This week’s first scam comes courtesy of the U.S. Postal Service. From an article online, “USPS® and the Postal Inspection Service are aware of the circulation of a fake email/email scam claiming to be from USPS officials including the Postmaster General.
Some postal customers are receiving bogus emails featuring the subject line, ‘Delivery Failure Notification.’ These emails appear to be from the U.S. Postal Service® and include language regarding an unsuccessful attempt to deliver a package. The email will prompt you to confirm your personal delivery information by clicking a button or downloading an attachment, that, when opened, can activate a virus and steal information —such as your usernames, passwords, and financial account information.”
British Telecom Phishing Scam
Not to be outdone by the American postal system, British Telecom (BT) was also the vehicle this week for a phishing scam. According to Hoax Slayer, “The email asks you to click a link to provide BT with updated billing information. To make it appear authentic, the email includes the BT logo along with seemingly legitimate footer information and help links. Despite its appearance, however, the email is not from BT. It is a phishing scam designed to steal your personal and financial information.”
Credit Card Companies Scam
Credit card companies were also used this week to launch phishing attacks. From Capital Journal, “The bad guys are sending a new attention-grabbing phishing email, and they’re targeting the customers of major credit card companies. The email appears to come from a well-known credit card company, usually American Express or Chase. The email includes a list of credit card transactions, and you are asked to confirm or deny whether the transactions are valid. If you click the ‘No, I do not recognize the transactions’ link, you are brought to a fake login page that looks very similar to the credit card company’s actual login page.”
Every now and then, hackers are so inept that you just have to laugh. From Naked Security comes the story of The Amazon Prime phishing attack that wasn’t… To make a long story short, the hackers sent out a phishing email pretending to be from Amazon. That seems pretty straightforward. The surprise came if you fell for the scam and clicked on the link.
According to the article, “instead of reaching a page that demanded our Amazon password, which is what we expected, we ended up at the crooks’ very own remote access backdoor [with] full remote access with no username or password needed.” Like I said, you have to laugh.
It’s one of the worst ideas of all time: enabling hyperlinks in text messages. What could possibly go wrong? Phishing attacks known as smishing, that’s what.
From TechGenix, “Security researchers at Lookout recently published a report that details an extensive SMS phishing campaign. The SMS phishing campaign specifically targets users of mobile banking sites.” Bottom line: don’t ever visit your bank from a link inside a text message.
A couple more healthcare organizations were hit with phishing attacks this week, resulting in over 175,000 victims. First it was the Overlake Medical Center & Clinics in Bellevue, Washington, potentially exposing the PHI of 109,000 patients. “A review of the affected accounts revealed they contained patient names, addresses, telephone numbers, dates of birth, health insurance provider names, health insurance ID numbers, and diagnosis and treatment information related to the care provided at Overlake.” So, pretty much everything but Social Security numbers.
Next, Wise Health System in Decatur, Texas notified 66,834 patients that some of their PHI was potentially compromised in a phishing attack. “Out of an abundance of caution, affected patients have been offered credit monitoring, identity theft recovery, and identity theft insurance coverage through the ID Experts MyIDCare service for 12 to 24 months. Following the breach, Wise Health System implemented email security services to improve its cybersecurity posture.” Well, I hope so.
Even government agencies aren’t immune to data breaches, because, well, they have human beings working there also. According to SC Magazine, “The breach at one of the networks of the Defense Information Systems Agency (DISA), which secures communications for President Trump and military intelligence and other government officials, affected as many as 200,000 people, exposing their personal information, including Social Security numbers.” Ouch.
MGM Resorts Breach
This comes under the heading of “updated information.” We knew about the breach; we just didn’t know how widespread it was until today. “MGM Resorts has confirmed there was unauthorized access to one of the company’s cloud servers in 2019 that contained information on a reported 10.6 million guests, possibly including several high-profile guests.” Ten point six million!
Maybe it’s time to do what Wise Health System did and implement measures to improve cybersecurity posture.
And that’s the week that was.