We Bring the Cloud to Healthcare

Four Phishing Tactics to Watch Out For

October 17, 2022

Four Phishing Tactics to Watch Out For

By now, most healthcare organizations perform cybersecurity awareness training, and their staff is on the lookout for phishing emails. Cyber attackers are getting more savvy, however, and are coming up with phishing techniques that are more difficult to recognize. Below are some examples of these tactics and tips on how to spot them.

Four Phishing Tactics Savvy Attackers are Using to Trick Users into Responding

1. Callback Phishing Attacks

Callback phishing involves email campaigns that reference a high-priced subscription that the recipient never subscribed to, leading them to think they have been the victim of identity theft/fraud. There’s a phone number in the email to call for help.

Once the person calls the phone number, attackers pretend to help victims. However, they are launching the ransomware attack by seemingly walking the victim through steps to cancel the subscription.

The “specialist” on the phone appears helpful, even telling the victim that the email was likely “spam,” and offers additional technical support to ensure they weren’t compromised. But unfortunately, the actions the hackers recommend are the actual steps that carry out the attack.

Check out this article on bleepingcomputer.com for more details and see an example of this type of phishing email. This is a useful training tool for your teams.

Takeaway: Always look up the actual company’s phone number and call the company directly when you suspect fraud.

2. Sending Ransomware via Calendar Meeting Invites

Based on our intelligence, there is a significant increase in phishing attacks where malicious actors send meeting invitations to their victims. The invite may include an attachment, and the title of the meeting may appear to be familiar.

Use extreme caution before you accept any Microsoft Teams or other meeting invitations from any external email, including client or partner email addresses. You should delete any invite your feel is suspicious for any reason. For example, if the invite comes from a client, partner, colleague, or a name you recognize, yet you feel it is suspicious or out of character, you should delete the invite and then contact that person to see if they really sent you an invitation. Under no circumstances should you accept, decline, set a tentative response, reply, or open the attachment, as this is the action that will kick off the ransomware.

Takeaway: Be diligent about scrutinizing every email, even meeting notices, and don’t click anything if you think it’s suspicious.

3. Bring Your Own Vulnerable Device Exploits – Finding legitimate ways to enter a system and then executing the exploit

Cyber attackers use legitimate systems and system tools to exploit known vulnerabilities to access systems. This is a prime example of attackers getting very savvy. They find existing, known vulnerabilities (all they have to do is read industry reports) and use that as their access point.

For example, one group used a known driver security issue to enter a system. It shut down the other security measures of the drivers, allowing them to move around freely, and therefore impact thousands of other systems.

This “Bring Your Own Vulnerable Driver” method is very effective because it uses a valid certificate to get high-privilege access to systems.

You can read more in this article on bleepingcomputer.com that shares precisely how attackers exploit these vulnerabilities and what you can do about it.

Takeaway: Pay attention to reports of known vulnerabilities in your software and systems. Always patch or keep systems updated and keep an eye out for any anomalies in your environment.

4. Phishing-as-a-Service (PhaaS) – Yes, it’s a thing

Phishing-as-a-Service allows new threat actors to get into the business of launching their own phishing attacks. They get templates, instructions, tools, and even a tracking dashboard for a monthly fee!

A new, specific PhaaS program called Caffeine targets phishing campaigns for Microsoft 365. It comes with advanced features for hackers to use to carry out their phishing attempts. More details can be found in this article on bleepingcomputer.com

Takeaway: Phishing is big business for hackers, so staying on top of their tactics is more critical now than ever.

Lastly, the Department of Health and Human Services (HHS) recently published a paper discussing how tools used to operate, maintain, and secure healthcare systems and networks can be turned against their infrastructure. You can access the paper here.

These are a few examples of cyber attackers advancing their tactics to fool us. For a deeper dive into other ways attackers can access your network and to understand what they do once they are there (hint: they are typically in your network for up to 197 days before they make themselves known) you can request access this 6-Part Training Series that covers threats from the attacker’s perspective and give tips for what you can do about it.

Laura Pursley is the marketing director at CloudWave.