Security pros help HHS fix a website flaw that exposed visitors to malware

The issue risked exposing people to malware used to steal credit card information and email credentials.
Transmission electron microscopic image of an isolate from the first U.S. case of COVID-19 (Centers for Disease Control and Prevention).

As if the Department of Health and Human Services didn’t have enough to deal with during the coronavirus pandemic, hackers were trying to redirect people from a department website to a malicious domain designed to steal their data.

By sending phishing messages that routed recipients from a Health and Human Services website to a malicious one, scammers tried compromising people with malware known for capturing credit card data and email credentials. The activity coincided with a surge in attention toward the department, as Americans seek guidance amid the COVID-19 outbreak.

The malicious “redirect,” as the trick is called, appears to no longer work after a group of volunteer cybersecurity experts worked with HHS to address it. It is unclear how many devices, if any, were compromised as a result of the activity. It was only the latest effort by digital miscreants to capitalize on international concerns about the pandemic.

“The believability that it is actually coming through HHS makes a phishing campaign more likely to be successful,” said Dave Kennedy, founder of the security vendor TrustedSec.

The malware, dubbed Raccoon, has been popular on the criminal underground and last year infected devices across Asia, Europe, and North America, according to security firm Cybereason. “Raccoon follows a malware-as-a-service model, allowing individuals a quick-and-easy way to make money stealing sensitive data without a huge personal investment or technical know-how,” the firm wrote in an October 2019 analysis.

An HHS spokesperson said the department, and its inspector general, were investigating the matter. The Department of Homeland Security also helped the investigation, an official said.

The issue gained traction on Monday after a tweet from an anonymous cybersecurity researcher who goes by @SecSome on Twitter.

The researcher, who declined to be named, said they discovered the hacking attempt in a phishing email. A screenshot of the phishing email includes a link that appears to connect to an HHS contracting site, but actually sends the user to a malicious site unaffiliated with the department.

A screenshot of the phishing email, with a link to an HHS website (courtesy @SecSome)
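The phishing link described above works only because a redirect endpoint on a trusted site forwards visitors to any destination it is given. The following is an added example, not code from HHS or from the volunteers mentioned in the article: a defender-side check that validates redirect targets against an allowlist of hosts, and a triage helper that flags email links which would bounce off the trusted domain. The allowlisted hosts, parameter names and sample URLs are all constructed for illustration.

```python
from urllib.parse import parse_qs, urlparse

# Hypothetical allowlist of hosts a redirect endpoint may forward users to.
ALLOWED_HOSTS = {"www.agency.example", "grants.agency.example"}

# Query-parameter names commonly used to carry a redirect target (assumed list).
REDIRECT_PARAMS = {"url", "redirect", "redirect_url", "next", "return", "goto", "dest"}


def is_safe_redirect_target(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if target is a same-site path or an http(s) URL on an allowlisted host."""
    target = target.strip()
    # Scheme-relative targets (//host) and backslashes are normalised by browsers
    # into cross-site navigations, so reject them outright.
    if target.startswith("//") or "\\" in target:
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: only accept paths rooted at the site, not bare words.
        return target.startswith("/")
    if parsed.scheme not in ("http", "https"):
        return False
    # urlparse().hostname strips userinfo (https://trusted@evil) and ports,
    # so 'trusted.example@evil.example' correctly resolves to the evil host.
    host = (parsed.hostname or "").lower()
    return host in allowed_hosts


def resolve_redirect(target: str, fallback: str = "/") -> str:
    """Hardened redirect handler: return the target if safe, else a local fallback."""
    return target if is_safe_redirect_target(target) else fallback


def redirect_targets(url: str) -> list:
    """Extract the values of redirect-style query parameters from a link under triage."""
    query = parse_qs(urlparse(url).query)
    return [v for name, values in query.items()
            if name.lower() in REDIRECT_PARAMS for v in values]


def link_bounces_offsite(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True if a link carries a redirect parameter that leaves the allowlisted hosts."""
    return any(not is_safe_redirect_target(t, allowed_hosts) for t in redirect_targets(url))


if __name__ == "__main__":
    # Constructed sample of the kind of link seen in a phishing email.
    sample = "https://www.agency.example/contracts?url=https%3A%2F%2Fevil.example%2Flogin"
    print(link_bounces_offsite(sample))  # prints True
```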

The response to the vulnerability highlighted the work of a fledgling group of cybersecurity professionals who are volunteering their time to protect health care organizations during the COVID-19 crisis. The researchers, employed by well-known cybersecurity companies, are sending threat data to vulnerable organizations amid a swell in COVID-19-related phishing against multiple sectors.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.