Hackers go phishing with Obamacare

Oct. 4, 2013
Cyber criminals waiting to pounce on unwitting victims

As required by the Affordable Care Act, the federal government on Tuesday rolled out its new online health insurance marketplace, HealthCare.gov, where citizens can go to select a health plan that best meets their needs. While the launch was marred by well-publicized glitches that prevented many people from signing up, little attention has been paid to some of the dangers lurking in cyberspace related to Obamacare, or to how some hackers are already finding ways to take advantage of the health insurance mandate.

Just last week, it was revealed that hackers had gained access to personal information residing in databases maintained by LexisNexis, Dun & Bradstreet and Kroll Background America. According to Stu Sjouwerman, founder and CEO of IT security awareness training firm KnowBe4, that information could be used to conduct targeted spear phishing attacks. In these attacks, criminals spoof an email address so that a message appears to come from a legitimate organization, in an attempt to get users to click on a malicious link or unknowingly submit confidential data.

“Now you’re looking at those health exchanges that allow the bad guys to go for a highly-targeted spear phishing attack that you could essentially automate if you’re looking at large-scale organization,” Sjouwerman explained. “With their own data mining tools, they can now create a profile of an employee at let’s say, for example, Home Depot. You do a little bit of research on what health insurer Home Depot has, now you can create a highly-targeted spear phishing attack to a few key, often C-level employees, but not necessarily always. You can get in through the mail room as well.

“Let’s just assume that Home Depot has Aetna as their health insurer, so now the bad guys have the option to identify employees with more than two children and they can craft a spear phishing attack that comes directly to them – either from spoofed (email addresses within the company) related to their health insurance with a message crafted somewhere to the extent of, ‘with the new Affordable Healthcare Act, Aetna might not be the best health insurer for people with more than two kids, we recommend you go to this particular health insurance exchange to check out your options.’ They could do this for just a few (employees) or they could do scattershot or shotgun spear phishing and send them to as many email addresses that they can get their hands on.”

Due to the amount of confusion that exists within the populace regarding any type of new initiative like the online healthcare exchanges, Sjouwerman said that cyber criminals will always be waiting to lure in unsuspecting victims. “To the bad guys this is heaven,” he said. “There are dozens of scams already preying on people that are confused and want to know more, so it does provide a corporate risk and that’s just one. It’s not hard to come up with five more.”

There are several social engineering tactics that online criminals like to employ. One of the most popular, according to Sjouwerman, is pressuring a user to avoid a negative consequence, with emails carrying subject lines such as “if you don’t sign up for a new healthcare plan you’ll get fined” or “you need to comply with this new law.” While these types of scare tactics are usually aimed at home users, Sjouwerman said that they have also worked in corporate settings.

Although most organizations are aware of the threats posed by cyber crime and are doing the best they can within their existing budgets to fight back, Sjouwerman said that it’s simply not enough anymore.

“I do think, and I’ve been in IT for 34 years and the last 20 in IT security, that the ‘rule of thumb’ that you spend about six percent of your IT budget in security is going to come back and bite you in the ass. It needs to go up,” he added. “I would posit that most enterprises that currently do just once a year security awareness training – meaning stick them in the break room, coffee and donuts, death by PowerPoint – they are no longer scaling their security awareness to a point where it needs to be and it needs to be beefed up.

“So, point one is reevaluate your fixed six percent for security because it probably needs to be more like 10 or 12. Second, I would strongly recommend that (organizations) start to test their security awareness training. You cannot just train and then leave it be for a while. These employees need to be tested constantly, so sending all of your employees two or three simulated phishing attacks per month is no luxury. This is something that you need these days.”

In addition, Sjouwerman said that companies need to be aware of the legal consequences of not scaling up their security awareness training, especially in organizations where cyber safeguards are mandated by law. He also recommends designating someone within the company to stay on top of the latest threats.

“Make someone in your organization responsible to think like a hacker and have a continuing flow of alerts related to current events,” he said. “Go to each employee that warns you of scam attempts like this. As an example, a successful social engineering attack was, ‘the U.S. has started bombing Syria.’ That’s a current event-type thing that everybody is concerned about and that people will click on. Have someone think like a hacker, look at current events and anticipate the kind of attacks to keep an eye out for. It’s not hard to predict and send people regular alerts.”