A warning has been issued to the healthcare and public health (HPH) sector about an ongoing Monkeypox phishing campaign targeting U.S. healthcare providers that attempts to steal Outlook, Microsoft 365, and other email credentials.
Monkeypox is a highly contagious viral disease caused by a virus from the same family as smallpox. According to the Centers for Disease Control and Prevention (CDC), there have been almost 66,000 cases diagnosed globally in the current outbreak, and more than 25,100 cases in the United States.
Malicious actors often piggyback on major news stories and use these themes to conduct convincing phishing campaigns. Campaigns using monkeypox lures were therefore inevitable, and they are likely to continue and increase in line with the rising numbers of cases. Monkeypox and COVID-19-related phishing campaigns have a high success rate as there is considerable interest in the outbreak and concern about infections.
The Health Sector Cybersecurity Coordination Center (HC3) warns that these emails may be sent from the email account of an HPH-related entity that has previously been compromised, or from a non-HPH-related entity. When a phishing email is sent from a trusted email account it increases the probability of the email being opened.
The emails claim to offer important information about the current monkeypox outbreak in the United States and have the subject line, “Data from (Victim Organization Abbreviation): ‘Important read about -Monkey Pox– (Victim Organization) (Reference Number).’” The message body includes the text, “Please see the attached important read about ‘Monkey Pox’ for your reference. It is a good read; thought I’d share with you. Stay safe.”
The emails have a PDF attachment named “MPV Update_070722F.pdf”, although other names may also be used. The attached file includes a malicious hyperlink. If the user attempts to download the file, they will be directed to another website, where they are told they must enter their valid email credentials in order to view the file. If those credentials are entered, they will be harvested and used by the threat actor to remotely access the user’s email account.
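The indicators HC3 describes (subject wording, body wording, a PDF attachment) can be turned into a simple mail-triage check. The following is an added example, not part of the HC3 alert or the original page; the function names, the sample addresses and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string, policy

# Wording taken from the HC3 description above; \W* tolerates the varying quotes and dashes.
SUBJECT_RE = re.compile(r"important read about\W*monkey\s*pox", re.I)
BODY_RE = re.compile(r"attached important read about\W*monkey\s*pox", re.I)

def lure_indicators(raw):
    """Return the set of campaign indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set()
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(".pdf"):
            hits.add("pdf_attachment")  # any name: the alert says names vary
        elif name is None and part.get_content_type() == "text/plain":
            if BODY_RE.search(part.get_content()):
                hits.add("body")
    return hits

def is_likely_lure(raw):
    # The sender is deliberately not checked: the alert notes these messages
    # can come from a trusted account that was previously compromised.
    hits = lure_indicators(raw)
    return "pdf_attachment" in hits and bool(hits & {"subject", "body"})

def build_sample(subject, body, filename):
    """Constructed test message (not a captured email) with one PDF attachment."""
    return (
        f"From: colleague@partner.example\nSubject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        f'--b1\nContent-Type: text/plain; charset="us-ascii"\n\n{body}\n'
        "--b1\nContent-Type: application/pdf\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--b1--\n"
    )

LURE = build_sample(
    'Data from ABC: "Important read about -Monkey Pox- ABC (12345)"',
    'Please see the attached important read about "Monkey Pox" for your reference.',
    "MPV Update_070722F.pdf",
)
BENIGN = build_sample("Q3 budget", "Budget spreadsheet attached.", "budget.pdf")

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, sorted(lure_indicators(raw)), is_likely_lure(raw))
```

A match is a reason to quarantine the message for review, not proof of phishing; wording-based rules miss variants that reword the subject or body.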
Do not click on an attachment or a link in an email unless it is expected correspondence from a trusted address. If there is ANY doubt, verify the authenticity by contacting the sender in another way, meaning don’t reply to the email, but call or text the person directly with a trusted phone number.
What has been reported to email@example.com this past week?
- [Ext] BestBuy Sales Copy Charged $399.99 – an email, not coming from Best Buy or the Geek Squad, but from a Gmail account, wanting “Dear User” to click on an attachment
- [Ext] Q4 2022 Workplace and Corporate Policy – stating it was coming from “Human Resources”, but using an external email, this one wanting the recipient to click a link to agree to comply with a new policy
- [Ext] Receipt #MN16894924 – a scam that stated a charge has already been invoiced, but if they want to dispute the charge, they have to call a phone number. That’s when they get you! If you call the number, they will ask questions to verify who you are, like your credit card number or your banking information.
- [Ext] Order New ID #MN16907412 – a very similar Subject line received by another UTHSC individual, but with the same intent, to call a toll-free number to dispute a charge
- [Ext] Invoice INV-901926 – same as above, wanting the recipient to click on an attachment to see a fake invoice
- [Ext] WORK OFFER – this was sent to quite a few people with similar last names offering a too-good-to-be-true work opportunity
- ADMINISTRATIVE ASSISTANT REMOTE JOB – from a compromised account from another UT campus, this is another too-good-to-be-true work offer.
- Email Confirmation – another compromised UT account, the recipient was to click a link to verify their email address