This is how far phishers will go to make you click on a bogus link

The anatomy of a phishing attack: how cybercriminals are targeting hospitals to steal data.
Written by Danny Palmer, Senior Writer

Targeting a hospital can provide a hacker with plenty of data to sell on for cash. (Image: iStock)

Hospitals might not be such an obvious target for hackers as banks, but cybercriminals are using an array of attacks -- from the simple to the extremely sophisticated -- in an attempt to breach the defences of healthcare providers.

While some hackers are using system-locking ransomware to make a quick buck out of hospitals -- those who targeted a Hollywood hospital this way walked away with $17,000 in exchange for decrypting systems -- there are other cybercriminals who are highly aware that these institutions retain huge amounts of personal data, which can be stolen and exploited to turn a profit.

In the UK around 60 percent of emails from outside the NHS are blocked by filters, because they're identified as phishing attempts with the likely goal of delivering Trojans, spyware, ransomware, and other malicious software to the network.

But that doesn't stop every attack. At the recent UK Health Expo, Rob Shaw, chief operating officer and senior information risk owner at NHS Digital, discussed one incident that showed the sophistication of some attacks.

Shaw detailed how one particular employee fell victim to one of these attacks and that nobody knew it had happened until two weeks after the initial intrusion.

Attackers first searched for their intended victim on LinkedIn and were able to see information including where they went to school. From there, the attackers were able to look at the school's website, which identified the victim as a past captain of the rugby team. Using that extra information, the attacker did some additional research and found out the name of the rugby team's vice captain.

They then used this to build a convincing-looking email: one spoofing a genuine-looking email address belonging to the old team-mate, and which referred to the victim by name. The email claimed to carry an old rugby team photo of the two as an attachment.

When the victim opened the attachment, a dialogue box popped up and, eager to see what was in fact a non-existent photo, they selected 'OK'. In doing so they allowed the attacker to gain control of the PC through Trojan spyware, which then went unnoticed for two weeks while it spied on the network and gathered data.

It might sound like a sophisticated attack method to some, but the fact is phishing attacks of this kind are relatively simple to carry out and anyone with some smarts and time -- and the desire to make you a victim -- could carry it out.

"That's not state-sponsored, that's not the Chinese or Russians, that's just someone being quite clever and getting hold of credentials," says Shaw, adding "and the fact it took us two weeks to find out shows how easy it is to get things through".

Education is a key requirement in fighting this sort of attack: the threat can be reduced by encouraging employees to be more cautious online and by warning them to be wary of strange or unexpected emails.

"Your information has a high intrinsic value. Forget about whether it's a threat to somebody's life, forget whether if they bring down the system they could shut down life support systems; that's not an issue to them. What's an issue is how they can generate money out of your data, even if it's just selling it on," said Steve Mulhearn, director of enhanced technologies at cybersecurity firm Fortinet.

However, there's another factor which puts hospitals -- both within the NHS and around the world -- at risk and that's the reliance on legacy systems.

Mainstream support for Windows XP ended in April 2009 while extended support for it in organisations like hospitals ended in April 2014. That means there are systems inside hospitals running on an operating system which hasn't received security updates for over two years.

Shaw detailed how 15 percent of NHS systems still run on Windows XP, and if those machines can be identified by outsiders, they represent a huge security hole in the network. Unfortunately, the bespoke nature of many of these devices means that they're not easy to update.

"It's not simple; I can't go to Microsoft and say, 'here's a pile of cash, just put everyone on Windows 10'. Because a lot of this software has been specially written and has been used to treat patients, so unless you rewrite the software you can't migrate it across, so we've got to look at how to manage it," said Shaw.

However, there's an even bigger issue to contend with: one of the reasons some of this hardware is still running Windows XP is that it simply can't support Windows 10, or even Windows 7, which accounts for 83 percent of NHS systems. Budget cuts and strains on finances mean hospitals can't afford to replace these devices, some of which still perform vital services. So what's the answer?

"Take it off the network. Lock it down and ensure only the people who need access to it get access to it," said Shaw.
