An alert from the Department of Health and Human Services' Cybersecurity Coordination Center is warning healthcare providers that a phishing campaign is using a malicious Evernote website is targeting healthcare employees. ("Evernote Meetup Paris" by Heisenberg Media is licensed under CC BY 2.0.)

Healthcare provider organizations are being targeted with a phishing campaign that uses a secure message theme in an attempt to harvest credentials, according to a recent notice from the Department of Health and Human Services Cybersecurity Coordination Center alert.

The malicious emails lure victims to a malicious Evernote website, which mimics a legitimate webpage. The ongoing malspam campaign uses a subject line that includes the targeted organization’s name, the date, and “business review.”

The email contains a malicious link that, when clicked, sends the user to a page tailored to their organization. The webpage includes an HTML download, which is actually a malicious phishing Trojan containing a JavaScript that acts like a legitimate application to trick the user into inadvertently executing the payload onto the device. 

“Once installed, a Trojan can perform the action it was designed for — damaging, disrupting, stealing, or inflicting harm on your data or network,” according to the alert. For the Evernote campaign, the Adobe- and Microsoft-themed page then attempts to harvest Outlook, IONOS, AOL, or other credentials.”

HC3 warned the campaign may have used business email compromises (BECs) of entities from the healthcare sector and other industries.

Entities are being urged to update all operating systems and software applications to defend against vulnerability exploits, while bolstering password management policies to reflect best practice standards.

Healthcare is highly vulnerable to phishing attacks due to its high employee turnover and influx of new employees who may not have the necessary cybersecurity training, according to a 2019 Journal of the American Medical Association report.

Fortunately, the same JAMA study confirmed workforce training and education effectively reduce healthcare’s cyber risk. Specifically, phishing simulation was proven to generate awareness and strengthen the effectiveness of phishing education when those simulated emails appear as legitimate phishing emails.

When an employee opens the simulation, it provides “a real-time opportunity to provide short phishing education to the employee,” according to the report. “Increasing campaigns were associated with decreased odds of clicking on a phishing email, suggesting a potential benefit of phishing simulation and awareness.

“Employee awareness and training represent an important component of protection against phishing attacks,” the researchers added. “It only takes one successful phishing email, sent to one user, to shut down a critical system, potentially disrupting care across an entire organization.”

The HC3 alert on the Evernote campaign contains post request domains, the names of the malicious file attachments, MD5 hashes included in the attachments, and malicious URLs. Entities should review the alert to effectively defend against the ongoing attacks.