Tuesday, March 17, 2020

Amidst All the Health Scares in the News Currently, Scammers Now Use False Health Reports to Steal Individuals Data



As we all know, the current news climate is wrought with scary stories and many, many individuals are worried about potential threats from the Covid-19 infection among other things.

As I’ve written before, the best way to break into systems is not through the systems themselves, but through the human beings that are gatekeepers of those systems.  The human being is  always the weakest link in the security chain.  That’s not because people lack intelligence, no, it’s because they can be convinced to give things up in order to help another human being.  The other way to coerce people is to apply some type of psychological pressure… a feeling of impending doom if they do not immediately do something.  When we are under stress and reacting while in a panic we often do not make the best choices.  That’s a scientific fact.

Scammers are taking advantage of this by using the current climate of fear mingled with healthcare to try and create panic in individuals who will then click links they wouldn’t if they were in a rational state of mind.  Basically the hackers use fake HIV test results to get individuals and employees to click links.

The smart people at security company Proofpoint have determined the following:


Healthcare concerns drive us to do a lot of things like change our diet, work out more, and take medication. But they should never lead us to fall victim to phishing campaign. Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links.
In the latest example, Proofpoint researchers observed cybercriminals impersonating Vanderbilt University Medical Center and sending out fake HIV test result emails that attempted to lure recipients into opening malicious content embedded into the message. This low volume campaign had top targeted industries: global insurance, healthcare, and pharmaceutical organizations, but others were targeted as well. This attack leveraged Koadic RAT, if successful and Koadic is installed, attackers can run programs and access victims’ data, including sensitive personal and financial information.
Campaign Overview
This campaign was a small attack in which the emails claim to come from “Vanderbit [SIC] Medical” and have the subject line “Test result of medical analysis”. The body of the email encourages recipients to open a malicious Microsoft Excel attachment titled “TestResults.xlsb” and claims that the recipient’s HIV results are contained within it. Figure 1 shows a sample below.
Figure 1 Email with Malicious Excel Attachment Claiming HIV Results
If the recipient opens the attachment, the Excel document opens and prompts the user to enable macros as shown in Figure 2.
Figure 2 Malicious Excel Document Prompting to Enable Macros
If the recipient enables macros, the document then downloads Koadic. Originally Koadic was intended as a tool for network defenders and allows the actor to take complete control over a user’s system. In recent years it has been used by a variety of nation state actors, including both Chinese and Russian state-sponsored groups, as well as attackers associated with Iran.
This latest campaign serves as a reminder that health-related lures didn’t start and won’t stop with the recent Coronavirus-themed lures we observed. They are a constant tactic as attackers recognize the utility of the health-related “scare factor.” We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information. Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person. If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.

No comments:

Post a Comment