May 2021 – Phishing Attack Caused the Gas Panic

In May of 2021, an attack on the Colonial Pipeline led to a shutdown of the largest gas pipeline in the United States. Panic buying caused widespread gasoline shortages across many of the southern states. This was the largest and most damaging attack on the United States’ energy sector. However, this type of attack has happened to many hospitals and medical practices across the world. In fact, at the time of writing, the entire national health system of Ireland had been forced to shut down its network to remove ransomware.

The Colonial Pipeline attack was a ransomware attack and the company ended up paying over $5 million to get the key to decrypt their data. However, ransomware was only installed AFTER the attackers had made it inside the network. How did they get in in the first place? At this time, it is widely believed to have been a phishing attack. Phishing is the most common way attackers gain access to a network, by far. And they do it with your help.

What is phishing?

Phishing is when an attacker sends you an email pretending to be someone you know or a service you are familiar with (like Amazon, Facebook, etc.) for the purpose of getting you to click on a link or open an attachment.

Attackers will try hard to make these emails look as legitimate as possible in an effort to coax you into clicking on their links. However, a lot of the time the attackers are lazy, or English isn’t their first language, so there are many errors in the email itself.

If an attacker crafts an email that is focused on you, we call this spearphishing. They may use information that only you would know or even send it from a hacked account of a person you may know. This is a common tactic. Once an attacker has gained access to one account, they will send emails out to everyone in the victim’s address book pretending to be them. At this point, the email is as legitimate as it possibly can be since the source is the actual email account of the victim. However, if you’re careful, you can still spot these phony emails as well.


Phishing is hard to spot, but there are tells

The picture below is an actual message I received. This attack was harder to detect because the domain for the email address was a real domain (nansinco-jp.com). At the time when I received this message, if you went to that domain, it showed a real company.

But notice that when you go to the actual site, the domain is nansin.co.jp. This is because the attacker registered the domain nansinco-jp.com and forwarded it to the website of the real company. However, he would still be able to receive email at his fake domain.

After some investigation, I found that this fake domain had been registered in December of 2020 while the real company had been around since 2008. That is also a good way to know that this was fake.


The easiest way to know if an email is legitimate is to check the link they want you to click on. Use your mouse to hover over the link in the email. Look at the bottom of your email software and you should see the real link. In the email, it may say “Amazon Shipment Status”, but when you hover over the link, the URL may be something completely different. But be careful: attackers often set up domains that resemble famous domains. Here are some examples:

Real Domain:        Fake Domain:
amazon.com          amaz0n.com
facebook.com        faceb00k.com
linkedin.com        linkedin.linked.com

One thing to watch for is that the part right before the .com is the most important. You might see linkedin.fake.com; the “fake” is the part you need to pay attention to, not the “linkedin” part.
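As an added example that is not part of the original post, the small Python check below applies the rule above to the fake domains in the table and to the nansinco-jp.com sender domain from the story earlier: it isolates the part that was actually registered and reports why a link or address does not belong to the expected company. The short suffix list is a constructed stand-in for the real Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed, abbreviated stand-in for the Public Suffix List: under these
# suffixes the registered name sits one label deeper (nansin.co.jp).
MULTI_LABEL_SUFFIXES = {"co.jp", "co.uk", "com.au"}

# Digits commonly swapped in for look-alike letters (amaz0n, faceb00k).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable_domain(host: str) -> str:
    """Return the part the owner actually registered: the label right before
    the public suffix plus the suffix itself.
    linkedin.fake.com -> fake.com ; www.nansin.co.jp -> nansin.co.jp"""
    labels = host.lower().rstrip(".").split(".")
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def host_of(link_or_address: str) -> str:
    """Accept either a hovered URL (https://...) or a sender address (user@domain)."""
    if "@" in link_or_address and "://" not in link_or_address:
        return link_or_address.rsplit("@", 1)[1]
    return urlsplit(link_or_address).hostname or ""


def classify(link_or_address: str, expected_domain: str) -> str:
    """'ok' if the link or address really belongs to expected_domain,
    otherwise a short reason a user could act on."""
    host = host_of(link_or_address)
    actual = registrable_domain(host)
    expected = registrable_domain(expected_domain)
    if actual == expected:
        return "ok"
    if actual.translate(HOMOGLYPHS) == expected:
        return "lookalike: digits substituted for letters"
    if expected.split(".")[0] in host.split("."):
        return "lookalike: brand name used as a subdomain of " + actual
    return "mismatch: registered domain is " + actual


if __name__ == "__main__":
    # Constructed samples drawn from the post's own examples.
    for sample, expected in [("https://www.amazon.com/orders", "amazon.com"),
                             ("http://amaz0n.com/login", "amazon.com"),
                             ("https://linkedin.linked.com", "linkedin.com"),
                             ("sales@nansinco-jp.com", "nansin.co.jp")]:
        print(f"{sample:32} -> {classify(sample, expected)}")
```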

If you do click on a link and see a login screen, don’t type your real username and password. Instead, type in any email address and a random password. If the site lets you in, then you know it isn’t legitimate.

If it is an attachment, always err on the side of caution: don’t click it. Call the person and ask whether they sent you something you need to open. If the file is an EXE file (file.exe), NEVER click on it. Don’t email the person to ask. I have seen cases where an attacker had hacked a physician. They were in the provider’s webmail account. When the person they had sent a phishing email to emailed back to see if it was legitimate, they simply replied using the doctor’s account and said yes, it is good to go.

Healthcare is at risk

Healthcare, after defense companies, is the largest target group for attackers. They know that if they can get ransomware into a medical practice or hospital, the chances of getting payment are very high. On top of that, they can steal patient records and sell them online even if the practice pays the ransom, so they are getting paid twice for every attack. It is up to every person working around patient data to do their part to protect it. Not only is it federal law (HIPAA regulations), it is the right thing to do to protect patient privacy. Keep in mind that you are also a patient of some other doctor. You would want that practice to protect your data as well.