Threat actors are conducting a targeted phishing campaign impersonating the pharmaceutical company Pfizer, with the objective of stealing business and financial information from victims. Many of these fraud campaigns capitalize on the COVID-19 vaccine that the drug firm produces.
The actors behind this campaign appear diligent in their phishing operations, unlike many of the more dubious attempts to defraud by email. The hackers, for example, combine “clean” PDF attachments with newly registered domains that pose as official Pfizer online spaces.
The intention is for users to fill out the form with their bank details and email it back to the fraudsters. Because the PDF does not contain any malware, it bypasses most types of email antivirus software.
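Because the attachment itself is clean, attachment scanning has nothing to flag, and a filter has to look at sender metadata instead. The following Python example is added here for illustration and is not from the article or from Zix | AppRiver; the domain `pfizer-supply.example`, the registration-date table (a stand-in for a WHOIS/RDAP lookup), the 30-day threshold and the allow-list are constructed assumptions.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

BRAND = "pfizer"
OFFICIAL_DOMAINS = {"pfizer.com"}   # assumption: allow-list kept by the defender
NEW_DOMAIN_DAYS = 30                # assumption: cut-off for "newly registered"
# Constructed registration data; a deployment would query WHOIS/RDAP instead.
REGISTERED = {"pfizer-supply.example": date(2021, 12, 1)}

# Constructed sample message; the attachment body is only a PDF header.
SAMPLE_EML = """\
From: "Pfizer Procurement" <orders@pfizer-supply.example>
To: buyer@customer.example
Subject: Urgent: Request for Quotation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please complete the attached form and return it by email.
--b1
Content-Type: application/pdf; name="RFQ.pdf"
Content-Disposition: attachment; filename="RFQ.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

def is_official(domain):
    return any(domain == d or domain.endswith("." + d) for d in OFFICIAL_DOMAINS)

def assess(raw, today):
    # Returns the list of metadata findings for one raw RFC 5322 message.
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if (BRAND in domain or BRAND in display.lower()) and not is_official(domain):
        findings.append("brand_impersonation")
    registered = REGISTERED.get(domain)
    if registered and (today - registered).days <= NEW_DOMAIN_DAYS:
        findings.append("newly_registered_domain")
    has_pdf = any(p.get_content_type() == "application/pdf" for p in msg.walk())
    if has_pdf and findings:
        findings.append("pdf_form_from_untrusted_sender")
    return findings
```

The PDF finding is raised only alongside a sender finding, since a PDF from an allow-listed domain is ordinary business mail.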
Looking at this malicious activity for Digital Journal is David Pickett, Senior Cybersecurity Analyst at Zix | AppRiver.
Pickett says that the timing of the fraud is aimed at a point when people are distracted and preoccupied: “At a time when hospitals and patients are strained due to increasing COVID numbers, threat actors will continue to attack organizations as long as the financial gain for personally identifiable information and medical records exists.”
Looking at the specific forms of attack, Pickett notes: “Email attackers are increasingly using customized spear phishing campaigns to target users, as we observed recent phishing campaigns where attackers masked their malicious intentions as urgent Pfizer product supply orders.”
There has been some success, but challenges remain, says Pickett: “While we blocked this attack targeting customers, this is a great reminder for companies to examine their email security and backup solutions.”
Pickett adds that: “When available, organizations should implement multi-factor authentication which helps provide an extra authentication layer for verifying user logins. Organizations should use end-to-end email encryption for any message containing confidential or personally identifiable information and ensure their email security solution is capable of dynamically analyzing email attachments and URLs.”
Pickett further recommends: “If there is any suspicion about a message or transaction, it never hurts to call the sender. Most will be glad of your security protocols in place to help prevent fraud.” Pickett concludes with further best practices to consider: “Companies should also implement and periodically conduct security awareness training that encourages employees to flag suspicious messages and attachments received via email. With ransomware attacks at all-time highs, a quality backup solution to ensure data integrity and availability are a must to ensure continuity of business for a worst-case scenario.”