FBI Warns About COVID-19 Cyberattacks and Healthcare Providers Targeted by Individuals Posing as OCR Investigators

The Federal Bureau of Investigation (FBI) has issued a fresh warning about the use of the 2019 Novel Coronavirus pandemic and COVID-19 crisis by cybercriminals to steal money, obtain sensitive information, and distribute malware.

Several phishing and malware-distribution campaigns have been identified since January that use COVID-19 and the 2019 Novel Coronavirus as a lure to get individuals to divulge sensitive information and download malicious files. The FBI anticipates these COVID-19 related cyberattacks will increase as the COVID-19 crisis deepens.

Some of the campaigns identified so far include emails impersonating the World Health Organization and the Centers for Disease Control and Prevention (CDC). These emails offer advice about preventing infection with the 2019 Novel Coronavirus and COVID-19 and information about local cases, and some claim to offer advice about potential cures and new vaccines. The emails include malicious attachments containing malware downloaders and hyperlinks to phishing and malware distribution websites.

Many phishing campaigns have been detected that request fraudulent charitable donations or offer financial relief and refunds for flights by airline carriers. There is also a growing number of emails offering fake testing kits, fake medications, and counterfeit personal protective equipment (PPE) and sanitizing products.

The latest FBI alert, issued on April 1, 2020, concerns the exploitation of virtual environments used by government entities and public and private sector organizations to support communication services for telework and education. Vulnerabilities in computer systems used to support remote workers, such as virtual private networks (VPNs) and telehealth software such as videoconferencing solutions, are being exploited to gain access to business networks to steal sensitive information and conduct malware and ransomware attacks.

Emails have been identified offering free or low-cost telehealth software. Several malware samples have been identified that masquerade as installers of Zoom and other teleconferencing software and communication tools, cloud-based communication solutions, and VOIP software. To support the massive increase in remote workers, many businesses are sourcing laptop computers and other portable electronic devices from foreign suppliers and other sources. The FBI warns that devices from overseas and previously used devices carry a risk of having preinstalled malware.

Organizations should also be aware of the threat of business email compromise (BEC) attacks that request changes to bank account details for payroll and wire transfers. Several attacks have been reported to the FBI’s Internet Crime Complaint Center that involved requests for out-of-band payments due to the COVID-19 crisis. These BEC attacks usually occur via email using a spoofed email account or a genuine email account that has been compromised by the scammer.

Beware of Individuals Posing as OCR Investigators to Obtain PHI

The HHS’ Office for Civil Rights has issued a warning to healthcare providers about individuals posing as OCR investigators during the COVID-19 pandemic to trick healthcare employees into disclosing protected health information. These attempts to obtain PHI are made over the telephone rather than email. Individuals call the healthcare provider, identify themselves as an OCR investigator, and request protected health information. The callers provide no information that would allow their identity to be verified and do not provide an OCR complaint transaction number.

OCR has advised healthcare providers to send an alert to all members of the workforce explaining that these telephone phishing attacks are occurring. Staff should be instructed to verify the identity of the caller by asking for their email address, and to ask for any request for PHI to be confirmed in writing from the caller’s official hhs.gov email account. The confirmation should include the caller’s name, job title, HHS department, and a transaction number.

Healthcare providers should still exercise caution if such an email is received, as it is possible to spoof email addresses. They should ensure that the email has actually been sent from an hhs.gov email address and, if in any doubt about the validity of a request, forward the message to [email protected]. Any cases of individuals posing as federal law enforcement officers or OCR employees should be reported to the FBI.
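
One way a mail administrator could check that a written confirmation really came from hhs.gov rather than a spoofed or lookalike address, shown as an added example that is not part of the OCR or FBI guidance. It assumes the organization's own mail gateway stamps an Authentication-Results header and strips any incoming header that carries its identifier; the gateway name and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "hhs.gov"
GATEWAY = "mx.clinic.example"   # assumed identifier of our own mail gateway

def in_domain(value, domain=TRUSTED):
    """True if an address or bare domain is the trusted domain or a subdomain of it."""
    host = value.rpartition("@")[2].lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def check_hhs_sender(raw, authserv_id=GATEWAY):
    """Return reasons to distrust the message; an empty list means every check passed."""
    msg = message_from_string(raw)
    problems = []
    from_addr = parseaddr(msg.get("From", ""))[1]   # the address, not the display name
    if not in_domain(from_addr):
        problems.append(f"From address {from_addr!r} is not under {TRUSTED}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and not in_domain(reply_to):
        problems.append(f"Reply-To {reply_to!r} diverts replies away from {TRUSTED}")
    dmarc_ok = False
    for header in msg.get_all("Authentication-Results", []):
        parts = [p.split() for p in header.lower().split(";")]
        # Only believe results stamped by our own gateway; a sender can forge the rest.
        if parts[0][:1] != [authserv_id.lower()]:
            continue
        for tokens in parts[1:]:
            if tokens[:1] == ["dmarc=pass"] and any(
                    t.startswith("header.from=") and in_domain(t.split("=", 1)[1])
                    for t in tokens):
                dmarc_ok = True
    if not dmarc_ok:
        problems.append(f"no gateway DMARC pass aligned with {TRUSTED}")
    return problems

# Constructed sample messages (not real mail).
GENUINE = ("From: \"Constructed Sender\" <investigator@hhs.gov>\n"
           "Authentication-Results: mx.clinic.example; spf=pass smtp.mailfrom=hhs.gov;\n"
           " dmarc=pass header.from=hhs.gov\n\nbody\n")
LOOKALIKE = ("From: \"investigator@hhs.gov\" <caller@hhs.gov.example.net>\n"
             "Authentication-Results: mx.clinic.example;"
             " dmarc=pass header.from=hhs.gov.example.net\n\nbody\n")
FORGED_RESULT = ("From: investigator@hhs.gov\nReply-To: reply@example.org\n"
                 "Authentication-Results: mail.example.org;"
                 " dmarc=pass header.from=hhs.gov\n\nbody\n")
```

A clean result only shows the message passed domain authentication; the request itself should still carry the name, job title, HHS department and transaction number described above.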