In this attack, the attacker uses spoofing to impersonate United Healthcare and deliver a phishing campaign.
Setup: This attack features an impersonation of United Healthcare in the form of a request for a claim. The attacker uses a method known as spoofing.
Email Attack: The email appears to originate from email@example.com, an authorized UnitedHealthGroup Incorporated domain. The message is spoofed, however: sender authentication fails, and the actual sending domain turns out to be ncswi.com. That domain is registered through a common hosting service and is not part of the CSC Corporate Domains portfolio to which UnitedHealth Group's legitimate domains belong.
Payload: The email contains a concealed link that redirects the recipient to http://azovmashprom.com.ua/sites/cob/. The landing page mimics the official United Healthcare website and presents a form asking for the recipient's full name and date of birth. Clicking the search button then tells the recipient they are entitled to a refund of $683.34. Pressing Start leads to the final phase of the attack: a form that collects the recipient's personal information in full, including name, Social Security number, and driver's license details.
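The two tells in the email and payload sections, a From domain that does not match the domain that actually passed authentication, and a link whose visible text hides its real destination, are both machine-checkable. The script below is an added example, not code from Abnormal Security or from the campaign. Both messages in it are constructed for illustration: uhg.example is a hypothetical placeholder for the authorized corporate domain, the Authentication-Results line is what a receiving MTA would typically stamp, and ncswi.com and azovmashprom.com.ua are the domains named in this write-up.

```python
"""Flag a spoofed sender and a concealed link in a raw RFC 5322 message.
Added example; the sample messages below are constructed, not real captures."""

import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed spoofed message modelled on the campaign (uhg.example is a placeholder).
SPOOFED_EMAIL = """\
Return-Path: <bounce@ncswi.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=ncswi.com; dkim=pass header.d=ncswi.com; dmarc=fail header.from=uhg.example
From: "UnitedHealthcare Claims" <claims@uhg.example>
To: member@example.net
Subject: Your claim may include time sensitive information
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>A claim has been filed on your behalf. Please review it promptly.</p>
<p><a href="http://azovmashprom.com.ua/sites/cob/">https://www.uhg.example/claims/review</a></p>
</body></html>
"""

# Constructed legitimate counterpart: envelope, SPF, DKIM and link all align with the From domain.
LEGIT_EMAIL = """\
Return-Path: <bounce@mail.uhg.example>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=mail.uhg.example; dkim=pass header.d=uhg.example; dmarc=pass header.from=uhg.example
From: "UnitedHealthcare Claims" <claims@uhg.example>
To: member@example.net
Subject: Your claim summary
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p><a href="https://www.uhg.example/claims/review">Review your claim</a></p></body></html>
"""

AUTH_RE = re.compile(r'(spf|dkim|dmarc)=(\w+)(?:[^;]*?(?:smtp\.mailfrom|header\.d|header\.from)=([\w.-]+))?')
HOST_IN_TEXT = re.compile(r'(?:https?://)?([\w.-]+\.[a-z]{2,})', re.I)


def aligned(a, b):
    """Relaxed-alignment approximation: same domain, or one is a subdomain of the other.
    Real DMARC alignment compares organizational domains via the Public Suffix List."""
    a, b = a.lower(), b.lower()
    return a == b or a.endswith('.' + b) or b.endswith('.' + a)


def parse_auth_results(value):
    """Map each method in an Authentication-Results header to (verdict, authenticated domain)."""
    return {m: (v.lower(), d.lower() or None) for m, v, d in AUTH_RE.findall(value)}


class LinkCollector(HTMLParser):
    """Collect [href, visible text] pairs for every anchor in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._in_anchor = [], False

    def handle_starttag(self, tag, attrs):
        if tag == 'a':
            self.links.append([dict(attrs).get('href') or '', ''])
            self._in_anchor = True

    def handle_data(self, data):
        if self._in_anchor:
            self.links[-1][1] += data

    def handle_endtag(self, tag):
        if tag == 'a':
            self._in_anchor = False


def concealed_links(html_body, from_domain):
    """Report anchors whose shown host differs from the real target, or that leave the sender domain."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        target = urlparse(href).hostname or ''
        if not target:  # mailto:, fragments and relative links carry no host
            continue
        shown = HOST_IN_TEXT.search(text)
        if shown and not aligned(target, shown.group(1)):
            findings.append(f'link text shows {shown.group(1).lower()} but points to {target}')
        elif not aligned(target, from_domain):
            findings.append(f'link to {target} is outside the sender domain {from_domain}')
    return findings


def analyze(raw):
    """Return the claimed From domain, the domain that actually authenticated, and all findings."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg['From']))[1].rsplit('@', 1)[-1].lower()
    envelope = parseaddr(str(msg['Return-Path'] or ''))[1]
    envelope_domain = envelope.rsplit('@', 1)[-1].lower() if '@' in envelope else None
    auth = parse_auth_results(str(msg['Authentication-Results'] or ''))
    findings = []
    if envelope_domain and not aligned(from_domain, envelope_domain):
        findings.append(f'From domain {from_domain} does not align with envelope sender {envelope_domain}')
    spf = auth.get('spf')
    if spf and spf[1] and not aligned(from_domain, spf[1]):
        findings.append(f'SPF passed for {spf[1]}, which does not align with {from_domain}')
    dkim = auth.get('dkim')
    if not dkim or dkim[0] != 'pass' or not dkim[1] or not aligned(from_domain, dkim[1]):
        findings.append(f'no aligned DKIM signature for {from_domain}')
    dmarc = auth.get('dmarc')
    if dmarc and dmarc[0] != 'pass':
        findings.append(f'DMARC {dmarc[0]} for {from_domain}')
    body = msg.get_body(preferencelist=('html',))
    if body is not None:
        findings.extend(concealed_links(body.get_content(), from_domain))
    actual = spf[1] if spf and spf[1] else envelope_domain
    return {'from_domain': from_domain, 'actual_sender': actual, 'findings': findings}


if __name__ == '__main__':
    for label, raw in (('spoofed', SPOOFED_EMAIL), ('legitimate', LEGIT_EMAIL)):
        result = analyze(raw)
        print(label, result['from_domain'], '->', result['actual_sender'], result['findings'])
```

On the spoofed sample the report names ncswi.com as the domain that really authenticated, lists the DMARC failure, and calls out the anchor whose text shows a uhg.example URL while pointing at azovmashprom.com.ua; the legitimate sample produces no findings. The `aligned` helper is a deliberate simplification: production code should use the Public Suffix List so that, for example, a link to a lookalike host ending in the legitimate domain's name is not mistaken for a subdomain.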
Result: If the recipient falls for this attack, their highly sensitive personally identifiable information is compromised. Attackers can use it to commit multiple forms of fraud, including identity theft.
Urgency: The attacker creates a sense of urgency by stating that the claim may include time-sensitive information, pushing the recipient to act before scrutinizing the message.
Convincing email and landing page: To the recipient, the email appears to come directly from UnitedHealthcare. Beyond spoofing the sender, the attacker includes the UnitedHealthcare logo and address in the email, increasing its apparent legitimacy.
Trend: We have seen this attack before. Although it was not active for an extended period, it has resurfaced with little change. The impact on customers is worth highlighting: the information requested is very sensitive, and its loss can be extremely damaging if recipients are not made aware of the scam.
© 2020 Abnormal Security Corporation.
All rights reserved.