New Phishing Campaign Targets Health, Pharma with HIV Test Results

Proofpoint researchers observed hackers targeting healthcare, pharma, and insurance companies with a new phishing campaign that sends out fake HIV test results as an emotional lure.

By Jessica Davis

Proofpoint researchers have spotted a new phishing campaign in the wild in which hackers send insurance, healthcare, and pharma companies false HIV test results in malicious emails, hoping to provoke an emotional response from victims.

Proofpoint discovered cybercriminals impersonating Vanderbilt University Medical Center to send potential victims fake HIV test results in emails embedded with malicious content. Notably, the attackers misspelled the health center name as “Vanderbit.”

The emails carry the subject line “Test result of medical analysis,” while the body encourages the recipient to open a Microsoft Excel attachment titled “TestResults.xlsb.” The message claims the recipient’s HIV test results are included. When the malicious document is opened, the user is prompted to enable macros, after which the malware is downloaded.
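The two traits described above, a sender name one letter off from a real institution and a macro-capable Excel attachment, can be checked at mail triage. The following is an added example, not Proofpoint's detection logic: the protected-name list, the extension set, the function names and the sample message are all assumptions constructed for illustration.

```python
import os
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumptions of this example (not from the report): which names to protect
# and which Excel extensions count as macro-capable.
PROTECTED_NAMES = ["vanderbilt"]
MACRO_CAPABLE = {".xlsb", ".xlsm", ".xls"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(text):
    """Words one edit away from a protected name (the exact name is fine)."""
    words = set(re.findall(r"[a-z]{5,}", text.lower()))
    return sorted(w for w in words for n in PROTECTED_NAMES
                  if edit_distance(w, n) == 1)

def triage(raw):
    """Return the lookalike names and macro-capable attachments in a message."""
    msg = message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = " ".join([str(msg["From"]), str(msg["Subject"]),
                     body.get_content() if body else ""])
    risky = [p.get_filename() for p in msg.iter_attachments()
             if os.path.splitext(p.get_filename() or "")[1].lower() in MACRO_CAPABLE]
    return {"lookalike_names": lookalikes(text), "macro_attachments": risky}

def build_sample(sender="Vanderbit Medical", filename="TestResults.xlsb"):
    """Constructed message modelled on the lure above; the payload is dummy bytes."""
    m = EmailMessage()
    m["From"] = f"{sender} <results@example.test>"
    m["To"] = "user@example.test"
    m["Subject"] = "Test result of medical analysis"
    m.set_content("Your test results are attached.")
    m.add_attachment(b"placeholder, not a workbook", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(triage(build_sample()))
```

Either signal alone is weak; a message that trips both is a reasonable candidate for quarantine or analyst review.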

“Threat actors regularly use purported health information in their phishing lures because it evokes an emotional response that is particularly effective in tricking potential victims to open malicious attachments or click malicious links,” Proofpoint Senior Director of Threat Research and Detection Sherrod DeGrippo wrote.

While it is a low-volume campaign, its victims are top targets from the global insurance and healthcare sectors, along with targets in other sectors. The phishing attack leverages the Koadic RAT malware variant, which, once installed, can allow hackers to run programs on a victim’s system and access its data, such as personal and financial information.

DeGrippo explained that Koadic was first intended as a tool for network defenders that allows an actor to take control over a user’s system. But it’s since been used by nation-state actors from China, Iran, and Russia.

“[Health-related lures] are a constant tactic as attackers recognize the utility of the health-related ‘scare factor,’” DeGrippo wrote. “We encourage users to treat health-related emails with caution, especially those that claim to have sensitive health-related information.”

“Sensitive health-related information is typically safely transmitted using secured messaging portals, over the phone, or in-person,” she added. “If you receive an email that claims to have sensitive health-related information, don’t open the attachments. Instead, visit your medical provider’s patient portal directly, call your doctor, or make an appointment to directly confirm any medical diagnosis or test results.”

Proofpoint also recently warned that hackers are using the coronavirus as a lure in phishing campaigns that deliver several known malware variants, including Emotet.

Campaigns that exploit human emotion have steadily increased in recent years, as hackers continue to hone the sophistication of their attacks. An earlier Proofpoint report showed hackers are increasingly targeting the healthcare sector with sophisticated phishing emails, rather than vulnerable infrastructure.

Meanwhile, Google researchers revealed that the success of phishing stems from its targeted and ever-evolving nature, as well as human nature.

Fortunately, industry stakeholders have found employee security education and training around phishing can drastically reduce the risk these emails pose. Microsoft published insights into these types of targeted spear-phishing campaigns, which healthcare organizations can leverage to shore up their defenses.