Friday, November 1, 2013

Fake Affordable Care Act Websites

I saw this story about fake Affordable Care Act (ACA) sites that came through my news feed today.  I love this story. I actually tried to find a few fake sites using Google searches, but I didn't find sites immediately (and I'm lazy, so I just started writing this instead).

I've been using fake insurance/health benefits sites in my social engineering attacks for years.  It's one of my "go to" techniques.  But of course, here the attackers are taking advantage of the fact that everyone has seen information about the ACA in the news.  I'll be starting a new SE engagement this month and you can bet I'll be mentioning the ACA in my emails and phone calls (I'm opportunistic like that...).

But if you missed the story before (or thought it was hogwash), pay heed.  Real attackers (you know, guys without a CFAA letter) are using this.  If you run a security program, now might be the time to let your employees know to be on the lookout for this specific attack.  You might think that a gentle reminder about generic security and social engineering threats would be more effective than honing in on a specific attack.  I'm here to tell you that's not the case.  It's been my experience that warning about specific attack scenarios has a much higher (short term) rate of return.

Do your users a favor, tell them to be suspicious if contacted about ACA related issues, particularly if not being directed to a .gov website.  Tell users not to rely on seeing their company name in a URL.  I regularly create subdomains in my SE sites, so users will click on http://companyname.evilsite.com.  I find the warnings telling users to check for "secure" sites to be relatively hilarious.  It takes less than nothing to get an SSL cert for your site.  Any attacker worth their salt has purchased a certificate, so this isn't a reliable check either.  Bottom line: your users need to know what's currently being used in attacks.  Yes, they should be always vigilant.  But I view these warnings like knowing where the local speed traps are.  You should always drive the speed limit, but knowing where the speed traps are will help you avoid getting a ticket even if you do live on the edge.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.