Hackers using fake HIV test results, coronavirus emails to target healthcare companies


Cybercriminals are using fake HIV test results and coronavirus conspiracy theories to break into the computer systems of healthcare companies.

Researchers at enterprise security company Proofpoint found evidence that hackers were impersonating a top U.S. medical center and sending out fake HIV test result emails. The aim was to lure recipients into opening malicious content embedded in the message.

Workers in insurance, healthcare and pharmaceutical companies worldwide were all targeted in these attacks, according to a Proofpoint blog post.

The Koadic malware used in the attacks gives hackers access to a computer and the victim's data, including sensitive personal and financial information.

This campaign is emblematic of the low-volume, highly social-engineered attacks now dominating the landscape, according to Proofpoint. Last year, the company saw a 300% jump in imposter email attacks on healthcare targets.

Cybersecurity researchers also have seen the emergence of phishing emails using coronavirus content.

Recent cyberattacks are leveraging conspiracy theory-based fears around purported unreleased cures for coronavirus and campaigns that abuse perceived legitimate sources of health information to manipulate users, according to Proofpoint.

In these phishing emails, attackers use malware that can steal personal information, including financial information. Researchers have observed coronavirus-themed emails that link to Office 365, Adobe and DocuSign sites meant to steal credentials.

There have been dedicated attacks against construction, education, energy, healthcare, industry, manufacturing, retail and transportation companies.

Hackers seem to be evolving their messaging in line with the global response. As many companies are asking employees to work from home, the hackers send emails that claim to be from company executives or HR departments. 

"Attackers are also subverting internal businesses’ credibility in their attacks. We have seen a campaign that uses a coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees," Proofpoint researchers wrote.

Geographically, in addition to previous targeting against Japan and the U.S., researchers are also seeing attacks focusing on Australia and Italy, the latter with Italian-language lures.

Security analysts from Kaspersky also found phishing emails purporting to come from the Centers for Disease Control and Prevention (CDC) with coronavirus information.

The letters claim that the CDC has “established a management system to coordinate a domestic and international public health response” and urge recipients to open a page that allegedly contains information about new cases of infection around their city. The link appears to point to the legitimate CDC website: cdc.gov.
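A defender-side check for the lure described above, as an added example that is not from the article, Proofpoint or Kaspersky: it flags links in an HTML email whose visible text names one domain while the href resolves to another host. It assumes the underlying href differed from the displayed cdc.gov address, which the article implies but does not state; the sample body and the example.net hosts are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# First domain-looking token in the visible link text, e.g. "www.cdc.gov".
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def host_matches(host, shown):
    """True if the href host is the displayed domain or a subdomain of it."""
    host, shown = host.lower().rstrip("."), shown.lower()
    if shown.startswith("www."):
        shown = shown[4:]
    return host == shown or host.endswith("." + shown)

class LinkAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.href, self.text, self.findings = None, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.href, self.text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self.href is not None:
            self.text.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        shown = "".join(self.text).strip()
        host = urlparse(self.href).hostname or ""
        m = DOMAIN_RE.search(shown)
        # Flag only links whose text names a domain the href does not belong to.
        if m and host and not host_matches(host, m.group(1)):
            self.findings.append((shown, m.group(1).lower(), host))
        self.href = None

def mismatched_links(html_body):
    """Return (visible text, displayed domain, real host) per mismatched link."""
    parser = LinkAudit()
    parser.feed(html_body)
    parser.close()
    return parser.findings

# Constructed sample body; the example.net hosts are placeholders.
SAMPLE = """
<p>New cases near you: <a href="https://cdc-gov.example.net/cases">https://www.cdc.gov/coronavirus/cases</a></p>
<p>Guidance: <a href="https://www.cdc.gov/coronavirus">cdc.gov</a></p>
<p>Updates: <a href="https://cdc.gov.example.net/">cdc.gov</a></p>
"""
```

Calling `mismatched_links(SAMPLE)` reports the first and third links and passes the second, which really goes to www.cdc.gov; the third shows why the comparison is on the end of the hostname rather than a substring match.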

Healthcare targeted by email attacks

Healthcare organizations are increasingly targeted by email attacks.

A recent survey from cybersecurity firm Mimecast and the Health Information Management and Systems Society found that 90% of organizations experienced email-borne attacks in the past year, with 25% suffering from very or extremely disruptive attacks.

Impersonation of trusted vendors or partners via email was the most common cause of disruption (61%), followed by credential harvesting-focused phishing attacks (57%) and data leaks or threats initiated by cybercriminals stealing users’ log-in credentials (35%).

Phishing emails, when successful, can be significantly disruptive. Nearly three-quarters (72%) of respondents experienced downtime as a result of an attack, according to the Mimecast survey.

Productivity was the most common type of loss (55%), followed by data (34%) and financial (17%).

Healthcare organizations are taking steps to bulk up their cyber defenses with significant investments in cybersecurity technologies.

The survey found that 80% of organizations have implemented firewalls/next-generation firewalls, 79% have implemented email security systems and 78% have data backup and recovery solutions.

"Many organizations have been investing in people and technology and general improvements in security, but the attackers have industrialized, specialized, and accelerated their abilities as well," said Matthew Gardiner, director of enterprise security marketing at Mimecast.

"So, while organizations have improved their defenses, threats have continued to as well, making it very difficult for organizations to sufficiently protect themselves."

IT professionals should focus on creating business processes that can shield them from attacks, optimizing security tools and delivering effective staff education, according to Mimecast.
