Hackers go phishing with Obamacare

Cyber criminals waiting to pounce on unwitting victims

As required by the Affordable Care Act, the federal government on Tuesday rolled out its new online health insurance marketplace, HealthCare.gov, where citizens can go to select a health plan that best meets their needs. While the launch was marred by well-publicized glitches that prevented many people from signing up, little attention has been paid to the dangers lurking in cyberspace as they relate to Obamacare, and to how some hackers are already finding ways to take advantage of the health insurance mandate.

Just last week, it was revealed that hackers were recently able to gain access to personal information residing on databases maintained by LexisNexis, Dun & Bradstreet and Kroll Background America, which according to Stu Sjouwerman, founder and CEO of IT security awareness training firm KnowBe4, could be used to conduct targeted spear phishing attacks. In these attacks, criminals will spoof an email address pretending to be from a legitimate organization in an attempt to get users to click on a malicious link or unknowingly submit confidential data.

“Now you’re looking at those health exchanges that allow the bad guys to go for a highly-targeted spear phishing attack that you could essentially automate if you’re looking at large-scale organization,” Sjouwerman explained. “With their own data mining tools, they can now create a profile of an employee at let’s say, for example, Home Depot. You do a little bit of research on what health insurer Home Depot has, now you can create a highly-targeted spear phishing attack to a few key, often C-level employees, but not necessarily always. You can get in through the mail room as well.

“Let’s just assume that Home Depot has Aetna as their health insurer, so now the bad guys have the option to identify employees with more than two children and they can craft a spear phishing attack that comes directly to them – either from spoofed (email addresses within the company) related to their health insurance with a message crafted somewhere to the extent of, ‘with the new Affordable Healthcare Act, Aetna might not be the best health insurer for people with more than two kids, we recommend you go to this particular health insurance exchange to check out your options.’ They could do this for just a few (employees) or they could do scattershot or shotgun spear phishing and send them to as many email addresses that they can get their hands on.”

Given the confusion among the public around any new initiative such as the online healthcare exchanges, Sjouwerman said that cyber criminals will always be waiting to lure in unsuspecting victims. “To the bad guys this is heaven,” he said. “There are dozens of scams already preying on people that are confused and want to know more, so it does provide a corporate risk and that’s just one. It’s not hard to come up with five more.”

There are several social engineering tactics that online criminals like to employ. One of the most popular, according to Sjouwerman, plays on a user's desire to avoid a negative consequence, and can include emails with subject lines such as “if you don’t sign up for a new healthcare plan you’ll get fined” or “you need to comply with this new law.” While these types of scare tactics are usually aimed at home users, Sjouwerman said that they have also worked in corporate settings.

Although most organizations are aware of the threats posed by cyber crime and are doing the best they can within their existing budgets to fight back, Sjouwerman said that it’s simply not enough anymore.

“I do think, and I’ve been in IT for 34 years and the last 20 in IT security, that the ‘rule of thumb’ that you spend about six percent of your IT budget in security is going to come back and bite you in the ass. It needs to go up,” he added. “I would posit that most enterprises that currently do just once a year security awareness training – meaning stick them in the break room, coffee and donuts, death by PowerPoint – they are no longer scaling their security awareness to a point where it needs to be and it needs to be beefed up.