An Open Enrollment Reminder – Phishers Want Your HSA Money!

As the end of the year approaches, many companies are communicating with their employees about benefits and Health Savings Accounts via email. Criminals realize this and have decided to get in on the action!  More consumers than ever are using HSAs as a way to save pre-tax income for future medical expenses. A report released by Devenir Research shared that, as of August 2016, 18.2 million HSA accounts currently hold $34.7 billion in assets – a 22% growth over 2015, and projects that by the end of 2018, more than $50 billion will be on deposit in HSA accounts. That’s a tempting target for criminals, and, due to the increase in HSA-related emails, they are ready to use email-based phishing attacks to try to steal your account credentials.

HSA Phishing Attacks

PhishMe has observed a large spike in phishing traffic targeting HSA account userIDs and passwords, starting November 11, 2016, and continuing through today. More than seventy distinct phishing attacks have been observed since that date, targeting Health Savings Accounts at Optum Bank and Fidelity. Fortunately, both of these organizations have been very responsible with their response to phishing and have provided additional information to help protect their customers.

The most prominent Optum phishing attack we are seeing directs the user to a page that looks like this:

hsablog-1Optum customers are encouraged to familiarize themselves with the actual look of their HSA login page and, most importantly, to pay attention to the URL. In the phishing URLs reviewed by PhishMe, the website did not belong to Optum and in some cases didn’t even attempt to pretend to be Optum. The phishers know that most users do not look at the URL of each website they visit. Following are a few example URLs that users clicked on, thinking they were accessing their HSA:

  • twistshop.me/myuhcfinancial/optum/
  • opthsa.com/optumhealthfinancial/optum/
  • megaleft.com/optumhealth/optum/

OPTUM Financial Services provides great information about how to protect your account on this Account Security web page: www.optumhealthfinancial.com/protect-account.html. They encourage account holders who may have clicked a link or opened an attachment to call them, or, if you have NOT clicked the link or opened the attachment, to forward the email to assetprotection@optum.com.  Their account protection web page also provides a sample phishing email that may be similar to one you may receive.

PhishMe is also observing a large increase in phishing attacks imitating the Fidelity Health Savings Account. As with the Optum phish, the key to detecting these phishing web sites is inspection of the URL. In the example below, the web page looks very convincing, but the URL contains the domain name shoe-etc.com which is certainly not Fidelity’s main login page for HSA accounts!

Some of the suspicious URLs we’ve seen for Fidelity’s HSA accounts include the following:

  • myhrsa.com/mynetbenefit.fidelity/fidelity/
  • fidelitynetbenefit.shoe-etc.com/fidelity/
  • securemynb.fidelity.opthsa.com/fidelity/
  • ubs-money.com/netbenefitsfidelity/fidelity/

Fidelity also has a very helpful web page for letting its customers know about possible security problems. Suspicious emails that you receive can be sent to phishing@fidelity.com, and the Report an Online Security Issue web page at https://www.fidelity.com/security/report-an-issue  has telephone numbers and additional tips related to phishing.

And Malware, Too!

The PhishMe Intelligence team has also recorded health insurance social engineering attacks that delivered malware via spam messages. The most blatant of these was a high volume spam campaign observed on November 7, 2016.  Using the email subject line: Health Insurance, the email body read as follows:

The email attachment contained a zip file that used the word insurance and some random numbers as its name, such as:

  • insurance_39017dc45.zip
  • insurance_95341063.zip
  • insurance_bc9ebb1f.zip

These .zip files contained hostile JavaScript code for downloading and executing the Locky ransomware. Locky can encrypt all files on both your local machine and network drives, and these files can only be decrypted by paying a ransom to the criminal.

Conclusion

During this time when the corporate emails are likely to be full of reminders about Open Enrollment and Health Savings Accounts, regarding both spending your remaining balance and setting up the account for next year, be sure to not let the pressure prevent you from being cautious! As our friends at the Anti-Phishing Working Group like to say – Stop. Think. Connect.

Be sure to share this warning with your friends, and consider sharing it with your HR department as well.

Ransomware made up 97% of phishing emails so far in 2016, what about the rest? Learn more in our latest Q3 Malware Review.

Cyber Crime: The Unreported Offense

On July 22, 2016 the UK’s Office for National Statistics released crime details for the year ending March 2016.  For the first time, this data included information about fraud and computer misuse offenses, which was compiled in the National Crime Survey for the first time in October 2015. While the police recorded 4.5 million offenses from March 2015 to March 2016, the survey indicates there were likely 3.8 million fraud instances and 2 million computer misuse instances during that same year, with the vast majority of these crimes being unreported to law enforcement.  The report has caused for a new call for additional cyber crime reporting at all levels.  In the UK, consumers and businesses alike are encouraged to submit suspicious activities and cases of loss to ActionFraud: the National Fraud & Cyber Crime Reporting Center.  ActionFraud also offers a Business Reporting Tool for bulk submissions by businesses of both fraud and scam emails.*

Earlier in July, the UK’s National Crime Agency also released their report “Cyber Crime Assessment 2016.”   The primary point made by the NCA report is the “need for a stronger law enforcement and business partnership to fight cyber crime.”

