The United States Health Sector Cybersecurity Coordination Center (HC3) has warned the healthcare industry of a new monkeypox-themed malspam campaign targeting healthcare providers. According to the HC3, the campaign has a subject line of “Data from (Victim Organization Abbreviation): “Important read about -Monkey Pox– (Victim Organization) (Reference Number)” and utilizes an “Important read about Monkey Pox” theme. A PDF attachment to the email contains a malicious link that takes the user to a Lark Docs site. The website has a cloud-themed adobe doc and provides a secure Moneky Pox PDF download. The victim’s Outlook, O365, or Other Mail login credentials are attempted to be stolen by clicking on the download. The phishing attacks may have used business email compromises (BECs) of GPH-related and possibly non-HPH entities.
The most costly cybercrime in the present threat environment is BEC attacks. According to a report issued by the Federal Bureau of Investigation (FBI), 19,369 BEC complaints were filed in 2020, resulting in nearly $1.8 billion in losses. While BEC attacks are the most costly type of attacks, the healthcare industry is also severely impacted by traditional phishing attempts that use email or fraudulent websites. In the FBI’s Internet Crime Complaint Center (IC3), the FBI claim that phishing was the most often reported cybercrime in 2021.
The HC3 has advised a number of patches, mitigations, and workarounds that healthcare providers can take to help protect against this phishing campaign. Firstly, the HC3 recommends healthcare organizations to protect each account they have with complex and unique passwords. Healthcare organizations should utilize passphrases and a complex combination of letters, numbers, and symbols. Secondly, the HC3 recommends workforce members of healthcare organizations to avoid operating unsolicited emails from unrecognized senders. Furthermore, staff members should avoid opening a link or an attachment in an email unless there is complete confidence that it comes from a legitimate sender. Additionally, employees should not download or install programs if there is not complete trust in the developer and should avoid visiting unsafe websites that promise free programs that perform useful tasks. The HC3 has requested healthcare providers to contact them via their email should they have any additional questions relating to the monkeypox-themed phishing campaigns.