Malicious Emailers Find Healthcare Firms Juicy Prey

Healthcare providers have garnered growing interest from hackers in recent months. More evidence of that trend appeared last week in a report on email trust.

An email that appeared to come from a healthcare company was four times more likely to be fraudulent than an email purportedly from a social media company like Facebook, which is one of the largest creators of email on the Internet, Agari found.

The report gives industries a TrustScore — that is, a number that reflects the trustworthiness of email from companies within that industry group. With zero being untrustworthy and 100 being very trustworthy, the healthcare industry scored a very low 17. Nearly 30 percent of healthcare companies surveyed for the report received TrustScores of zero.

“What’s happened recently is that criminals have realized that there is gold in healthcare records,” said Agari founder and CEO Patrick Peterson.

Criminals have been honing their cyberweapons for 20 years trying to break into banks and financial institutions, he noted.

“Now they’ve turned those weapons on the healthcare industry, which is years behind the financial industry in battling digital crime,” Peterson told TechNewsWorld.

Low-Hanging Fruit

Data thieves are emboldened by events like the Anthem breach earlier this month, in which sensitive data on 80 million of the healthcare provider’s customers was stolen.

“As the criminals see successes like Anthem, they’re doubling down, and healthcare is finding itself ill-prepared for the war being waged on them,” Peterson said.

That’s not to say criminals have given up on masquerading as banks in malicious email ruses. In fact, electronic correspondence that appears to come from a mega U.S. bank is 15 times as likely to be fraudulent as that from a social media company.

Overall, the major social media companies — Twitter, Facebook, Google+ and LinkedIn — scored more than 75 on the TrustScore scale. They haven’t always enjoyed a good safety record, however.

“Twitter, Facebook and LinkedIn used to see days when each saw 100 million malicious emails sent purporting to be from them,” Peterson said.

“In 2010, 11 and 12, a huge focus of criminals was the social networks. The reason they’re not any more is they were pioneers in protecting their customers,” he pointed out.

“When the criminals found their attacks weren’t successful anymore, they went off to lower-hanging fruit, like healthcare,” said Peterson.

Flaws in Top Programs

Some 1,357 new vulnerabilities were found in the top 20 software programs over a three-month period ending in January, Secunia reported last week.

“That’s fairly high,” said Kasper Lindgaard, director of security and research at Secunia.

The vendor with the most vulnerabilities during the period was IBM. In December alone, its X.Org Xserver software had 152 vulnerabilities. IBM’s poor showing was due in part to the way it packages its software.

“IBM bundles third-party libraries in its applications,” Lindgaard told TechNewsWorld, “so when there’s a vulnerability in the third-party application, IBM has to patch that vulnerability in its own application.”

That can make IBM code look more flawed than it really is.

Secunia applauded Google’s decision to modify its Project Zero program by allowing a two-week grace period after an initial period of 90 days for patching vulnerabilities found in other people’s software.

“Only hackers gained from Google indiscriminately disclosing vulnerabilities just a few days before the vendor disclosed it with an available patch,” the report notes.

Lenovo Spyware

Lenovo found itself in a cauldron of controversy last week when reports began appearing about its practice of preloading an adware program called “Superfish” on some of its laptops.

Superfish circumvents SSL, a protocol used to encrypt communication between a device and an Internet site. Superfish substitutes its own digital certificates for those used by destination sites, arguably making a user’s computer vulnerable to hack attacks.

“In a day and age where corporate breaches are increasing, we should be seeking ways to limit our exposure, not preinstalling software that can create an attack vector,” iSheriff Senior Product Manager Mark Parker told TechNewsWorld.

While the practice of preloading third-party software isn’t about to go away, there’s a right way and wrong way to do it, noted Adam Ely, cofounder of Bluebox.

“Preinstalling software is not always bad, but when it compromises the owner’s privacy and security, it is always unacceptable,” he told TechNewsWorld.

“When Sony BMG exploited computers using a rootkit in an attempt to protect their music from being pirated, they dismissed the owners’ rights, privacy and security for their own needs,” Ely said.

“Superfish is even worse, as it’s designed to break the security and trust model of Web browsers to inject advertisements,” he continued. “This allows other attackers and malware to take advantage of this violation, exploiting users, compromising systems, and stealing users’ data.”

