Healthcare providers are being targeted by spammers using COVID-19 phishing campaigns, with the attacks showing no sign of letting up. The volume of attacks has led the U.S. Federal Bureau of Investigation (FBI) to release a further warning to healthcare providers, urging them to take steps to safeguard their networks and prevent the attacks.

The first significant COVID-19 themed phishing attacks targeting healthcare providers began to be detected around March 18, 2020. The attacks have increased over the following weeks and the lures have diversified.

Campaigns have been carried out targeting at-home healthcare staff who are supplying telehealth services to patients, and there has been an increase in business email compromise campaigns. In the latter, vendors are impersonated and requests are issued for early or out-of-band payments, citing difficulties caused by COVID-19.

The phishing attacks are being run to obtain login details and to spread malware, both of which are used to gain a foothold in healthcare networks to allow follow-on system exploitation, persistence, and the theft of sensitive data.

The malware being distributed in these campaigns is varied and includes data stealers such as Lokibot, backdoors, and Trojans such as Trickbot. Microsoft has recently revealed that Trickbot accounts for the majority of COVID-19 phishing emails targeting Office 365 users, with a campaign last week involving hundreds of different, unique macro-laced files. Along with being a dangerous malware variant in its own right, Trickbot also installs other malicious payloads, including RYUK ransomware.

A wide variety of malware is delivered through a similarly diverse range of email attachments and malicious scripts. Microsoft Word documents containing malicious macros are typically used, as are 7-zip compressed files, Microsoft executables, and JavaScript and Visual Basic scripts. The emails are being sent from a combination of domestic and international IP addresses.

While the number of COVID-19 themed phishing emails has been on the rise, the overall volume of phishing emails has not increased by a significant amount. What is happening is that threat actors are changing their lures and are now using COVID-19 lures, as they are more likely to be clicked on.

The campaigns can be highly realistic. The lures and requests are believable, many of the emails are well written, and authorities on COVID-19 such as the Centers for Disease Control and Prevention, the HHS’ Centers for Medicare and Medicaid Services, and the World Health Organization have been tricked by this. In a lot of cases the emails are sent from a known individual and trusted contact, which makes it more likely that the email attachment will be opened.

The advice provided by the FBI is to follow cybersecurity best practices such as never clicking on unsolicited email attachments, regardless of who appears to have sent the email. Ensuring software is kept up to date and patches are applied quickly is also vital, as is disabling automatic email attachment downloads. The FBI has also recommended filtering out specific types of attachments using email security software, something that is easy to set up with SpamTitan.
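The attachment filtering recommended above can be sketched as follows. This is an added example, not SpamTitan configuration or FBI-supplied code; the blocked-extension list, the function names and the sample message are assumptions constructed for illustration. It checks each attachment's extension, its leading bytes (so a renamed executable or 7-zip archive is still caught), and whether an Office Open XML file carries a VBA macro project.

```python
import io
import os
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy: extensions for the attachment types the article lists.
BLOCKED_EXT = {".7z", ".exe", ".js", ".vbs", ".docm"}
# Leading bytes that identify a format even when the file is renamed.
MAGIC = {b"7z\xbc\xaf\x27\x1c": "7-zip archive", b"MZ": "Windows executable"}

def has_vba_project(data: bytes) -> bool:
    """True if data is an OOXML (zip) file carrying a VBA macro project."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return False
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())

def check_attachments(raw: bytes) -> list:
    """Return (filename, reason) for every attachment to quarantine."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        ext = os.path.splitext(name)[1]
        magic = next((label for sig, label in MAGIC.items() if data.startswith(sig)), None)
        if ext in BLOCKED_EXT:
            findings.append((name, "blocked extension " + ext))
        elif magic:
            findings.append((name, "content is a " + magic))
        elif has_vba_project(data):
            findings.append((name, "Office document with VBA macros"))
    return findings

def build_sample() -> bytes:
    """Constructed test message; all names and contents are made up."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    msg = EmailMessage()
    msg["From"], msg["To"] = "billing@vendor.example", "staff@clinic.example"
    msg["Subject"] = "COVID-19 updated guidance"
    msg.set_content("Please review the attached files.")
    msg.add_attachment("WScript.Echo('constructed');", filename="form.js")
    msg.add_attachment(b"MZ" + bytes(32), maintype="application", subtype="pdf", filename="guidance.pdf")
    msg.add_attachment(docx.getvalue(), maintype="application", subtype="octet-stream", filename="rota.docx")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application", subtype="pdf", filename="notice.pdf")
    return msg.as_bytes()
```

Calling `check_attachments(build_sample())` flags the script, the executable renamed to `.pdf`, and the macro-bearing file renamed to `.docx`, and lets the plain PDF through. Legacy binary `.doc` files are not inspected here.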

The FBI has emphasised the importance of not opening email attachments, even if antivirus software indicates that the file is clean. As the Trickbot campaign shows, new strains of malicious documents and scripts are being created at an incredible rate, and signature-based detection methods cannot keep up with the pace. This is another area where SpamTitan can be of assistance. Along with using dual antivirus engines to detect known malware variants faster, SpamTitan includes sandboxing to identify and block zero-day malware threats that have yet to have their signatures added to antivirus software virus definition lists.

Training is crucial to teach healthcare employees cybersecurity best practices and help them spot phishing emails, but it is also important to ensure that your technical controls are in a position to block these threats. For more guidance, get in touch with TitanHQ now.