Hackers Seeking to Harvest Credentials, Commit Business Email Compromise Scams
Scammers are taking advantage of the monkeypox virus outbreak to launch phishing campaigns targeting healthcare providers, the U.S. government says.
See Also: Healthcare Sector Threat Brief
The campaign email has a subject line purporting the email contains important information about monkeypox and contains a PDF attachment with a link to a purportedly secure document download. In actuality, the download is an attempt to harvest email credentials, warns the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center.
The Centers for Disease Control and Prevention reports that nearly 25,000 Americans have come down with the pathogen, which causes symptoms similar to smallpox.
The White House in August created a monkeypox response team headed by Robert Fenton, a regional administrator at the Federal Emergency Management Agency. The outbreak has almost exclusively affected the LGBTQ community. Members of the response team told reporters Thursday their goal is to fully eradicate the disease.
A phishing campaign is an expected side effect of any pressing current event, says Brett Callow, a threat analyst at security firm Emsisoft.
“Bad actors invariably use current events as phishing bait, so it’s not at all surprising that providers are receiving monkeypox-themed phish. Credentials harvested by phishing schemes can be used as a launchpad for other attacks and scams, including ransomware and business email compromise,” he says.
Cybercriminals behind the phishing campaign may have compromised legitimate email accounts to make the emails appear legitimate, HC3 says.
Anyone who clicks on the link contained in the initial PDF attachment is taken to a Lark Docs website, purportedly to make a secure download. Lark Suite is an online collaboration platform developed by Chinese tech company ByteDance and made available to the public in 2019. Clicking on the secure download link triggers an interstitial web page that asks the user to sign in with Microsoft Office 365 or other email credentials.
“Unfortunately, some employees invariably do lose their credentials to phish, so it’s important providers plan for this,” Callow says.
HHS HC3 in August also issued an alert warning of a “marked rise” in social engineering and voice phishing attacks on healthcare and public sector entities and urged organizations to take steps to avoid falling victim (see: HHS HC3 Warns of Vishing and Other Social Engineering Scams).
Threat actors choose social engineering themes from current events that elicit high levels of interest or anxiety, such as natural disasters, wars, acts of terrorism or mass violence, celebrity deaths, and disease outbreaks, says Paul Prudhomme, a former Department of Defense threat analyst who is head of threat intelligence advisory at security firm Rapid7.
“The monkeypox theme of these attacks is a classic example of this tactic, as well as the widespread use of COVID-19 themes during the past 2.5 years,” he says.
An awareness of this use of sensational themes is important to organizations in any industry, but the use of disease themes is of particular relevance to healthcare organizations, he adds.
“Healthcare employees may be more likely to fall for these social engineering attacks because the themes are more relevant to their work,” Prudhomme says.
Brian Read, director of cyberespionage analysis at security firm Mandiant, also warns that it is common for one cybercriminal group to sell credentials stolen in social engineering and phishing schemes to another cybercriminal group.
“The purchasing group could conduct business email compromise, ransomware or other operations,” Read says.