United Healthcare Scam - Abnormal Security

United Healthcare Scam

In this attack, the attacker uses spoofing to impersonate United Healthcare and deliver a phishing campaign.

Quick Summary of Attack Target

Platform: Office 365
Mailboxes: more than 50,000
Payload: Malicious Link
Technique: Spoofing / Phishing

What was the attack?

Setup: This attack features an impersonation of United Healthcare in the form of a request for a claim. The attacker uses a method known as spoofing.

Email Attack: The email appears to be originating from notifications@e-notifications.myuhc.com, which is an authorized UnitedHealthGroup Incorporated domain. However, this email is actually spoofed – authentication fails for this message and it is revealed the sending domain is actually ncswi.com. This domain is registered through a common hosting service and is not a CSC Corporate domain that the United Health Group belongs to.

Payload: The email contains a concealed link that redirects the recipient to http://azovmashprom.com.ua/sites/cob/. The landing page mimics the official United Healthcare website, and is a form that requests the recipient to input their Full Name, and Date of Birth. There is a search button provided for the recipient to click on, where they are notified of a refund entitlement in the amount of $683.34. The recipient is then prompted to press start and is led to the final phase of the attack where they can enter all of their personal information including their Name, Social Security number, and driver’s license information.

Result: If the recipient falls victim to this attack, their extremely sensitive and personal identifiable information is compromised. Attackers can use this information to commit multiple forms of fraud, including identity theft.

Why is this attack effective?

Urgency: The attacker uses a sense of urgency to encourage the recipient to fall subject to this attack by stating that their claim may include time sensitive information.

Convincing email and landing page: To the recipient, this email appears to come directly from UnitedHealthcare. The attacker utilizes not only spoofing to deceive the recipient, but also incorporates the UnitedHealthcare logo and address into the email, increasing the appearance of legitimacy.

Trend: This is an attack that we have seen in the past. Although not active for an extended period of time, the attack has begun to resurface with little change. It is important to highlight the impact to customers since the type of information that is being requested is very sensitive and can be extremely damaging if not made aware.

Related content