Email security firm INKY discovered a phishing campaign leveraging compromised NHS email accounts to send thousands of malicious emails to unsuspecting people.
The campaign started in October 2021 and accelerated in March 2022 with 1,157 phishing emails sent from NHSmail accounts.
The malicious emails targeted Microsoft credentials via fake document notifications that redirected users to credential harvesting sites.
Hackers compromised 139 NHS email accounts in a phishing campaign
INKY discovered that 139 compromised NHS email accounts participated in the 5-month long phishing campaign.
With the NHS serving over 27,000 organizations via the NHS email system, INKY suggested that the phishing campaign involved only a tiny percentage of the “tens of millions of individual email users.”
However, the magnitude of the phishing campaign remains unknown since INKY only detected phishing emails sent to its customers.
Additionally, the researchers suggested that the phishing campaign could produce new compromised email accounts daily.
According to Comparitech, 764,331 U.K public servants received at least 2.7 billion malicious emails in 2021. Receiving an average of 2,399 phishing emails each, U.K. public service workers clicked on 58,000 malicious emails. The technology website noted that NHS digital was highly targeted, receiving 89,353 malicious emails. In 2021, the UK’s National Cyber Security Centre (NCSC) removed over 1,400 NHS-themed phishing campaigns.
“Perhaps this is a moment to introduce the idea that phish can be like a leak in the boat. It doesn’t matter that the hole is small. It will still sink the boat eventually.”
According to INKY, while credential harvesting could be “small potatoes,” compromised credentials could be recycled and leveraged in more devastating attacks.
INKY reported its finding to the NHS on April 13, and the number of phishing emails reduced to a few messages per day. By April 19, the phishing campaign had most likely ended with INKY receiving practically no messages from hacked NHS email accounts.
The NHS responded by saying that its partners in the NHSmail service had mitigations to prevent such incidents. Additionally, the NHS noted that individual organizations had their email security practices to respond to such issues.
“NHS organizations running their own email systems will have similar processes and protections in place to identify and coordinate their responses, and call upon NHS Digital assistance if required,” the agency said.
INKY suggested that the compromise originated from NHS’s migration from on-premise servers to Microsoft Exchange online services in February 2021.
However, INKY and the NHS confirmed that the compromise affected individual email accounts instead of the entire NHSMail system.
The email security firm also ruled out email spoofing by validating all phishing emails against nhs.net and confirmed that they originated from legitimate NHS email accounts.
Additionally, INKY confirmed that the phishing emails were relayed from two IP addresses used by the NHS.
Fraudsters exploited NHS email accounts in credential harvesting and advance-fee scams
INKY noted that emails sent in the phishing campaign impersonated Microsoft and Adobe using their logos, while some were advance-fee scams.
Similarly, all emails sent in the phishing campaigns displayed an NHS email footer to fake the legitimacy of the phishing messages.
According to INKY, whether the target replied to the advance fee scam or not, they received a response from purported Jeff Bezos’ special secretary on International Affairs, “Shyann Huels.” The name was prominent in previous cryptocurrency scams that cost investors hundreds of thousands of dollars.
This time, the imposter informed the recipients they were the winners of a $2 million windfall to be processed on payment of a small handling fee. Any attempt to accept the prize money risks exposing personally identifiable information and losing the handling fee.
INKY advised users to confirm the sender’s email address and links to ensure they originated from the purported sender.
“Most emails in this campaign claimed to be from Adobe or Microsoft, but nhs[.]net is not an Adobe or Microsoft domain,” Roger Kay, INKY VP of Security Strategy, wrote. “The links in them did not belong to these organizations, either.”