Beware Phishing Attempts to Thwart Your IT Security
Help prevent the damage that a criminal data attack can have on a healthcare organization.
Often, when talking about information technology (IT) security, you hear responses such as, “It’ll never happen to us,” or “I’m too small to be a target.” The truth is, viruses, spyware, malware, phishing, hacking, phreaking, social engineering, data loss, improper access, etc., are equal opportunity offenders. Any individual or organization is a potential target.
To demonstrate that small and medium businesses are not immune from security threats, I spoke with Kevin Slonka, Sc.D., senior systems engineer at Precision Business Solutions and professor of Computer Science, about conducting a case study in which we “phish” our clients.
Phishing is an email attack in which the attacker masquerades as a trusted source sending fraudulent emails to elicit personal information from the recipients and gain access of their digital life. There are many examples of phishing emails, which include:
- An infected UPS shipment notification with attached PDF (often during the Christmas season);
- A PayPal or bank “account security concern” that requests you to click a link, which takes you to an infected webpage or site to further illicit login credentials;
- A Nigerian prince wishing to send you money by asking you for banking information; or
- A relative who is stuck in another country and needs you to wire money for airfare to return home.
The goal of our project with Slonka was to attack our clients in a way that anyone could attack them: using readily available information found on the internet.
Step 1: Trusted Source
Although we could have used a local financial institution as our trusted source, we decided to phish as ourselves (after all, we didn’t want FBI knocking on the door). Slonka and I built a legitimate digital presence using the domain precisionbs.tech. This domain was purchased from GoDaddy, a reputable domain registrar. We set up website hosting, an SSL Security Certificate, and Office 365 email hosting, which provides a fully legitimate domain, secure website, and trusted email hosting. Upon checkout, we also selected private registration, so no one was able to look up the true owner of the domain.
Although my credit card could have been traced back to me during an investigation, if I was a criminal phisher, a stolen credit card would have been used for these transactions.
Step 2: The Ask (Email)
Our case study involved tracking two primary actions: the number of clients who clicked on the infected link, and the number of clients who provided their account credentials.
The email was sent using a variation of a widely known email address that clients frequently see and use, email@example.com, and it appeared to be sent from myself. As shown in Figure 1, it’s very hard to tell this was a fraudulent email.
We included a call to action in bolded red, further enticing the recipient to click the link and provide their account credentials in hopes of winning the $100 gift card.
Often, anti-spam software and systems are in place to block phishing and spam. The difficulty in preventing emails such as the one in Figure 1 is that they are technically legitimate. Precisionbs.tech is a valid domain, using a valid email provider. Our emails were timed to be sent every few seconds (randomized between five and 10) to further prevent detection by anti-spam systems.
Step 3: Fraudulent Website
The precisionbs.com website was mirrored and a fraudulent precisionbs.tech webpage was created: www.precisionbs.tech/reg.php. As shown in Figure 2, the webpage looks identical to a page you’d see on precisionbs.com.
Results Reveal Security Weaknesses
The objective was to study the results and use them to enhance security awareness and training materials for our clients. The website was developed so that no account credentials were transmitted to the website or collected (even though they technically would have been encrypted). The goal of this study was only to locate security weaknesses.
Of the 1,198 targets (individuals emailed), the phishing website — which could have contained malware or other infectious code — had 493 interactions (clicks on the email link, clicks on website links, and form submissions). Of those 493 interactions, 152 completed the form, in which sensitive account credentials were requested.
Healthcare clients accounted for 385 of the target emails, of which 164 individuals clicked the phishing link and 49 individuals submitted their account credentials.
Discussion and Thoughts
Some may argue the results are high due to Precision Business Solutions being an IT provider, but I feel I could obtain equally high results if I were criminally phishing for information. Not all phishing attempts are as easily spotted as the email from the Nigerian prince.
IT providers are excellent examples of organizations to impersonate because, unlike banks, individuals seem to drop their guard when it’s IT. We’ve had a technician walk into the wrong office building and ask the receptionist where the firewall was because he had a new firewall to install to fix the company’s internet issues (who doesn’t want faster internet?). He was allowed in and sat down at a computer, only to figure out after a few minutes he was at the wrong location.
Imagine the damage that could have been done with those 49 individuals’ account credentials. Aside from the financial gains that could have been realized by downloading and selling patients’ account, billing, and insurance information, what if the attacker decided to do harm?
If a physician’s credentials were compromised, and patients’ medications altered, an attacker could literally kill a patient.
If your credentials allow remote connectivity, the attacker now has access to your network, which most likely has a number of networked medical devices connected to it that care for patients. Unfortunately, a challenge in healthcare is to keep those computer systems updated and patched, leaving them vulnerable to attacks that could compromise patient safety.
If you’re a small practitioner who works closely with a local hospital, you’re a prime target, as your credentials grant you access into the larger healthcare system.
Security Awareness and Training
Security awareness and training is the process of educating employees on computer security and proper computing practices. Example topics include:
- Guarding against, detecting, and reporting malicious software;
- Monitoring log-in attempts and reporting discrepancies;
- Creating, changing, and safeguarding passwords;
- Using safe browsing practices; and
- Email security.
Although employee security awareness and training is important for all businesses, it’s a requirement for healthcare.
Here are a few tips to help you identify phishing emails:
- Domain names – Pay particular attention to non-standard domain names. Most organizations are still using .com and .org (or .edu and .gov). Pay close attention to email using an alternate domain (e.g., .net, .co, .tech, .info, etc.).
- Attachments – Any email you receive with an attachment should warrant additional review, especially when it comes unexpectedly or from someone unfamiliar to you. If you’re not sure if an email is legitimate or from a trusted sender, you can always confirm it by replying to the sender before opening it. My rule of thumb is typically to delete suspicious emails.
- Holiday or fundraising scams – You’ll notice an uptick of phishing attempts around the holidays, often with infected attachments (e.g., UPS/FedEx shipment notifications or fake receipts). Be wary of emails you receive supporting a cause, such as the mass shootings in Orlando this past summer, which triggered fraudulent donation requests. Thieves have no moral issues in how they exploit people.
- Personal information or passwords – Take caution when you receive an email requesting personal information or anything to do with your password. If a service you use asks you to change your password, don’t click the link; manually go to the website and login to change your password.
- Change passwords regularly – When you’re required to change your password at work, use that as a reminder to change your password on personal accounts, such as online banking, personal email accounts, etc. Often when passwords are compromised, it takes time to use that information, and by changing your password regularly, that compromised information becomes useless.
Consider Cyber Insurance
Did you know that cyber insurance is not always included in a general liability policy, and often is an exclusion? Check with your insurance provider to ensure you have adequate cyber insurance coverage. Cyber insurance is recommended for anyone who accesses, stores, or maintains any personally identifiable information or protected healthcare information.
For more information, please visit the following sites:
www.PhishingOurClients.com – Additional information on this study, including the official case study.
https://precisionbs.com/security-awareness/ – Publically available security awareness and training videos, which may be used to further educate staff on relevant IT security information.
Brian Shrift, CISSP, HCISPP, is president of Precision Business Solutions.
Kevin Slonka, Sc.D., is a senior systems engineer at Precision Business Solutions and head of the Computer Science program at Pennsylvania Highlands Community College. His primary research area is information security, with recent studies on social networking scams and phishing.