Security pros help HHS fix a website flaw that exposed visitors to malware

Transmission electron microscopic image of an isolate from the first U.S. case of COVID-19 (Centers for Disease Control and Prevention).


Written by

As if the Department of Health and Human Services didn’t have enough to deal with during the coronavirus pandemic, hackers were trying to redirect people from a department website to a malicious domain designed to steal their data.

By sending phishing messages that routed recipients from a Health and Human Services website to a malicious one, scammers tried compromising people with malware known for capturing credit card data and email credentials. The activity coincided with a surge in attention toward the department, as Americans seek guidance amid the COVID-19 outbreak.

The malicious “redirect,” as the trick is called, appears to no longer work after a group of volunteer cybersecurity experts worked with HHS to address it. It is unclear how many devices, if any, were compromised as a result of the activity. It was only the latest effort by digital miscreants to capitalize on international concerns about the pandemic.

“The believability that it is actually coming through HHS makes a phishing campaign more likely to be successful,” said Dave Kennedy, founder of the security vendor TrustedSec.

The malware, dubbed Raccoon, has been popular on the criminal underground and last year infected devices across Asia, Europe, and North America, according to security firm Cybereason. “Raccoon follows a malware-as-a-service model, allowing individuals a quick-and-easy way to make money stealing sensitive data without a huge personal investment or technical know-how,” the firm wrote in an October 2019 analysis.

An HHS spokesperson said the department, and its inspector general, were investigating the matter. The Department of Homeland Security also helped the investigation, an official said.

The issue gained traction on Monday after a tweet from an anonymous cybersecurity researcher who goes by @SecSome on Twitter.

The researcher, who declined to be named, said they discovered the hacking attempt in a phishing email. A screenshot of the phishing email includes a link that appears to connect to an HHS contracting site, but actually sends the user to a malicious site unaffiliated with the department.

A screenshot of the phishing email, with a link to an HHS website (courtesy @SecSome)

The response to the vulnerability highlighted the work of a fledging group of cybersecurity professionals who are volunteering their time to protect health care organizations during the COVID-19 crisis. The researchers, employed by well-known cybersecurity companies, are sending threat data to vulnerable organizations amid a swell in COVID-19 related phishing against multiple sectors.

-In this Story-

coronavirus, cybercrime, Department of Health and Human Services (HHS), health care, phishing