NCA Cyber Crime Assessment 2016The NCA report called special attention to the sophisticated abilities of international crime groups, making them “the most competent and dangerous cyber criminals targeting UK businesses.”  These groups are behind the most sophisticated financial crimes malware.

“This malware is a substantial source of financial crime in the UK, with three variants: DRIDEX, NEVERQUEST and DYRE /DYREZA, appearing frequently and responsible for many hundreds of thousands of individual crimes in 2015.”

The report also highlights the danger of ransomware and Distributed Denial of Service (DDoS) attacks.

While arrests were made in the DRIDEX case, the same botnet is now the leading source of the Locky ransomware family, the focus of more than 50 PhishMe Intelligence reports in the past month alone!

Statements made in March by Sir Bernard Hogan-Howe, the police commissioner of the Metropolitan Police of London, received mixed reviews when he said that banks that refunded their customers after cyber incidents were “rewarding them for bad behavior” instead of teaching them to be safer online.  The GCHQ suggested that 80% of consumer-facing cyber crime could be stopped just by choosing safer passwords and keeping one’s systems updated with current security patches.

The NCA report points out, however, that it isn’t just consumers who are not pulling their weight in the fight against cyber crime.  Businesses also have a responsibility to do more.   The report urges corporate board of directors to make sure that their information technology teams are not merely checking the boxes required of compliance regulations, but taking an active role in assisting the cause by ensuring that their businesses are reporting cyber crime incidents.  As widely seen in the United States, one may be compliant with PCI, Sarbanes Oxley, HIPAA, and other regulatory standards yet still be extremely vulnerable to the type of sophisticated cyber attacks presented by these sophisticated international crime groups.Moving beyond Box-Ticking cyber security

“Directors also have an important role in addressing the under-reporting of cyber crime which continues to obscure the full understanding of, and hence responses to, cyber crime in the UK. In particular, we urge businesses to report when they are victims of cyber crime and to share more intelligence, both with law enforcement and with each other.”

– NCA Strategic Cyber Industry Group

Dridex, NeverQuest, Dyre, Ransomware – Meet PhishMe Reporter & Triage

At PhishMe, we are intimately familiar with the prevalence of the malware families discussed in the UK government’s reports.  We provide detailed intelligence reports to our customers about all of those malware families, which are among the most common email-based threats that we encounter as we scrub through millions of each emails each day to identify the greatest threats and get human-driven analysis about those threats back out to our customers.

We support the security strategy and defense posture recommended by the NCA Strategic Cyber Industry Group.  Our industry must move from reactive, check-box security mentality to a proactive method of gathering and analyzing security incident reporting.  PhishMe customers not only have the ability for every employee to become part of the solution to “under-reporting” with a click of the mouse on the “Report Phishing” button, but also to share that information back to PhishMe to allow us to provide indicators that help protect ALL customers and to help inform our law enforcement partners.

PhishMe Reporter

The PhishMe Reporter Button

PhishMe Triage provides a single place for all of those employee reports to be integrated, if your business would like to answer the call to do more information sharing about these top malicious threats. By providing a dashboard-driven interface to all employee-reported malicious emails, the security team can quickly spot the most dangerous trends, confirm the facts, and report to law enforcement, as recommended in the UK’s National Crime Agency report.

In addition, PhishMe Intelligence customers received over 2,500 malware email campaign reports in addition to more than 600,000 individual phishing reports that can be used as an intelligence feed to strengthen your corporate defenses against these malicious actors.

We look forward to partnering with our UK-customers, and all of our customers, who choose to take an active stance in the fight against cyber crime by answering the call for increased vigilance and reporting.

 

* – U.S. businesses are encouraged to report cyber crime and fraud to the FBI’s Internet Crime & Complaint Center, IC3.gov.

 

Reality-checking Mr.Robot Ransomware

WARNING: MAJOR SPOILER ALERT!

USA Network’s television show, Mr.Robot, kicked off Season 2 with a BANG!   The program features the exploits of a hacker named Elliot Alderson (Rami Malek) who uses the alias “Mr.Robot” to work with a team of hackers who call themselves F-Society and have as their mission the destruction of a major corporation that they call “Evil Corp,” whose logo calls back to the Big Corporate Corruption of Enron. In this episode, the attack is against the “Bank of E.”

University W2 Phishing and CEO Impersonation

At PhishMe we talk frequently about a familiar concept that cyber attacks and phishing emails are very rarely sent to only one organization. While  security teams tend to focus on threats to your organization, PhishMe Intelligence is watching for email-based threats for EVERY organization. As we were gathering information about tax-related phishing scams this year, we noticed that institutes of higher learning were being hit quite broadly by this year’s W2 related scams.