Websense ThreatSeeker Intelligence Cloud has detected a phishing campaign that targets the healthcare sector, especially hospitals, phishing for Outlook credentials. This campaign is part of an ongoing trend of campaigns phishing for the credentials of healthcare-sector users, and of a broader trend of phishing for corporate Outlook credentials.
Gaining access to corporate Outlook credentials gives attackers a foothold in the victim's organisation. From that foothold they can search for other high-value targets, then send internal, legitimate-seeming emails to extract additional information and gain access to strategic infrastructure or data. It also lets them leverage whatever good reputation the compromised account has to attack its contacts at other organisations.
Healthcare organisations, and hospitals in particular, hold a wealth of patient records that are very valuable to cyber criminals, as discussed here.
The phishing email seen below, with the subject line "Your Mailbox account closure.", is sent to users, enticing them to click on a link.
Reviewing the email path in the message headers, it appears that a compromised account was used to send this campaign. This suggests that the actors behind the campaign try to spread laterally from one compromised organisation to another, taking advantage of the reputation of the organisations already affected. It is especially notable that the compromised account belongs to another healthcare provider, which is likely to already enjoy a good reputation in the victim's email protection systems; this helps the campaign bypass reputation-based defences.
If the user follows the link, they are led to _webauthlineoutlweb.url.ph_, where they are presented with a legitimate-looking Outlook login page that harvests the credentials they enter.
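The header review and link check described above, as an added example that is not part of the original post or of Websense's tooling: a Python script that walks the Received: chain of a constructed message to spot an authenticated submission into the sender's own mail server (what a compromised account looks like from the receiving side, and why sender reputation and SPF give no warning) and flags the landing-page link because its host sits under url.ph and carries Outlook lookalike tokens. The message, its hosts, IP addresses, mailbox names and timestamps are constructed placeholders; only the subject line and the landing-page host come from the article. The allow-list of legitimate Outlook sign-in hosts, the free-subdomain zone list and the lookalike tokens are illustrative assumptions to be replaced with your own telemetry.

```python
import email.utils
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample modelled on the campaign. Hosts, IPs (RFC 5737 ranges),
# mailboxes and dates are placeholders; only the subject and the landing-page
# host are taken from the article.
SAMPLE_EML = """\
Received: from mail.example-hospital.org (mail.example-hospital.org [203.0.113.10])
 by mx.victim-clinic.example (Postfix) with ESMTPS id 4F2A1
 for <nurse@victim-clinic.example>; Mon, 6 Jan 2014 09:00:00 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
 by mail.example-hospital.org (Postfix) with ESMTPSA id 9C0B3;
 Mon, 6 Jan 2014 08:59:40 +0000
Authentication-Results: mx.victim-clinic.example; spf=pass smtp.mailfrom=example-hospital.org
From: IT Helpdesk <helpdesk@example-hospital.org>
To: nurse@victim-clinic.example
Subject: Your Mailbox account closure.
Content-Type: text/plain; charset=us-ascii

Your mailbox will be closed within 24 hours. Re-validate your account here:
http://webauthlineoutlweb.url.ph/
"""

# One Received: hop: "from <host> (<comment>) by <host> ... with <protocol>"
HOP_RE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+).*?\bwith\s+(\S+)", re.I)
URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.I)

# Assumed allow-list: hosts where a genuine Outlook/OWA sign-in lives. An
# organisation would add its own tenant and on-premises OWA hosts.
LEGIT_LOGIN_HOSTS = {"outlook.office.com", "outlook.live.com", "login.microsoftonline.com"}
# Assumed watch-list of free-subdomain zones; url.ph is the one from the article.
FREE_SUBDOMAIN_ZONES = ("url.ph",)
# Assumed brand tokens that a lookalike host would carry.
BRAND_TOKENS = ("outl", "owa", "webauth", "office", "microsoft")


def received_hops(msg):
    """Return hops oldest-first as (from_host, relay_comment, by_host, protocol)."""
    hops = []
    for raw in msg.get_all("Received", []):
        m = HOP_RE.search(" ".join(raw.split()))   # unfold continuation lines
        if m:
            hops.append(m.groups())
    hops.reverse()   # MTAs prepend Received:, so the last header is the first hop
    return hops


def origin_indicators(msg):
    """Describe how the message entered the mail system; an authenticated
    submission from an unidentified host into the sender's own MTA is the
    footprint a compromised account leaves."""
    hops = received_hops(msg)
    if not hops:
        return ["no parseable Received headers"]
    from_host, comment, by_host, proto = hops[0]
    sender = email.utils.parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rpartition("@")[2].lower()
    findings = []
    if proto.upper() in ("ESMTPA", "ESMTPSA"):
        findings.append(f"first hop is an authenticated submission ({proto}) into {by_host}")
    if comment and comment.lower().startswith("unknown"):
        findings.append(f"submitting host {from_host} has no reverse DNS ({comment})")
    if sender_domain and by_host.lower().endswith(sender_domain):
        findings.append(f"relayed by {by_host}, the sender's own MTA: SPF and "
                        "domain reputation look legitimate")
    return findings


def link_indicators(body):
    """Flag links whose host is a free subdomain or imitates an Outlook sign-in."""
    findings = []
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if host in LEGIT_LOGIN_HOSTS:
            continue
        if any(host == z or host.endswith("." + z) for z in FREE_SUBDOMAIN_ZONES):
            findings.append(f"{url}: hosted under free-subdomain zone")
        if any(tok in host for tok in BRAND_TOKENS):
            findings.append(f"{url}: Outlook/Microsoft lookalike token in hostname")
    return findings


def analyse(raw_message):
    msg = message_from_string(raw_message)
    return {
        "subject": msg.get("Subject", ""),
        "hops": received_hops(msg),
        "origin": origin_indicators(msg),
        "links": link_indicators(msg.get_payload()),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_EML).items():
        print(key, value)
```

The point of reading the chain oldest-first is that the outermost Received: line (the one your own MX wrote) only tells you the message came from the hospital's legitimate MTA; it is the innermost hop, an ESMTPSA submission from an address with no reverse DNS, that shows a stolen login being used, and no SPF or reputation check on the outer hop will ever catch that.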
"A high-level look at the top 5 threats hosted on subdomains of 'URL.PH' suggests it is becoming more popular in the last few months. Looking into the threats served by websites with the 'URL.PH' top-level domain (TLD), we can see a diverse set of threats including Zeus and Citadel, as well as other types," Websense said.