An Unprecedented Phishing Pandemic: Attackers Take Aim at Vulnerable Healthcare Providers and Patients
As if Covid-19 wasn’t enough of a crisis, the number of cyber attacks on frontline healthcare responders has surged at the same time as the global pandemic – trending upwards almost entirely in line with case numbers.
This destructive force has caused massive disruption and has put the lives of both patients and professionals at even greater risk. So why would critical services be preyed on at a time like this?
It can only be assumed that where there is fear, uncertainty, urgency and panic, there also exists a lucrative opportunity for cyber criminals and those who wish to bring even more chaos to the world.
In this article we will explore:
- THE HEALTHCARE INDUSTRY VICTIMS
The WHO, hospitals, solidarity funds and patients are under attack.
- THE PHISHING EXPLOSION
Impersonation attacks compete with Covid-19 for the fastest growing pandemic of 2020.
- SOUND THE ALARM!
Interpol, the FBI, the CyberPeace Institute, Nobel Laureates, and even Archbishop Emeritus Desmond Tutu, shout warnings and pleas for serious intervention from governments.
- HOW VULNERABLE IS THE SA HEALTHCARE SECTOR?
Sendmarc conducts a study into 219 hospitals, clinics and laboratories.
- IS THERE A CURE?
How to test for domain vulnerability and stop impersonation attacks in your ecosystem before they occur.
Since the start of the Covid-19 global pandemic, the world has experienced a significant increase in the number of cyberattacks.
In March 2020, global security vendor Barracuda reported that phishing emails had spiked by over 600% since February, as cyber-criminals looked to capitalise on the fear and uncertainty generated by the virus. One-third of these attacks used impersonation of a known brand as a tactic to steal money and data, and deliver malware to victims.
Antivirus company Avast echoed this sentiment, with CISO Jaya Baloo confirming an increase in phishing, impersonation and ransomware attacks targeting hospitals and healthcare providers since the beginning of the pandemic. “We have blocked over 1,3 million phishing attacks misusing the COVID-19 crisis between January and May of 2020,” says Baloo. “Healthcare providers perform critical operations and hold vital patient information, which makes them attractive targets for threat actors.”
In the US in April, an FBI official also confirmed that there has been a spike in cybercrime since the pandemic began. Deputy Assistant Director Tonya Ugoretz said that the number of reports of cybercrime the bureau has received has quadrupled compared to the early months of 2020.
“There was this brief shining moment when we hoped that, you know, ‘gosh, cybercriminals are human beings too,’ and maybe they would think that targeting or taking advantage of this pandemic for personal profit might be beyond the pale,” says Ugoretz. “Sadly that has not been the case.”
Ugoretz stated that criminals have targeted everything from setting up fraudulent internet domains and charities, to fraudulent loans, to promising delivery of masks and other PPE equipment. “So pretty much, sadly, anything you can think of,” she says. “Cyber-criminals are quite creative.”
When comparing the number of phishing attacks and Covid-19 infections globally, it becomes evident that the rate of growth in phishing attacks correlates almost perfectly with the rate of increase in Covid-19 infections. The relationship between these two crises is illustrated in the graph below:
Phishing Attacks vs. Covid-19 Cases
The threat of cyber-attacks has become so significant against healthcare institutions that in May, the Geneva-based CyberPeace Institute wrote a plea to governments to protect healthcare institutions from cyber-attacks. Among the signatories were eight Nobel laureates, including Archbishop Emeritus Desmond Tutu.
“These actions have endangered human lives by impairing the ability of these critical institutions to function, slowing down the distribution of essential supplies and information, and disrupting the delivery of care to patients,” the Institute wrote in a public statement.
“With hundreds of thousands of people already perished and millions infected around the world, medical care is more important than ever. For now and for the future, governments should assert in unequivocal terms: cyber operations against healthcare facilities are unlawful and unacceptable.”
In April, Interpol also issued a statement warning hospitals and governments that cybercriminals are using ransomware to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and systems until a ransom is paid.
Example 1: The WHO
The first example of this crisis in action is the organisation playing arguably the largest role in dealing with the Covid-19 pandemic: the World Health Organisation. Since the pandemic began in early March, the WHO has reported a fivefold increase in the number of cyber-attacks compared to the same period last year. These attacks were directed at both the organisation’s staff and the public at large.
Towards the end of April, the WHO reported that around 450 staff email addresses and passwords were leaked, along with thousands belonging to others working on the virus response.
Around the same time, there was an increase in scammers targeting the general public via email, posing as the WHO and asking them to donate to a fictitious fund rather than the authentic COVID-19 Solidarity Response Fund.
Example 2: University Hospital Brno, Czech Republic
Besides large organisations like the WHO, another main target of malicious cyber attacks is hospitals, which are currently processing larger amounts of personal data as a result of widespread Covid-19 testing.
In March, as infections began to surge, the University Hospital Brno – the Czech Republic’s second-largest hospital – fell victim to a major cyberattack, forcing it to cancel all planned operations and divert acute patients to other nearby hospitals.
It was believed that the hospital’s IT infrastructure became encrypted with ransomware most likely originating from a fraudulent email.
Petr Špiřík, a Prague-based cyber-incident responder with PricewaterhouseCoopers, said the incident was part of a broader pattern of cyberattacks on a vulnerable sector.
“The root cause for this rising level of successful attacks against our hospital sector is the overall underfunding in the IT security infrastructure,” Špiřík said.
Example 3: Life Hospital Group, South Africa
Closer to home, South Africa’s Life Hospital Group suffered a cyber attack in June that affected its admissions systems, business processing systems and email servers. While the attack did not affect patient care, it did result in administrative delays as hospitals in the group were forced to switch over to manual processing systems.
Since the attack was widespread, IT experts like Dominic White, CEO of cyber-security firm SensePost, think that it was most likely the result of a ransomware attack. “Ransomware is pretty opportunistic and, because of the pressure on hospitals, attackers are guessing people will pay to make it go away quickly,” says White.
As these attacks increase, South Africa’s already stretched healthcare system faces even more pressure. This sentiment was echoed by Life Healthcare acting group CEO Pieter van der Westhuizen. “We are deeply disappointed and saddened that criminals would attack our facilities during such a time when we are all working tirelessly and collectively to fight the COVID-19 pandemic,” he said of the incident.
Is there a cure?
As part of their advice for preventing these attacks on healthcare providers, Interpol advises staff not to open emails from untrusted sources, nor to click links in emails they were not expecting to receive.
In recent years, criminals have become so sophisticated that they are becoming experts at impersonating genuine emails – so it becomes very difficult for the user to decide what is safe and what is dangerous.
It’s clear that the key to dealing with these kinds of cyberattacks is to leverage technology as much as possible before expecting an employee to make a decision about a particular email.
One of the most effective ways to do this is to make sure that domains are DMARC compliant.
What is DMARC and why is it a critical component in the fight against cybercrime?
In their 2016 Phishing Susceptibility Report, US security software company Cofense found that 91% of cybercrime starts with a phish. These attacks are launched against staff, customers, patients, students, or any other vulnerable target. The aim is to steal information and money, or to deploy a virus or ransomware.
As a first step, domain owners should know their domain safety score. Less than 3/5 requires action!
DMARC is a global cyber security standard that was designed to stop a cybercriminal from being able to impersonate your corporate email addresses and thereby commit attacks known as spoofing and phishing.
“To help people determine the vulnerability of their domain name, we’ve come up with a free DMARC Safety Score tool,” says Sacha Matulovich, Sendmarc CSO and co-founder. “The tool allows you to input your domain, and a resulting score of less than four out of five means you should ask your IT provider to help you become DMARC compliant.”
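To make the idea of a DMARC-compliant domain concrete, the following Python code is an added example (it is not Sendmarc's Safety Score tool or its scoring method, which the article does not describe). It parses the DMARC TXT records a domain publishes and reports whether they actually instruct receiving mail servers to block spoofed mail. The .example domains, the sample records and the status labels are constructed for illustration; in practice the input would be the TXT records found at _dmarc.<domain>.

```python
# Added example: classify DMARC TXT records by how much spoofing protection they give.
# Tag rules follow RFC 7489; the status labels are this example's own wording.
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Return the record's tags as a dict, or None if it is not a DMARC record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # The version tag must come first and must be exactly DMARC1.
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags.setdefault(name.strip().lower(), value.strip())
    return tags

def assess(txt_records):
    """Return (status, reason) for the TXT strings found at _dmarc.<domain>."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if not records:
        return "unprotected", "no DMARC record published"
    if len(records) > 1:
        return "unprotected", "multiple DMARC records, so receivers apply none"
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return "unprotected", "missing or invalid p= tag, nothing is blocked"
    if policy == "none":
        return "monitoring", "p=none reports spoofed mail but does not block it"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100  # an unparseable pct is ignored
    if pct < 100:
        return "partial", f"p={policy} applied to only {pct}% of failing mail"
    return "enforced", f"p={policy} applied to all failing mail"

# Constructed sample data: .example domains and records invented for this example.
SAMPLES = {
    "clinic.example": ["v=spf1 -all"],  # only a non-DMARC TXT record
    "hospital.example": ["v=DMARC1; p=none; rua=mailto:dmarc@hospital.example"],
    "lab.example": ["v=DMARC1; p=quarantine; pct=25"],
    "fund.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@fund.example"],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        status, reason = assess(records)
        print(f"{domain:18} {status:12} {reason}")
```

An "enforced" result only shows that a blocking policy is published; the domain's legitimate mail must also pass SPF or DKIM alignment before that policy is safe to run.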
So how vulnerable are South African healthcare institution domains? Sendmarc recently conducted research into 219 domains used for email by hospitals, clinics, laboratories, treatment and medical practitioners, to evaluate how secure their domains were.
This is illustrated in the graph below.
Healthcare Domain Analysis
Out of the domains analysed, almost all of them scored three or below on the Sendmarc Safety Score, meaning their domains are very easy to impersonate and they’re heavily at risk of a phishing attack.
It’s therefore clear that South Africa’s healthcare sector seems woefully ill-equipped to deal with this increase in cyber attacks.
In response, Sendmarc will launch a new programme that aims to help a wide cross-section of frontline responders – from hospitals and clinics to laboratories and ambulance services – become DMARC compliant. The programme will be launched in mid-September when all the details will be made available.
“Our goal is to help relieve the strain, confusion and threat of loss from healthcare providers who may be vulnerable to cyber attacks at a time when cyber security is the last thing on their minds,” says Matulovich.