Spoofed Healthcare Email Used for Identity Theft

November 2, 2020

Healthcare continues to be a preferred method for cyber attacks, and this attack features an impersonation of UnitedHealthcare in the form of a request for a claim.

Summary of Attack Target

  • Platform: Office 365
  • Payload: Malicious Link
  • Technique: Spoofing / Phishing

Overview of United Healthcare Phishing Scam

The email appears to originate from notifications@e-notifications.myuhc.com, which is an authorized UnitedHealthGroup Incorporated domain. However, this email is actually spoofed—authentication fails for this message and it is revealed the sending domain is actually ncswi.com. This domain is registered through a common hosting service and is not a CSC Corporate domain that the United Health Group belongs to.

The email states that the recipient is eligible for a health card overpayment refund and displays a "See My Claims" button in order to view the money the recipient could receive.

The button contains a concealed link that redirects the recipient to "http://azovmashprom.com.ua/sit...". The landing page mimics the official United Healthcare website, and is a form that requests the recipient to input their Full Name, and Date of Birth.


There is a search button provided for the recipient to click on, where they are notified of a refund entitlement in the amount of $683.34.


The recipient is then prompted to press start and is led to the final phase of the attack where they can enter all of their personal information including their Name, Social Security Number, and Driver's License Number.

If the recipient falls victim to this attack, their extremely sensitive and personally identifiable information is compromised. Attackers can use this information to commit multiple forms of fraud, including identity theft.

Why the UnitedHealthGroup Scam is Effective

The attacker uses a sense of urgency to encourage the recipient to check their status by stating that their claim may include time-sensitive information. They take this a step further by having multiple landing pages and promising a return of $683.34 if they submit their information.

To the recipient, this email appears to come directly from UnitedHealthcare. The attacker utilizes not only spoofing to deceive the recipient, but also incorporates the UnitedHealthcare logo and address into the email, increasing the appearance of legitimacy.

Abnormal is able to catch this attack due to the suspicious link, the unusual sender, and the fact that the email includes language that indicates that it may be attempting to steal financial information. In addition, this is an attack that we have seen in the past. Although it hasn't been active recently, the attack has now begun to resurface with little change.

To see how the Abnormal platform can protect you from spoofed emails, request a demo today.

Image

Prevent the Attacks That Matter Most

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.

Demo 2x 1

See the Abnormal Solution to the Email Security Problem

Protect your organization from the attacks that matter most with Abnormal Integrated Cloud Email Security.

Related Posts

B 05 13 22 Spring Product Release
This quarter, the team at Abnormal launched new features to improve lateral attack detection, role-based access control (RBAC), and explainable AI. Take a deep dive into all of the latest product enhancements.
Read More
B 05 11 22 Champion Finalist
Abnormal has been selected as a Security Customer Champion finalist in the Microsoft Security Excellence Awards! Here’s a look at why.
Read More
Blog series c cover
When we raised our Series B funding 18 months ago, I promised our customers greater value, more capabilities, and better customer support. We’ve delivered on each of those promises and as we receive an even larger investment, I’m excited about how we can continue to further deliver on each of them.
Read More
B 05 09 22 Partner Community
It’s an honor to be named one of CRN’s 2022 Women of the Channel. Here’s why I appreciate the award and what I love about being a Channel Account Manager at Abnormal.
Read More
B 05 05 22 Fast Facts
Watch this short video to learn current trends and key issues in cloud email security, including how to protect your organization against modern threats.
Read More
B 05 03 22
Like all threats in the cyber threat landscape, ransomware will continue to evolve over time. This post builds on our prior research and looks at the changes we observed in the ransomware threat landscape in the first quarter of 2022.
Read More
B 04 28 22 8 Key Differences
At Abnormal, we pride ourselves on our excellent machine learning engineering team. Here are some patterns we use to distinguish between effective and ineffective ML engineers.
Read More
B 04 26 22 Webinar Re Replacing Your SEG
Learn how Microsoft 365 and Abnormal work together to provide comprehensive defense-in-depth protection in part two of our webinar recap.
Read More
Blog mitigate threats cover
Learn about the most common socially-engineered attacks and why these tactics are still so successful—despite a growing awareness from employees.
Read More
B Podcast Engineering8
In episode 8 of Abnormal Engineering Stories, Kevin interviews Saminda Wijegunawardena, an engineering leader who is no stranger to fast-growing enterprise startups.
Read More
B 04 04 22 Webinar Recap Krebs
High-impact emails are on the rise and secure email gateways (SEGs) don’t have the functionality to mitigate them. Learn how your SEG is letting you down.
Read More
B 04 19 22 Facebook Phishing
While phishing emails have long been a popular way to steal Facebook login credentials, we’ve recently seen an increase in more sophisticated phishing attacks.
Read More