ipopba - stock.adobe.com

Pharmacy, Hospital Phishing Attacks Spike 189% Amid Vaccine Rollout

A new report sheds light on the tactics leveraged by hackers amid the COVID-19 pandemic and the latest phishing schemes against hospitals and pharma spurred by the vaccine rollout.

The number of phishing attacks targeting pharmacies and hospitals increased by 189 percent from December 2020 to February. These often large-scale campaigns correlated to hackers attempting to capitalize on the vaccine rollout, according to a new report from PaloAlto Unit42.

During that same time period, researchers observed a whopping 530 percent increase in vaccine-related phishing attacks. Microsoft was the brand most targeted by attackers, with researchers observing fake Microsoft pages set up by attackers to steal credentials.

In these attacks, threat actors set up fake websites that claim to represent pharma companies, such as Pfizer and BioNTech. Users are then asked to log in with their Office365 credentials to allegedly sign up for the vaccine.

These phishing attacks increasingly used a common technique called client-side cloaking, where the website first asks the user to click the login-button to then put in credentials, rather than asking the user to input their information up front.

The method is designed to evade automated, crawler-based phishing detection tools.

In terms of targeted entities, Unit42 researchers found that organizations involved with the production and distribution of the vaccine are potentially high-value targets for hackers, given the time-sensitive and confidential data in their possession.

Much of the observed attacks against these entities were part of larger phishing campaigns that leveraged several different URL types to various employees within the same targeted organization to increase the likelihood that at least one employee will inadvertently provide the attacker with their user credentials.

As such, a campaign will involve all entities connected within the organization’s umbrella, like Walgreens and its related hospital. These campaigns targeted healthcare-related entities on a global level, not just in the US.

Some example attacks include the targeting of US-based Walgreens, Pharmascience in Canada, India’s Glenmark Pharmaceutical, and a Chinese Bioscience firm. Researchers noted that in some campaigns, it appeared hackers were attempting to breach the supply chain.

Unit42 also detected legitimate pharmaceutical companies being compromised by hackers for phishing purposes. An example attack included the compromise of pharmalicensing[.com], where hackers took over the legitimate webpage to steal users’ business credentials.

“These sorts of attacks can be particularly dangerous, as the legitimacy of the original website may trick users into incorrectly thinking that the phishing page is also legitimate,” researchers noted.

“We predict that as the vaccine rollout continues, phishing attacks related to vaccine distribution – including attacks targeting the healthcare and life sciences industries – will continue to rise worldwide,” they added.

The causation between cyberattacks and the pandemic have been well-documented throughout the national crisis. Unsurprisingly, as the world moved to respond to the emergency, hackers used COVID-19-related themes in their attacks to prey on human fears.

The Unit42 report provides a deep-dive into these tactics, as well as the current threat landscape brought on by those attempting to register for vaccinations and the healthcare teams working to provide care to patients.

It comes on the heels of a Proofpoint report that showed hackers have been relentless in their abuse of the pandemic and healthcare’s response, with a two month-rise in attacks leveraging COVID-19 vaccine themes.

Additionally, Unit42 analyzed the set of all phishing URLs detected globally between January 2020 and February 2021, generating specific keyword sets indicating each COVID-19-related topic. 

Keyword matching was applied to each to determine the phishing URL related to each topic. Researchers also spot-checked the resulting URLs, then refined the keywords and phrases to minimize the chance of false positives.

The data confirmed that hackers changed tactics along each step of the pandemic response to maintain urgency and likelihood of success. Researchers noticed that when hackers leveraged COVID-19 themes, it resulted in the constant creation of new websites to host phishing campaigns.

Many COVID-19 phishing pages are hosted on newly created sites, which researchers explained suggests the attackers purposefully set up the sites just several days before launching the campaign.

“This gives the attackers the opportunity to craft the message surrounding the attack, as well as the website URL itself -- to fit the latest pandemic trends,” researchers explained.

In light of recent reports detailing the rise of spear-phishing attacks, entities should review recommendations provided by Unit42 to prevent an exploit through these attack methods, including enforcing multi-factor authentication on all business-related logins. Previous Microsoft data found that MFA blocks 99.9 percent of all automated cyberattacks.

Entities should also routinely back up enterprise data and ensure it’s air-gapped. Security awareness training will also help to improve employees skills for identifying fraudulent emails. Europol’s spear-phishing guidance can also shed light on needed tactics and techniques to defend against these attacks, as well as needed security tools to harden security measures.

Next Steps

Dig Deeper on Cybersecurity strategies