The UK’s National Health Service (NHS) has suffered a phishing attack that saw 113 NHSmail email accounts compromised and used to send malicious emails to external recipients.
According to NHS Digital, the breach occurred between Saturday, May 30, 2020 and Monday, June 1, 2020. While 113 email accounts represent a sizeable breach, NHS Digital points out that only 0.008% of its email accounts were compromised. The attack appears to be part of a broader phishing campaign targeting many organizations in the United Kingdom and beyond.
The initial findings of the investigation suggest that this was a spray and pray campaign in which the attackers attempted to compromise as many email accounts as possible, rather than a targeted attack on the NHS.
NHS Digital has reported the breach to the National Cyber Security Centre (NCSC) and is assisting in the investigation. So far, no evidence has been found to suggest patient information was compromised.
NCSC said this campaign has been ongoing since at least July 2018 and was the subject of an NCSC warning in October 2019 following a spike in email account breaches. The phishing campaign is indiscriminate, but the emails are personalized to some degree, which makes it more likely that the recipient will open the message and take the requested action.
The emails appear to have been sent from a legitimate email account that the recipient has had some dealings with in the past. The subject line is built from the address-book entry for the recipient, either their name or their email address; in some cases the subject line is blank.
The body of the phishing emails contains very little text, typically only an ellipsis (…) followed by “Notification received” and a hyperlink with the anchor text “View notification.” Several variations have been identified, all of which are similarly simplistic.
Clicking the link in the email directs the user to a web page on a domain controlled by the attacker, where they are required to enter credentials to view the fake message. NCSC previously reported that several email accounts had been compromised without the user entering credentials on the phishing page, and suggested this could be due to the attackers using password spraying to access email accounts with weak passwords.
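The lure described above has a recognisable shape (blank or address-book-derived subject, near-empty body with “Notification received”, a “View notification” link to an outside host), which a mail-filtering team can score on. The following is an added example written for this page, not NHS Digital or NCSC tooling; the `Email` record, the `OWN_DOMAINS` placeholder and the two sample messages are constructed.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Assumed set of the defender's own mail domains (placeholder, not a real NHS domain).
OWN_DOMAINS = {"example-trust.nhs.uk"}

@dataclass
class Email:
    recipient: str        # recipient's address
    recipient_name: str   # display name as held in address books
    subject: str
    body: str             # plain-text body
    links: list = field(default_factory=list)  # (anchor_text, url) pairs

def subject_matches_pattern(msg: Email) -> bool:
    """Blank subject, or subject equal to the recipient's name or address."""
    s = msg.subject.strip().casefold()
    return s in ("", msg.recipient_name.casefold(), msg.recipient.casefold())

def body_is_minimal_lure(msg: Email) -> bool:
    """Almost no text beyond an ellipsis and the 'Notification received' phrase."""
    text = re.sub(r"[\s.\u2026]+", " ", msg.body).strip()
    return len(text) <= 60 and "notification received" in text.casefold()

def has_external_view_link(msg: Email) -> bool:
    """A 'View notification' anchor whose URL host lies outside OWN_DOMAINS."""
    for anchor, url in msg.links:
        if anchor.strip().casefold().rstrip(".") != "view notification":
            continue
        host = (urlparse(url).hostname or "").casefold()
        if not any(host == d or host.endswith("." + d) for d in OWN_DOMAINS):
            return True
    return False

def lure_indicators(msg: Email) -> list:
    """Names of the indicators that fire; all three together is a strong match."""
    checks = [("subject_blank_or_addressbook", subject_matches_pattern),
              ("body_notification_received", body_is_minimal_lure),
              ("external_view_notification_link", has_external_view_link)]
    return [name for name, fn in checks if fn(msg)]

# Constructed sample messages (not real captured mail).
LURE = Email("j.smith@example-trust.nhs.uk", "Smith, Jane", "Smith, Jane",
             "\u2026 Notification received",
             [("View notification", "https://lure-host.invalid/login")])
BENIGN = Email("j.smith@example-trust.nhs.uk", "Smith, Jane", "Rota for next week",
               "Hi Jane, the updated rota is attached. Notification received from HR as well.",
               [("View notification", "https://intranet.example-trust.nhs.uk/hr/1")])
```

Because the sender is a genuine, previously-seen account, sender reputation alone will not catch this; the three content indicators firing together is the signal worth quarantining or alerting on.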
In addition to performing a password reset on the affected email accounts, NHS Digital has contacted all users who have similar accounts and has requested they change their password. NHS Digital has also stepped up monitoring of its email accounts in the wake of the attack.