Ongoing Targeted Attacks Continue to Plague Healthcare
Posted by AToro on 12 September 2014 01:30 PM
Websense® ThreatSeeker® Intelligence Cloud has detected a phishing campaign that targets the healthcare sector, especially hospitals, phishing for Outlook credentials. This campaign is part of an ongoing trend of campaigns phishing for credentials of users from the healthcare sector (for example, the CHS breach), along with a trend of phishing for corporate Outlook credentials.
Gaining access to corporate Outlook credentials allows attackers to get a foothold in the victim's organization. This foothold allows them to search for other high-value targets, and then send internal, legitimate-seeming emails to extract additional information and get access to strategic infrastructure or data. It also allows attackers to leverage the good reputation the compromised accounts might have to attack their contacts at other organizations.
Healthcare organizations, and hospitals in particular, have a wealth of patient records that are very valuable to cyber criminals, as discussed here.
Websense customers are protected from this threat by ACE, our Advanced Classification Engine, at the following stages:
The Lure Email
The phishing email seen below, with the title "Your Mailbox account closure." is sent to users, enticing them to click on a link.
The campaign is highly targeted. ThreatSeeker telemetry shows Websense Cloud Email Security blocked a few hundred of these messages, all targeting a US healthcare organizations, between 9/12/2014, 6:19:34 AM PDT and 9/12/2014, 7:13:10 AM PDT.
Reviewing the email path, it appears that compromised accounts were used to send this campaign. This suggests that the actors behind the campaign try to spread laterally from one infected organization to another, taking advantage of the reputation of affected organizations. It is especially interesting since the compromised account is also a healthcare provider, which is likely to already have a good reputation in the victim's email protection systems. This helps to bypass any reputation-based defense.
The Phishing Page
If the user follows the link, he or she is led to webauthlineoutlweb.url.ph, where a legitimate-looking Outlook login page is presented and used to steal credentials.
A high-level look at the top 5 threats hosted on subdomains of "URL.PH" suggests it has become more popular in the last few months. Looking into the threats served by websites with the "URL.PH" top-level domain (TLD), we can see a diverse set of threats including Zeus and Citadel, as well as other types.
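Because the lure arrives from a compromised account with a good reputation, a content-side check is the useful complement to reputation filtering. The following is an added example, not Websense code: it scores a message on its subject and on links into subdomains of the shared-hosting parent named above. The hint list, the subject pattern and the two sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Parent domain named in the post; its subdomains belong to unrelated users.
SHARED_HOSTING_PARENTS = {"url.ph"}
# Assumed hint list: fragments that make a hostname read like a mail login.
MAIL_HINTS = ("outl", "owa", "webmail", "webauth", "mailbox")
# Assumed pattern modelled on the lure subject quoted in the post.
LURE_SUBJECT = re.compile(r"mailbox\b.*\b(closure|deactivat|suspen)", re.I)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)

def link_hosts(msg):
    """Lower-cased hostnames of every http(s) link in the text parts."""
    hosts = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        body = part.get_payload(decode=True).decode("utf-8", "replace")
        for url in URL_RE.findall(body):
            host = urlsplit(url).hostname
            if host:
                hosts.append(host.rstrip(".").lower())
    return hosts

def score_message(raw):
    """Return (score, reasons) from content only, ignoring sender reputation."""
    msg = message_from_string(raw)
    reasons = []
    if LURE_SUBJECT.search(msg.get("Subject", "")):
        reasons.append("lure-subject")
    for host in link_hosts(msg):
        parent = next((p for p in SHARED_HOSTING_PARENTS
                       if host.endswith("." + p)), None)
        if parent is None:
            continue
        reasons.append("shared-hosting-link:" + host)
        if any(h in host[: -len(parent) - 1] for h in MAIL_HINTS):
            reasons.append("mail-login-lookalike:" + host)
    return len(reasons), reasons

# Constructed sample messages (addresses are placeholders, not from the post).
LURE = ("From: billing@clinic.example\nSubject: Your Mailbox account closure.\n"
        "\nYour mailbox will close. Verify: http://webauthlineoutlweb.url.ph/\n")
BENIGN = ("From: it@hospital.example\nSubject: Mailbox migration schedule\n"
          "\nDetails: https://mail.hospital.example/owa\n")

if __name__ == "__main__":
    for name, raw in (("lure", LURE), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The substring hints are deliberately loose, so a score should feed triage or a quarantine threshold rather than block mail on its own.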
Websense® Security Labs™ will continue to monitor this campaign, and will update the blog as new information is gathered.
Contributors: Abel Toro, Ran Mosessco, Elad Sharf
New Phishing Research: 5 Most Dangerous Email Subjects, Top 10 Hosting Countries
Posted by Elisabeth Olsen on 11 December 2013 10:33 PM
With cloud infrastructure easily scalable and rented botnets coming on the cheap, the cost of conducting massive phishing campaigns continues to decline for cybercriminals. Even if the return rate is small or the campaign is poorly executed, phishing can result in serious money for criminals. Phishing will never simply go away—meaning ongoing headaches for security professionals.
Top 10 Countries Hosting Phishing
To shed some light on how targeted attacks and user education awareness are evolving, Websense Security Labs researchers investigated current phishing trends. We found that the percentage of phishing attempts within all email traffic dropped to 0.5 percent in 2013 (down from 1.12 percent in 2012). This may sound like good news, but certainly does not mean the coast is clear for businesses.
Today’s phishing campaigns are lower in volume but much more targeted. Cybercriminals aren’t simply throwing millions of emails over the fence. They are instead targeting their attack strategies with sophisticated techniques and integrating social engineering tactics. Scammers use social networks to conduct their recon and research their prey. Once the intelligence is harvested, they use that information to carefully construct email lures and yield maximum success.
In addition to social engineering, geographic location also plays an intricate role in phishing. By rank, here’s a list of the top 10 countries hosting phishing URLs: (Based on research conducted 1/1/13-9/30/13)
2. United States
4. United Kingdom
8. Hong Kong
Some interesting points about this list:
• China and Hong Kong made their debuts this year, having never before been included in our lists
• The UK moved up from the number six spot
• The U.S. dropped out of the number one spot, for the first time in a long, long time
• Russia moved up from the number 10 spot
• Egypt and the Bahamas have disappeared from the list, after recent appearances
Five Most Dangerous Subject Lines
As you can see, where you are in the world can influence how much your organization is at risk. However, geographic location is only one piece of the puzzle for detecting and stopping unwanted emails. How the emails are titled also plays a significant role in the success of a phishing campaign.
To further investigate, our security researchers took a closer look and determined that the top five subject lines in worldwide phishing emails are the following: (Based on research conducted 1/1/13-9/30/13)
1. Invitation to connect on LinkedIn
2. Mail delivery failed: returning message to sender
3. Dear <insert bank name here> Customer
4. Comunicazione importante
5. Undelivered Mail Returned to Sender
The list above portrays how cybercriminals are attempting to fool recipients into clicking a malicious link or downloading an infected file by using business-focused and legitimate-looking subject lines. Scammers will use any means necessary to increase the likelihood of an inspire-to-click campaign.
Phishing Security Tips and Infographic
To combat phishing attacks, be sure to adequately prepare yourself with a security solution that can expose advanced threats and alert your security team in real time. You can protect your organization by implementing web, data, email and sandboxing security solutions that share crucial intelligence to analyze potentially malicious content in real time. Promoting and adhering to these tips can significantly decrease your organization’s chances of becoming a victim of a phishing campaign. Click here for a webcast on “Defending Against Today’s Targeted Phishing Attacks.” Below is also the Websense Security Labs infographic on this research:
How has your organization tackled the ominous and ever-present phish? Please feel free to drop us a line below. We would be happy to answer any question(s) you might have.