Getty Images
Health Departments, State Govts. At Risk of COVID-19 Spoofing, Fraud
Proofpoint found most state governments and health departments lack the strictest and recommended DMARC protection and authentication, exposing them to COVID-19 spoofing and fraud attempts.
Forty-four percent of state health departments and state governments do not have a published Domain-based Message Authentication, Reporting & Conformance (DMARC), making these entities much more susceptible to domain spoofing and email fraud attempts, according to new Proofpoint research.
Throughout the crisis, researchers and federal agencies have all highlighted a spike in cybercrime and attacks tied to COVID-19. These threats range from Virtual Private Networks (VPNs) and videoconferencing platforms like Zoom, to email fraud and spoofing attempts.
In light of these attacks, Proofpoint researchers analyzed the email authentication practices of both state governments and public health departments, as these entities work on the frontlines the COVID-19 pandemic and must have frequent contact with their constituents on the progression of the crisis.
The analysis found state governments and their health departments are lacking crucial authentication best practices, which has “unknowingly exposed” these entities to cybercriminals looking to capitalize on the pandemic.
In fact, Proofpoint found 88 percent of state health departments and 92 percent of all state governments have not implemented the strictest and recommended DMARC protection.
DMARC is an email validation protocol used to protect domain names from criminal misuse. The tool authenticates the identity of the sender before a message is allowed to reach its intended designation, while verifying that the sender’s domain has not been impersonated.
It relies on established DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards, which ensures the email is not spoofing a trusted domain.
Specifically, these entities lack a setting and policy called “Reject,” which actually blocks fraudulent emails from reaching an intended target. In total, 10 states do not have a standalone health department site, separate from the master .gov site.
Public health departments share similar issues with the health sector: fewer security staff and minimal resources. These challenges were brought to light in a state hearing that followed a serious cyberattack on the Minnesota Department of Human Services, which revealed these agencies are constantly bombarded by phishing campaigns but lack the resources to effectively manage these risks.
In the last few years, these issues have been fueled by a host of massive cyberattacks on a range of state and local governments, including the city of Baltimore, more than 22 Texas towns, and Louisiana, just to name a few. As COVID-19 has fueled more targeted attacks, these issues will only increase.
In the most recent example, hackers infected the website of the Champaign-Urbana Public Health District in Illinois with NetWalker ransomware, as the agency worked to respond to the pandemic.
“State governments and health departments are in constant contact with constituents as they share updates around the progression of the virus and statewide shelter-in-place orders and other measures,” researchers wrote.
“At the same time, cybercriminals are carefully following each new COVID-19 development and launching attacks that are social engineering at scale based on fear,” they added. “They know people are looking for information around this out of concern for their safety and are more likely to click on potentially malicious links or download attachments.”
To date, Proofpoint has identified more than 300 COVID-19-related scams in more than 500,000 messages, 300,000 malicious URLs, and 200,000 malicious attachments. The findings mirror earlier reports from security researchers and federal agencies, which revealed healthcare has been a prime target throughout the pandemic.
Domain spoofing is a common tool used by hackers to pose as trusted entities, which takes advantage of vulnerabilities in email protocols to send messages that appear as legitimate addresses, Proofpoint explained. Spoofing makes it difficult for everyday users to identify fake senders.
“It is critically important that the communication methods used by each state is secure,” researchers warned. “Effective security requires a people-centric approach that caters to the most attacked and vulnerable individuals.”
“We recommend implementing robust email defenses and inbound threat blocking capabilities (including deploying DMARC email authentication protocols), combined with cybersecurity awareness programs that train users to spot and report malicious emails,” they concluded.
Healthcare entities can also review resources from the Healthcare and Public Health Sector Coordinating Council (HSCC) to better understand how to protect healthcare trade secrets and medical research data.