusted email accounts and relationships, organizations need email security that can detect even small shifts in activity and content,” explained Abnormal Security in the report. “The most effective email security platforms baseline known-good behavior across employees and vendors, and then detect and remediate malicious emails in milliseconds to prevent end-user engagement.”


Feds Warn of Malicious Use of RMM Software in Callback Phishing Attacks

Cybercriminals are increasingly using legitimate remote monitoring and management (RMM) software in their attacks, according to a recent joint alert from the Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC).

The campaign was first identified in October 2022 and involves callback phishing. The emails used in this campaign are difficult for email security solutions to identify as malicious as they contain no malicious hyperlinks or attachments. The emails notify the recipient about an impending charge and a phone number is provided in the email for the user to call if they want to avoid the charge being applied.

The charges typically relate to a software solution that is coming to the end of a free trial. The user is told that the full price of the software will be charged to the user’s account if no action is taken. Due to the high cost of the software, there is a reasonably high chance that the number will be called. The call is answered and social engineering techniques are used to convince the user to navigate to a malicious domain and download software, which they are told is required to remove the software and prevent the charge. The software connects to a second-stage domain and downloads a portable version of legitimate remote access software such as AnyDesk and ScreenConnect. If executed, the software will connect to the attacker’s RMM server and provide the attacker with access to the user’s device.

The self-contained, portable versions of these remote access solutions do not require an installation, and as such do not require administrator privileges. Organizations may have security controls in place to prohibit the installation of this software on the network, but portable versions will bypass these security controls and will allow the attacker to access the user’s device as a local user. They can then move to other vulnerable machines within the local intranet or establish persistent access as a local user service. One of the main aims of these attacks is to trick users into logging into their bank accounts to initiate a refund scam. The attackers remain connected while the user accesses their bank account, and the user’s bank account summary is modified to make it appear that an excess amount of money has been refunded. The user is then told to refund the excess to the operator of the scam.

CISA conducted a retrospective analysis of the federal civilian executive branch (FCEB) intrusion detection system (IDS) based on third-party reporting and identified malicious activity on two FCEB networks that had been compromised using this technique. Further analysis identified malicious activity on many other FCEB networks, which the agencies were able to link to a broader financially motivated phishing campaign, related to a typosquatting campaign uncovered by Silent Push that spoofed Amazon, Microsoft, Geek Squad, McAfee, Norton, and PayPal domains. Initially, this campaign involved helpdesk-themed emails that directed users to a website spoofing one of these brands, then they started conducting callback phishing attacks. The campaign has been active since at least June 2022.

While this campaign leverages AnyDesk and ScreenConnect, other types of RMM software could be packaged into self-contained portable executables. These types of attacks are far easier to conduct than creating custom malware that provides remote access and distributing that malware in phishing emails. The federal agencies encourage all FCEB agencies and network defenders at other organizations to review the Indicators of Compromise (IOCs) and mitigations provided in the security alert to protect against the malicious use of RMM software.
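The alert's point about portable executables suggests a simple detection that complements application-control policies: a remote access client that the organization did not install should not be running from a user's Downloads or Temp folder. The following is an added example written for this page, not code from CISA, NSA or MS-ISAC. It scans constructed process-creation events (Sysmon event 1-like fields) and flags known RMM client binaries launched from user-writable paths, treating an installed copy under Program Files as informational only. The executable names are assumptions based on the products named in the alert and should be extended for the tools used in your environment.

```python
import re
from pathlib import PureWindowsPath

# Executable names for the RMM clients named in the alert (assumed; extend as needed).
RMM_IMAGES = {
    "anydesk.exe",
    "screenconnect.windowsclient.exe",
    "screenconnect.clientservice.exe",
}

# User-writable locations where a downloaded portable binary typically lands.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:downloads|desktop|documents|appdata\\local\\temp)"
    r"|windows\\temp)\\"
)

# A browser, file manager or archive tool as the parent points to a fresh download.
DOWNLOAD_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "explorer.exe", "7zfm.exe"}

# Constructed process-creation events for this example; not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2022-10-03T14:02:11", "host": "WS-0117", "user": "CORP\\alice",
     "image": r"C:\Users\alice\Downloads\AnyDesk.exe",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"time": "2022-10-03T14:05:40", "host": "WS-0117", "user": "CORP\\alice",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"time": "2022-10-03T15:30:02", "host": "HD-0002", "user": "CORP\\svc_helpdesk",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc123)\ScreenConnect.WindowsClient.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"time": "2022-10-03T16:12:57", "host": "WS-0342", "user": "CORP\\bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\support-client\ScreenConnect.WindowsClient.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
]


def classify(event):
    """Return None for non-RMM processes, otherwise a finding with a severity."""
    image = event["image"]
    name = PureWindowsPath(image).name.lower()
    if name not in RMM_IMAGES:
        return None
    parent = PureWindowsPath(event["parent_image"]).name.lower()
    portable = bool(USER_WRITABLE.match(image.lower()))
    if portable:
        # Portable copy: no installer ran, so installation controls never saw it.
        severity = "high" if parent in DOWNLOAD_PARENTS else "medium"
        reason = f"{name} launched from user-writable path by {parent}"
    else:
        severity = "info"
        reason = f"{name} running from an installed location; verify it is sanctioned"
    return {"host": event["host"], "user": event["user"], "image": image,
            "severity": severity, "reason": reason}


def scan(events, min_severity="medium"):
    """Return findings at or above min_severity, in event order."""
    order = {"info": 0, "medium": 1, "high": 2}
    return [f for f in map(classify, events)
            if f and order[f["severity"]] >= order[min_severity]]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS, "info"):
        print(finding["severity"].upper(), finding["host"], finding["user"], finding["reason"])
```

Run as-is it prints three lines: two high-severity portable launches and one informational installed client. In production the same logic belongs in the EDR or SIEM query language, with the RMM name list kept in step with the IOCs published in the alert.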


HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering

The Health Sector Cybersecurity Coordination Center has issued a warning about social engineering and voice phishing (vishing) attacks on the healthcare and public health (HPH) sector.

In cybersecurity terms, social engineering is the manipulation of individuals by malicious actors to further their own aims. It is a broad term that covers many different types of attacks, including phishing, spear phishing, whaling, baiting, vishing, callback phishing, SMS phishing (smishing), deepfake software, and business email compromise (BEC).

In phishing attacks, social engineering techniques are used to trick employees into disclosing sensitive information such as protected health information, handing over login credentials that allow the threat actor to gain a foothold in the network, or installing malware that provides remote access to devices and the networks to which they connect. These attacks may be conducted in mass campaigns or can be highly targeted, with the victims researched and lures crafted for specific individuals.

Phishing is one of the most common types of social engineering attacks, and it is the initial access vector in a large percentage of cyberattacks on the healthcare industry. The 2021 HIMSS Healthcare Cybersecurity Survey suggests phishing was involved in 45% of healthcare security incidents over the past 12 months, followed by ransomware attacks. Ransomware threat actors often use phishing to gain initial access to healthcare networks, and several groups associated with the Conti ransomware operation are now using callback phishing as one of the main ways to gain the access they need to conduct their attacks. Callback phishing was first used by the Ryuk ransomware gang in the BazarCall campaigns, where victims were tricked into installing BazarLoader malware that provided remote access to their networks. Ryuk rebranded as Conti, and three breakaway groups started using these callback phishing techniques again in March 2021.

Callback phishing is a hybrid form of phishing where initial contact is made via email and social engineering is used to trick people into calling the provided telephone number. The lure used in these attacks is often a warning about an impending invoice, subscription expiry, or the end of a free trial, with charges incurred if no action is taken. Initial contact is made via email, but no hyperlinks or email attachments are used; only a phone number is provided. Email security solutions often do not flag these emails as malicious and are unable to check whether a telephone number is malicious or legitimate.

According to cybersecurity firm Agari, phishing volumes increased by 6% from Q1 2022 to Q2 2022, whereas hybrid phishing attacks (including callback phishing) increased by 625%. According to the IBM Security X-Force team, in Q4 2021 phishing attacks accounted for 42% of attacks, up from 30% the previous quarter.

Vishing attacks are conducted exclusively over the telephone. In September 2020, threat actors impersonated a Michigan health system and called patients to steal their member numbers and PHI, with the caller ID spoofed to make it appear that the call originated from the health system.

Phishing and other types of social engineering attacks are a leading cause of healthcare data breaches and healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks abuse trust, and healthcare employees are naturally trusting and have a desire to help. People also want to look intelligent and not have to seek help. They also do not want to get in trouble so may not report falling for a scam. Healthcare environments are also busy with employees often under time pressure, leading to people taking shortcuts that can open the door to scammers.

Defending against social engineering can be a challenge since the attacks can occur via email, SMS, instant messaging services, social media networks, websites, and over the phone, and hybrid phishing attacks are unlikely to be detected by traditional cybersecurity solutions. The key to defending against these attacks is to implement multiple layers of defenses, update policies and procedures to close security gaps, and provide regular security awareness training to the workforce.

HC3 suggests the following steps to improve defenses against social engineering attacks:

Improving defenses against social engineering in healthcare. Source: HC3

To protect against hybrid phishing attacks, smishing, and vishing, security awareness training is key.

  • Regular security awareness training should be provided – multiple times a year. Consider modular CBT training courses to fit training into busy healthcare workflows
  • Keep employees abreast of the latest campaigns targeting the sector, including the latest health-related themes such as COVID-19 and Monkeypox
  • Instruct employees to confirm receipt of an email from a known sender via a trusted communication method or contact
  • Secure VoIP servers and look for evidence of existing compromise (such as web shells for persistence)
  • Block malicious domains and other indicators associated with campaigns
  • Consider switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification to mitigate MFA fatigue
  • Conduct phishing simulation exercises on the workforce, including hybrid phishing simulations

Further information:

HC3 Analyst Note – Vishing Attacks on the Rise

HC3 – Impact of Social Engineering on Healthcare Organizations


Ransomware Gangs Adopt Callback Phishing Techniques for Gaining Initial Network Access

Multiple ransomware groups have adopted the BazarCall callback phishing technique to gain initial access to victims’ networks, including threat actors that have targeted the healthcare sector.

BazarCall is a type of callback phishing, where organizations are targeted and sent ‘phishing’ emails that request a call to a telephone number to resolve an important issue. As with standard phishing campaigns, there is urgency – if no action is taken, there will be bad consequences. The telephone number provided is manned by the threat actor, who is well versed in social engineering techniques and will attempt to trick the caller into taking actions that will give the threat actor access to the victims’ network. That action could be to visit a malicious website or download a malicious file.

In the BazarCall campaign, the targeted individual is told in the email that a subscription or free trial is coming to an end and it will auto-renew at a cost. In order to cancel the subscription, the user must call the number provided. If the call is made, the threat actor will attempt to get the user to initiate a Zoho Remote Desktop Control session, which it is claimed is necessary to cancel the subscription. Zoho is legitimate business software; however, in this case, it is used for malicious purposes. While the user converses with the threat actor that answers the call, a second member of the team will use the remote access session to silently weaponize legitimate tools that can be used for an extensive compromise of the victim’s network.

BazarCall was first utilized by the Ryuk ransomware operation in 2020/2021. Ryuk was disbanded and reformed as Conti, and both were prolific ransomware-as-a-service operations. The campaigns were identified by security researchers at AdvIntel, who have tied the campaigns to three cybercriminal groups that broke away from the Conti ransomware operation before it shut down.

According to AdvIntel, BazarCall started to be used by the Conti ransomware gang in March 2022, and in April, a new ransomware group – Silent Ransom – broke away from the Conti operation and adopted the BazarCall technique for initial access. The technique was refined and a second threat group – Quantum – broke away from Conti and started using its own version of BazarCall. In June, a third group – Roy/Zeon – broke away from Conti and started using its own version of BazarCall.

Each threat group impersonates different companies in the initial emails, such as Duolingo, MasterClass, Oracle, HelloFresh, CrowdStrike, RemotePC, Standard Notes, and many more. The lures used vary but generally relate to an upcoming payment due to the end of a subscription or trial period, with the brands impersonated related to the industry being targeted.

AdvIntel says that while the Silent Ransom group was the first threat group to resurrect the BazarCall phishing tactic, seeing the success, efficiency, and targeting capabilities of the tactic, other threat groups have begun using the reversed phishing campaign as a base and developing the attack vector into their own. “This trend is likely to continue: As threat actors have realized the potentialities of weaponized social engineering tactics, it is likely that these phishing operations will only continue to become more elaborate, detailed, and difficult to parse from legitimate communications as time goes on,” warn the researchers.

Defending against callback phishing emails can be difficult due to the lack of malicious content in the initial phishing emails, which means they are unlikely to be flagged as malicious by email security solutions. The best defense to prevent the attacks is to ensure that callback phishing is covered in security awareness training and to include examples of callback phishing in internal phishing simulations.
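The point made here and in the HC3 and TOAD pieces above is that the lure has nothing for a link or attachment scanner to inspect. What such an email does have is a phone number standing in for the usual link, surrounded by billing and urgency language, and that combination can be scored on content alone. The following is an added example for this page, not a detector from any vendor or agency named above: a small heuristic that gives weight to a phone number appearing in a message with no URL and no attachment, then adds billing, urgency and call-to-action terms. The term lists, weights, threshold and the three sample messages are all constructed for the example and would need tuning against a real mail corpus.

```python
import re
from dataclasses import dataclass, field

# A North American phone number, with optional country code and common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]\d{4}\b")
URL_RE = re.compile(r"\b(?:https?://|www\.)\S+", re.IGNORECASE)

# Constructed term lists; weights are assigned in score_message().
BILLING_TERMS = ("subscription", "free trial", "auto-renew", "renewal", "invoice",
                 "will be charged", "payment", "refund")
URGENCY_TERMS = ("within 24 hours", "today", "immediately", "to avoid", "expires")
CALL_TERMS = ("call", "billing department", "customer support", "helpdesk", "cancel")

THRESHOLD = 6  # constructed; tune against your own mail


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self):
        return self.score >= THRESHOLD


def score_message(subject, body, has_attachment=False):
    """Score one message; a higher score is more like a callback phishing lure."""
    text = f"{subject}\n{body}".lower()
    verdict = Verdict(0)

    phones = PHONE_RE.findall(text)
    urls = URL_RE.findall(text)
    # Core signal: the only call to action in the message is a telephone number.
    if phones and not urls and not has_attachment:
        verdict.score += 3
        verdict.reasons.append(f"phone number {phones} but no URL or attachment")

    for label, terms, weight in (("billing", BILLING_TERMS, 2),
                                 ("urgency", URGENCY_TERMS, 2),
                                 ("call-to-action", CALL_TERMS, 1)):
        hits = [t for t in terms if t in text]
        if hits:
            verdict.score += weight
            verdict.reasons.append(f"{label} terms: {hits}")
    return verdict


# Constructed samples: (subject, body, has_attachment). Brand and numbers are fictional.
SAMPLES = {
    "callback_lure": (
        "Your Example Shield subscription renewal notice",
        "Your annual Example Shield Total Protection plan will auto-renew today and "
        "$399.99 will be charged to the card on file. To cancel or request a refund, "
        "call our billing department at (888) 555-0142 within 24 hours to avoid the charge.",
        False),
    "team_lunch": (
        "Team lunch Friday",
        "Lunch is at noon on Friday; the menu is at https://intranet.example/lunch. Reply to RSVP.",
        False),
    "appointment": (
        "Appointment reminder",
        "Your appointment is on March 3 at 10:00. To reschedule, call (219) 555-0123.",
        False),
}


def triage(samples):
    """Score every sample and return {name: Verdict}."""
    return {name: score_message(*args) for name, args in samples.items()}


if __name__ == "__main__":
    for name, v in triage(SAMPLES).items():
        print(f"{name}: score={v.score} suspicious={v.suspicious} {v.reasons}")
```

The appointment reminder shows why the phone-number signal alone is not enough: it has a number and no link, like the lure, but without billing and urgency language it stays under the threshold. A score like this is best used to route messages for user warning banners or analyst review rather than outright blocking, and to seed the hybrid phishing simulations the text recommends.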


Healthcare Providers Targeted in Evernote Phishing Campaign

A malicious phishing campaign has been identified that is targeting healthcare providers. The emails have an Evernote-themed lure to trick recipients into downloading a Trojan file that generates a login prompt to steal credentials.

The Health Sector Cybersecurity Coordination Center (HC3) has recently issued an alert about the campaign, which has targeted several healthcare providers in the United States. Malicious emails are sent to targeted organizations that contain a malicious link to an Evernote-themed website. The emails are personalized and the lures used in the phishing emails may vary; however, the emails seen by HC3 have the subject line “[Organization Name] [Date] Business Review” and have a Secure Message theme.


Evernote Phishing Campaign. Source: HC3

The link included in the email directs the user to the Evernote site, where they are prompted to download an HTML file – called message (3).html. The file includes JavaScript code that renders an Adobe or Microsoft-themed page that attempts to harvest Outlook, IONOS, AOL, or other credentials.

The credentials obtained in phishing campaigns such as this can give cyber threat actors access to email accounts, which can contain significant amounts of sensitive data, including protected health information. Compromised email accounts can be used to conduct phishing attacks internally and can give threat actors the foothold they need to conduct more extensive attacks on the organization. Many ransomware attacks start with phishing emails.

Protecting against phishing attacks requires a combination of measures, including email security solutions for blocking phishing emails, web filters for preventing access to malicious websites where malware is downloaded, and antivirus software for identifying Trojans and other malicious code. It is also important to provide regular security awareness training to the workforce on the risks of phishing and train employees on how to recognize phishing emails.

Further information on this phishing campaign, along with other recommended mitigations, can be found in the HC3 security alert.


The Methodist Hospitals Settles Class Action Data Breach Lawsuit for $425,000

The Methodist Hospitals Inc. has agreed to settle a class action lawsuit and has created a fund of $425,000 to cover claims from victims of a 2019 data breach that affected almost 70,000 current and former patients.

The Gary, IN-based healthcare provider reported an email security incident to the HHS’ Office for Civil Rights on April 4, 2019, that resulted in the exposure and potential theft of the protected health information of 68,039 patients. The investigation confirmed hackers gained access to two employee email accounts between March 13, 2019, and July 8, 2019, following responses to phishing emails and potentially exfiltrated patient information such as names, addresses, birth dates, Social Security numbers, driver’s license numbers, Medicare/Medicaid numbers, usernames, passwords, treatment and diagnosis information, and payment card information.

A lawsuit – Jones v. The Methodist Hospitals, Inc. – was filed in the Harris County District Court in Texas in the wake of the data breach that alleged The Methodist Hospitals was negligent for failing to adequately protect the protected health information of patients. Plaintiffs James Jones and Samantha L. Gordon, and members of the class allegedly suffered harm as a result of the data breach.

The Methodist Hospitals denied any wrongdoing and the OCR investigation was closed with no action taken; however, the decision was taken to settle the lawsuit to avoid further legal costs and the uncertainty of trial.

Under the terms of the settlement, eligible class members are entitled to submit a claim for two additional years of credit monitoring and identity theft resolution services, reimbursement for economic losses, and reimbursement for time lost due to the data breach. Claims for reimbursement of documented economic losses of up to $3,000 can be submitted and/or claims of up to $300 can be submitted for reimbursement of lost time. Final approval of the settlement was received on June 13, 2022. Claims must be submitted by October 6, 2022.


Over 10,000 Organizations Targeted in Ongoing MFA-Bypassing Phishing and BEC Campaign

Microsoft has warned of a large-scale phishing campaign targeting Office 365 credentials that bypasses multi-factor authentication (MFA). The campaign is ongoing and more than 10,000 organizations have been targeted by scammers in the past 10 months.

Microsoft reports that one of the phishing runs used emails with HTML file attachments, with the email telling the user about a Microsoft voicemail message that had been received. The HTML file had to be opened to download the message. The HTML file serves as a gatekeeper, ensuring the targeted user was arriving at the URL from a redirect from the original attachment.

The user is redirected to a website that hosts a popular open source phishing kit, which is used to harvest credentials. The user is told that they need to sign in to their Microsoft account to receive the voicemail message and that after signing in, an email will be sent to the user’s mailbox within an hour with the MP3 voicemail message attached. The user’s email address is auto-filled into the login window and the user only needs to enter their password.

This campaign is referred to as an adversary-in-the-middle (AiTM) phishing attack, as the phishing site sits between the targeted user and the genuine resource they are attempting to log into. Two different Transport Layer Security (TLS) sessions are used, one between the user and the attacker and another between the attacker and the genuine resource.

When credentials are entered on the attacker-controlled site, they are passed to the genuine resource. The response from the genuine resource is passed to the attacker, which is then relayed to the user. In addition to harvesting credentials, session cookies are stolen. The session cookie is injected into the browser to skip the authentication process, which still works even if multi-factor authentication is enabled. The phishing kit automates the entire process.

Source: Microsoft

Once the attacker has access to the user’s Office 365 email, the messages in the account are read to identify potential targets for the next phase of the attack. The attacker then sets up mailbox rules that mark certain messages as read and move them to the archive folder to prevent the user from detecting that their mailbox has been compromised. A business email compromise (BEC) scam is then conducted on the targets.

Message threads are hijacked, and the attacker inserts their own content to attempt to get the targeted individual to make a fraudulent wire transfer to an account under the control of the attacker. Since the emails are replies to previous communications, the recipient is likely to believe they are in a genuine conversation with the account owner, when they are only communicating with the attacker.

Microsoft said it takes as little as five minutes from the theft of credentials and session cookies for the first BEC email to be sent. With all replies to the request being automatically sent to the archive, the attacker can simply check the archive for any replies and does so every few hours. They are also able to identify any further potential targets to conduct BEC scams on. While the account compromise is automated, the BEC attacks appear to be conducted manually. Any emails sent or received are manually deleted from the archive folder and sent folder to avoid detection. BEC attacks such as this can involve fraudulent transfers of thousands or even millions of dollars.
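The mailbox rules described above are one of the few durable artifacts this attack leaves in the victim tenant, and rule creation is recorded in mailbox audit logs. The following is an added example for this page, not Microsoft's detection logic or code from the report. It evaluates constructed audit records in a simplified imitation of the Exchange Online mailbox-audit shape (an Operation name plus Parameters as Name/Value pairs) and flags rules that hide messages (mark as read, delete), stash them in folders users rarely look at, filter on payment-themed subjects, or carry a near-empty name. The folder and keyword lists are constructed and the records are not real data.

```python
# Folders that attackers use to park messages out of the victim's sight (constructed list).
HIDING_FOLDERS = {"archive", "rss subscriptions", "rss feeds", "conversation history",
                  "junk email", "deleted items"}
# Subject filter words that point at the BEC objective (constructed list).
PAYMENT_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach", "transfer"}

# Constructed audit records; the shape is a simplified imitation of Exchange Online
# mailbox-audit events and the values are not from any real tenant.
SAMPLE_AUDIT_LOG = [
    {"CreationTime": "2022-07-12T09:14:03", "UserId": "alice@example.com",
     "Operation": "New-InboxRule", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
                    {"Name": "MarkAsRead", "Value": "True"},
                    {"Name": "MoveToFolder", "Value": "Archive"}]},
    {"CreationTime": "2022-07-12T11:02:44", "UserId": "bob@example.com",
     "Operation": "New-InboxRule", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2022-07-12T13:47:19", "UserId": "carol@example.com",
     "Operation": "Set-InboxRule", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "Read receipts"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2022-07-12T13:50:00", "UserId": "carol@example.com",
     "Operation": "MailItemsAccessed", "ClientIP": "198.51.100.23", "Parameters": []},
]


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def evaluate_rule(record):
    """Return a finding for a suspicious inbox rule event, or None."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return None
    p = _params(record)
    reasons = []

    hides = p.get("MarkAsRead") == "True" or p.get("DeleteMessage") == "True"
    if hides:
        reasons.append("marks messages read or deletes them")

    folder = p.get("MoveToFolder", "").lower()
    stashes = folder in HIDING_FOLDERS
    if stashes:
        reasons.append(f"moves messages to '{folder}'")

    filters = (p.get("SubjectContainsWords", "") + ";" +
               p.get("SubjectOrBodyContainsWords", "")).lower()
    themed = any(w in filters.split(";") for w in PAYMENT_WORDS)
    if themed:
        reasons.append("filters on payment-themed words")

    name = p.get("Name", p.get("Identity", ""))
    if not name.strip(" .,-_"):
        reasons.append(f"near-empty rule name {name!r}")

    if not reasons:
        return None
    # Hiding plus either a stash folder or a payment theme is the BEC pattern.
    if hides and (stashes or themed):
        severity = "high"
    elif hides or (stashes and themed):
        severity = "medium"
    else:
        severity = "low"
    return {"user": record["UserId"], "time": record["CreationTime"],
            "client_ip": record.get("ClientIP"), "severity": severity, "reasons": reasons}


def scan(records):
    """Findings for every rule creation or change that shows at least one signal."""
    return [f for f in map(evaluate_rule, records) if f]


if __name__ == "__main__":
    for f in scan(SAMPLE_AUDIT_LOG):
        print(f["severity"].upper(), f["user"], f["time"], f["client_ip"], f["reasons"])
```

Alice's rule hits every signal and is the pattern the article describes; Carol's mark-as-read rule is worth a look but may be benign, and Bob's newsletter rule produces nothing. The client IP is carried through because, with the session-cookie replay described above, the rule is created from the attacker's address rather than the victim's usual one, which is a second pivot for the sign-in monitoring Microsoft recommends.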

Defending against these attacks requires advanced email security solutions that scan inbound and outbound emails and can also block access to malicious websites – an email security solution and a DNS filter for instance. Microsoft also recommends implementing conditional access policies that restrict account access to specific devices or IP addresses. Microsoft also recommends continuously monitoring emails for suspicious or anomalous activities, such as sign-in attempts with suspicious characteristics.

With respect to the MFA bypass, Microsoft stresses that while AiTM attacks can bypass MFA, MFA remains an important security measure and is effective at blocking many threats. Microsoft suggests making MFA implementations “phish-resistant” by using solutions that support Fast ID Online (FIDO) v2.0 and certificate-based authentication.


Warning Issued About Phishing Campaigns Involving Legitimate Email Marketing Platforms

A recent data breach at the email marketing platform vendor Mailchimp has prompted a warning from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center (HC3) about the risk of phishing attacks using the platform.

The breach came to light when the cryptocurrency hardware wallet provider, Trezor, investigated a phishing campaign targeting its customers that used the email addresses registered to Trezor accounts, which uncovered a data breach at Mailchimp.

Mailchimp’s investigation confirmed that threat actors had successfully compromised internal accounts of its customer support and account administration teams, and while those accounts have now been secured, the attackers were able to gain access to the accounts of 300 Mailchimp users and were able to extract audience data from 102 of those accounts. API keys were also obtained by the attackers that allow them to create email campaigns for use in phishing attacks without having to access customer portals.

Since accounts used by Mailchimp customers to send marketing campaigns such as newsletters may be whitelisted by subscribers, any phishing campaigns conducted using the compromised accounts may see the emails delivered to inboxes. HC3 says it is only aware of one phishing campaign being conducted using a compromised account, which targeted users in the cryptocurrency and financial sectors, but there is a risk that campaigns could also be conducted targeting users in the healthcare and public health (HPH) sector.

HC3 has recommended organizations in the HPH sector take steps to mitigate the threat. HC3 says the best defense is user awareness training since phishing emails will come from a legitimate and trusted sender. Employees should be made aware of the threat and be instructed to be wary of any emails sent via Mailchimp. While phishing emails could be sent, malware may also be delivered. Antivirus software should be implemented, network intrusion prevention systems are beneficial, and HC3 also suggests using web filters to restrict access to web content that is not necessary for business operations.

Anti-spoofing and other email authentication mechanisms are also recommended. These include performing validity checks of the sender domain using SPF, checking the integrity of messages using DKIM, and checking to make sure the sender is authorized to use the domain using DMARC.
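Worth making concrete is what each of these checks actually verifies, because it explains why HC3 leads with user awareness rather than authentication for this threat. The following is an added example for this page, not HC3's or Mailchimp's code: it reads the Authentication-Results header a receiving mail server adds, parses the sending domain's DMARC record, and applies DMARC's alignment rule (SPF or DKIM must pass for a domain that matches the visible From domain). Both messages, the DMARC record and all domain names are constructed placeholders, and organizational-domain matching is simplified to the last two labels where a real implementation would consult the Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record for the (placeholder) sender domain hospital.example.
DMARC_RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@hospital.example"

# Newsletter sent legitimately through a marketing platform: the envelope sender is the
# platform's bounce domain (SPF passes but is not aligned) while the DKIM signature is
# the hospital's own (aligned), so DMARC passes via DKIM.
NEWSLETTER = """\
From: Example Hospital News <news@hospital.example>
To: staff@clinic.example
Subject: Monthly newsletter
Authentication-Results: mx.clinic.example;
 spf=pass smtp.mailfrom=bounce.mailplatform.example;
 dkim=pass header.d=hospital.example header.s=k1

This month's updates.
"""

# Lookalike sent from unrelated infrastructure with the hospital's address in From:
# SPF and DKIM both pass, but for the sender's own domain, so neither is aligned.
SPOOFED = """\
From: Example Hospital Billing <billing@hospital.example>
To: staff@clinic.example
Subject: Statement
Authentication-Results: mx.clinic.example;
 spf=pass smtp.mailfrom=bounce.bulk-sender.example;
 dkim=pass header.d=bulk-sender.example header.s=sel1

Body text.
"""


def parse_auth_results(value):
    """Parse 'authserv-id; method=result prop=val ...; ...' into {method: props}."""
    results = {}
    segments = [s.strip() for s in value.replace("\n", " ").split(";") if s.strip()]
    for segment in segments[1:]:  # segments[0] is the authserv-id
        tokens = segment.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result.lower()
        results[method.lower()] = props
    return results


def parse_dmarc_record(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        key, sep, val = part.partition("=")
        if sep:
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain):
    # Simplification: last two labels. Real code uses the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(raw_message, dmarc_record):
    """Apply the DMARC pass rule to one message given the From domain's DMARC record."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    ar = parse_auth_results(msg["Authentication-Results"])
    policy = parse_dmarc_record(dmarc_record)

    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_domain = spf.get("smtp.mailfrom", "").rsplit("@", 1)[-1]
    dkim_domain = dkim.get("header.d", "")
    spf_aligned = spf.get("result") == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_aligned = dkim.get("result") == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    dmarc_pass = spf_aligned or dkim_aligned
    return {
        "from_domain": from_domain,
        "spf_result": spf.get("result"), "spf_aligned": spf_aligned,
        "dkim_result": dkim.get("result"), "dkim_aligned": dkim_aligned,
        "dmarc_pass": dmarc_pass,
        "disposition": "deliver" if dmarc_pass else policy.get("p", "none"),
    }


if __name__ == "__main__":
    for label, raw in (("newsletter", NEWSLETTER), ("spoofed", SPOOFED)):
        print(label, evaluate(raw, DMARC_RECORD))
```

The spoofed message fails because neither passing identifier belongs to the From domain, and the p=reject policy tells the receiver to drop it. The important caveat for the Mailchimp scenario is that a campaign sent through a compromised marketing-platform account, using the customer's own authorized bounce domain and DKIM key, produces exactly the same result as the newsletter: SPF, DKIM and DMARC confirm that the domain authorized the platform to send, not that the account owner intended this message. That is why the alert puts user awareness first.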