Breach Diary

  • Feb. 16. Kaspersky Lab reports it has found computers in 30 countries carrying espionage software that can infect the firmware in computer hard drives and allow government spooks to monitor almost any computer in the world.
  • Feb. 17. Vladimir Drinkman, 34, pleads not guilty to all charges stemming from his alleged role in a global hacking scheme that federal authorities estimate compromised 160 million credit and debit card numbers. Targets of the scheme included Nasdaq, Dow Jones and JetBlue.
  • Feb. 17. Gemalto reports 49 percent year-over-year increase in data breach incidents, to 1,541. It also reports more than 1 billion records were breached, an increase of 78 percent over 2013.
  • Feb. 17. Connecticut Senate Democratic leaders file legislation to require insurance companies operating in their state to encrypt all personal information records stored and transmitted by the insurers.
  • Feb. 18. University of Maine discloses one of its laptop computers and a media card used by a faculty member were stolen from a checked bag on an airline flight, potentially exposing the personal information of 941 students enrolled in physics courses dating to 1999.
  • Feb. 18. Weitz & Luxenberg files class action lawsuit against Anthem over data breach earlier this month compromising private information of 80 million customers.
  • Feb. 18. Alex Yucel, 24, pleads guilty in Manhattan federal court for his part in creating Blackshades, a malware program designed to remotely steal files and other data. It’s estimated that the program infected more than 500,000 computers.
  • Feb. 20. The Intercept reports U.S. and UK intelligence agencies stole encryption keys for SIM cards made by Gemalto in order to monitor mobile communications without approval of carriers or governments. Gemalto makes about 2 billion SIM cards a year for about 450 mobile carriers, including AT&T, T-Mobile and Verizon.
  • Feb. 20. Community Health Systems reports year-over-year decline in net revenue of 35 percent, to US$92 million from $141 million. In August 2014, hackers stole the nonmedical data of 4.5 million patients.

Upcoming Security Events

  • Feb. 26. Privileged Account Exploits Shift the Front Lines of Cyber Security. 2 p.m. ET. CyberArk Webinar. Free with registration.
  • Feb. 26. Rethinking IT Security: Fighting Known, Unknown, and Advanced Threats. 2 p.m. ET. Kaspersky webinar. Free with registration.
  • Feb. 26. How to Keep Your Company Safe & Out of the Headline. 1 p.m. ET. Dark Reading webinar. Free with registration.
  • March 4-5. SecureWorld Boston. Hynes Convention Center. Open sessions pass: $25; conference pass: $175; SecureWorld plus training: $545.
  • March 11. Intelligence Squared U.S. Debates: The U.S. Should Adopt The “Right To Be Forgotten” Online. 6:45 p.m. Merkin Concert Hall, Goodman House, 129 W. 67th Street, New York City. Tickets: $40; student, $12.
  • March 12. B-Sides Ljubljana. Poligon Creative Centre, Tobačna ulica 5, Ljubljana, Slovenia. Free.
  • March 12-13. B-Sides Austin. WinGate Williamson Conference Center, Round Rock, Texas. Fee: $15/day.
  • March 14. B-Sides Atlanta. Atlanta Tech Village, 3423 Piedmont Rd. NE, Atlanta. Free.
  • March 16-17. B-Sides Vancouver. The Imperial Vancouver, 319 Main St., Vancouver, BC, Canada. Tickets (before March 1): supporter CA$25, plus $2.49 fee; professional $55, plus $4.29 fee; VIP $125 plus $8.49 fee.
  • March 18-19. SecureWorld Philadelphia. DoubleTree by Hilton Hotel, Valley Forge, Pennsylvania. Open sessions pass: US$25; conference pass: $295; SecureWorld plus training: $695.
  • March 20-21. B-Sides Salt Lake City. Sheraton Salt Lake City Hotel, Salt Lake City, Utah. Registration: before March 20, $40; $50 at the door.
  • March 24-27. Black Hat Asia 2015. Marina Bay Sands, Singapore. Registration: before Jan. 24, $999; before March 21, $1,200; after March 20, $1,400.
  • April 1. SecureWorld Kansas City. Kansas City Convention Center, 301 West 13th Street #100, Kansas City, Missouri. Registration: open sessions pass, $25; conference pass, $75; SecureWorld plus training, $545.
  • April 20-24. RSA USA 2015. Moscone Center, San Francisco. Registration: before March 21, $1,895; after March 20, $2,295; after April 17, $2,595.
  • June 8-11. Gartner Security & Risk Management Summit. Gaylord National, 201 Waterfront St., National Harbor, Maryland. Registration: before April 11, $2,795; after April 10, standard $2,995, public sector $2,595.

John Mello is a freelance technology writer and contributor to Chief Security Officer magazine. You can connect with him on Google+.
