Abstract

Phishing, the practice of obtaining computer credentials from users through manipulation or deceit, dates back at least 20 years to America Online (AOL), where users would impersonate AOL staff members and send instant messages to other users convincing them to disclose their passwords or credit card numbers. The term itself was coined by Koceilah Rekouche, a hacker known online by the pseudonym "Da Chronic," who created a tool for automating and accelerating this process in 1995. The manual process had sometimes been called fishing (as in fishing for passwords), and Rekouche termed the password-stealing function of his software "phishing"—the term stuck, and the behavior has subsequently expanded far beyond AOL over the last two decades.

The email above was sent to users at our hospital and is one of many like it we receive every month. It encourages recipients to click a link where they are asked to enter their username and password. However, the site is operated not by our IT department but by hackers seeking to gather passwords. When a user takes the bait and enters a password on the hacker's site, the hacker gains the ability to access a range of online services by impersonating the user. While most users who receive an email like this one should know better than to click the link, phishing exercise results show otherwise. Users do fall victim to these manipulations, and some provide information, such as passwords, that is useful to hackers. The success of phishing messages is often tied to realism and authority—they may appear to be from an authority such as a hospital IT department and warn users that their accounts will be shut off if they don't "update" them by entering their passwords.

Phishing websites, which users access after clicking links in emails, are often designed to mimic institutional sites with misappropriated logos and similar designs, and they have addresses that resemble official sites, sometimes with minor misspellings or a lowercase letter L replaced with the number 1. Over time, phishing attacks have become more sophisticated, with higher-quality emails and more convincing sites for capturing credentials. Although many phishing attacks are indiscriminate, targeting large numbers of users, a variant called "spear phishing" focuses on smaller groups of users or even specific individuals. Spear phishing attacks can be particularly effective because they can be carefully targeted to the sorts of links and deception most likely to trap a particular user—for example, a note apparently from the user's boss or even a journal that the user regularly submits to.
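The lookalike-address trick described above (a misspelled institutional name, or a lowercase L swapped for a 1) is something a mail gateway or help desk can screen for mechanically. The following is an added example, not code from the paper or its authors: a small Python triage script that extracts the links from an email body and compares each link's domain against a set of domains the institution actually uses, folding confusable characters and tolerating a couple of typos. The trusted-domain set, the confusable-character map and the sample email text are all constructed for illustration, and the registrable-domain helper uses a naive "last two labels" rule rather than the Public Suffix List.

```python
"""Lookalike-domain triage for links found in a suspicious email.

Added example (not from the paper). Assumptions: the trusted-domain set,
the confusable-character map and the sample email are constructed for
illustration; registrable_domain() uses a naive "last two labels" rule
instead of the Public Suffix List.
"""
import re
from urllib.parse import urlparse

# Characters attackers swap for visually similar ones (assumed map; extend as needed).
# Applied to both the candidate and the trusted name, so "l" and "1" compare equal.
CONFUSABLES = {
    "1": "l", "|": "l", "!": "i", "0": "o", "5": "s", "3": "e",
    "rn": "m", "vv": "w",
}

# Constructed set of domains the institution legitimately uses.
TRUSTED = {"examplehospital.org"}

# Constructed phishing email body, modelled on the "update your account" lure.
SAMPLE_EMAIL = """\
From: IT Service Desk
Your mailbox is over quota and will be shut off in 24 hours.
Update your account now: https://examp1ehospital.org/account/update
Thank you, IT Department
"""


def normalize_host(host):
    """Lower-case the host and fold confusable characters into canonical form."""
    host = host.lower().strip(".")
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def levenshtein(a, b):
    """Edit distance; catches single-character typosquats such as 'hospitl'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Naive registrable domain: last two labels (assumption; use the PSL in production)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify_url(url, trusted, max_distance=2):
    """Return (verdict, matched_domain) for one URL.

    Verdicts: trusted, lookalike (confusable or near-miss spelling),
    brand-reuse (trusted brand used as a label inside an unrelated domain), unknown.
    """
    host = (urlparse(url).hostname or "").lower()
    if not host:
        return ("unparseable", "")
    reg = registrable_domain(host)
    if reg in trusted:
        return ("trusted", reg)
    norm = normalize_host(reg)
    for t in sorted(trusted):
        t_norm = normalize_host(t)
        if norm == t_norm or levenshtein(norm, t_norm) <= max_distance:
            return ("lookalike", t)
    # The brand may also be buried in a subdomain or hyphenated label of another domain.
    labels = re.split(r"[.-]", host)
    for t in sorted(trusted):
        if t.split(".")[0] in labels:
            return ("brand-reuse", t)
    return ("unknown", reg)


def triage_links(email_text, trusted):
    """Extract every http(s) link from an email body and classify its host."""
    urls = [u.rstrip(".,;)") for u in re.findall(r"https?://[^\s<>\"']+", email_text)]
    return [(u,) + classify_url(u, trusted) for u in urls]


if __name__ == "__main__":
    for url, verdict, matched in triage_links(SAMPLE_EMAIL, TRUSTED):
        print(f"{verdict:12} {url}  (closest trusted: {matched or '-'})")
```

Run against the constructed sample, the script flags `examp1ehospital.org` as a lookalike of `examplehospital.org` because the digit 1 folds to a letter L. The edit-distance threshold is a trade-off: two edits is generous enough to catch dropped or transposed letters but will also flag short, unrelated domains that happen to sit near a trusted one, so a verdict of "lookalike" is a reason for a human to look, not an automatic block.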
