If you don’t believe that you could ever fall victim to a social engineering attack, take heed. Last week, a mobile healthcare application vendor reportedly fell victim to a scam that saw criminals send fraudulent mails to everyone in a director’s account.
Online criminals launched a cyberattack on healthcare app company Evergreen Life. Its app helps people log their own health information, taking in fitness, nutrition, and even DNA records. They can also connect to their GP, access their medical records, and book appointments. The app gives people a wellness score to help them assess the shape they’re in.
On Monday 21 October, the cybercriminals reportedly did their best to infiltrate Evergreen Life’s email systems using an age-old technique: phishing. They accessed the email of Dr Brian Fisher, the company’s clinical director. As a high-up executive in the company with a prominent industry profile, he has lots of contacts. The online crooks managed to send an email to all his contacts with this title:
Brian Fisher has shared a document with you via OneDrive for Business.
This was in the body:
Did you get the documents I sent you this morning? Find attached. I will await your feedback on the highlighted items.
The attackers apparently wanted to get his contacts to visit a dodgy website that had been registered the previous Friday. The site invited them to register their credentials in a classic phishing move.
Executives at the firm believe that the crooks wanted to install ransomware on its systems, but told The Register that the company spotted the problem before they could get a foothold.
Evergreen Life took a responsible approach to dealing with the problem, say reports, including proper segmentation of its different systems. Its patient-facing systems are not connected to its email system, it said. It also emailed all the recipients of the first mail warning them of the problem and urging them not to open the attachment, click on the link, or fill in their credentials on the site.
What were the attackers after? Login details for Office 365.
Here are some tips for staying out of trouble:
- Look out for obvious errors. Crooks are often careless with the emails they send, and numerous grammatical and typographic errors are a big giveaway.
- Check your address bar. If a web address is too long to fit cleanly into the address bar of your browser, take the trouble to scroll rightwards in the address text to find the right-hand end.
- Consider using a password manager. Good password managers associate usernames and passwords with already-known login pages, so your password manager wouldn’t offer to fill in an unexpected password field on an unknown web domain – it simply wouldn’t know what account to use.
- Never login via email links. If you need to login to a site such as Office 365, find your own way there, for example via a bookmark you created earlier, or by using the official mobile app. That way, you’ll avoid putting your real password into the wrong site.
And a bonus tip if you’re looking after other users…
- Make sure your users are clued up. Phishing emails like this one are easy to fall for because of their elegant simplicity. Sophos Phish Threat lets you train and test your users using realistic but safe phishing simulations.