
Cybercriminals Targeting US Providers with COVID-19 Phishing Attacks

The FBI is warning medical providers that cybercriminals are targeting the healthcare sector with email phishing attacks that exploit fear about the COVID-19 pandemic.

Cybercriminals are again tailoring their attack methods to take advantage of fears stemming from the COVID-19 pandemic, targeting medical providers with directed email phishing attacks, according to an FBI flash alert.

Security researchers, the Department of Homeland Security, and other federal agencies have continued to warn that hackers are not letting the pandemic thwart their criminal activities.

Instead, they’re taking advantage of the increased remote work and the crisis to launch double extortion ransomware, hijack videoconferencing, target Virtual Private Networks (VPNs), and ramp up business email compromise schemes and fraud attempts.

The latest FBI alert reminds healthcare providers of the increase in malicious cyber activity. Hackers are leveraging email subject lines and content related to the virus, specifically targeting medical providers. The phishing campaign distributes malicious attachments, including Microsoft Word documents, ZIP files, Java files, and others. The attacks originate from both domestic and foreign IP addresses.

Medical providers first began detecting the phishing campaign on March 18: all emails contained subjects tied to the pandemic and malicious attachments.

“The capabilities of these malicious attachments are unknown, but they would have likely created an initial intrusion vector to enable follow-on system exploitation, persistence, and exfiltration,” according to the alert.

The subjects ranged from purchase orders and returned mail to COVID-19 updates and business contingency alerts on COVID-19. There are also messages imitating the World Health Organization, a tactic the Office for Civil Rights warned about in early March.

The FBI recommends healthcare organizations encourage and train users to be wary of emails with unsolicited attachments, even if they think they know the sender. As noted in recent campaigns, hackers will often leverage social engineering, such as spoofing the email address, in healthcare cyberattacks to take advantage of human nature.

Enterprise software must be kept up to date, which includes applying software patches on a timely basis. Hackers are already successfully exploiting unpatched VPNs. Further, suspicious emails should never be opened, even if the enterprise antivirus software indicates the message is safe.

“Attackers are constantly releasing new viruses, and the antivirus software might not have the signature,” the FBI warned. “Save and scan any attachments before opening them. Turn off the option to automatically download attachments.”

Alternatively, organizations may consider creating a second user account with restricted privileges to be used for email, as some viruses need administrator privileges to infect the victim’s computer. Organizations should also ensure they’ve bolstered their security practices, including filtering “certain types of attachments through your email software or a firewall.”

The FBI is urging all healthcare providers to document any suspicious activity and report it to the FBI’s Cyber Watch (CyWatch), especially providers that suspect they’ve been targeted by a phishing campaign. The agency will need a copy of the email with the full email header and a copy of the attachments.

Providers are urged not to open the attachments unless they have the capability to safely do so in a controlled manner. Further, all logs, images of infected devices, and memory captures of affected equipment should be retained to assist the FBI with its response.
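The attachment-type filtering and the evidence the FBI asks for (full header plus attachments) can be combined in one triage step that never opens the attachment. The following is an added example, not code from the FBI alert or this article; the function names, the blocked-extension list (chosen from the file types the alert names) and the sample message are assumptions constructed for illustration.

```python
import hashlib
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumption: extensions picked to match the file types the alert names
# (Word, ZIP, Java); adjust the set to local policy.
BLOCKED_EXT = {".doc", ".docm", ".docx", ".zip", ".jar", ".jnlp"}
# Content signatures catch attachments renamed to slip past an extension filter.
MAGIC = {b"PK\x03\x04": "zip container (zip/docx/jar)",
         b"\xd0\xcf\x11\xe0": "OLE2 document (legacy Word)"}

def triage(raw: bytes) -> dict:
    """Inspect a raw RFC 5322 message without opening or executing attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        ext = os.path.splitext(name)[1].lower()
        if ext in BLOCKED_EXT:
            reasons.append(f"blocked extension {ext}")
        for sig, label in MAGIC.items():
            if data.startswith(sig):
                reasons.append(f"content is {label}")
        # The hash identifies the sample in a report without anyone opening it.
        findings.append({"filename": name,
                         "sha256": hashlib.sha256(data).hexdigest(),
                         "reasons": reasons})
    return {"quarantine": any(f["reasons"] for f in findings),
            "headers": [(k, str(v)) for k, v in msg.items()],  # full header for the report
            "attachments": findings}

def build_sample() -> bytes:
    """Constructed sample: a ZIP payload renamed to .pdf, plus a harmless text file."""
    m = EmailMessage()
    m["From"] = "updates@example.org"
    m["To"] = "clinic@example.com"
    m["Subject"] = "COVID-19 business contingency alert"
    m.set_content("See attached.")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename="update.pdf")
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

The renamed ZIP is flagged by its content signature even though its `.pdf` extension is not on the blocked list, which is the gap an extension-only filter leaves open.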
