Earlier this week, we wrote about a phishing email scam disguised as an official OCR audit communication from the U.S. Department of Health and Human Services (HHS). The email prompts recipients to click a link regarding possible inclusion in the HIPAA Privacy, Security, and Breach Rules Audit Program, and then directs people to a non-governmental website, marketing a firm’s cybersecurity services. There has since been more information uncovered about this scam. Here is what we now know:
- The phishing email originates from the email address OSOCRAudit@hhs-gov.us.
- Users are directed to the URL http://www.hhs-gov.us.
- The real, official email address for the HIPAA audit program is OSOCRAudit@hhs.gov
A Deeper Dive on HHS Phishing Email ScamNote the subtle difference between the real domain name, hhs.gov, and the fake domain name, hhs-gov.us. These subtle differences are a key component of phishing scams. Also notice the scammer took care to research the email user handle, OSOCRAudit. It's easy to get the real email mixed up with the fake email if you skim the message, which is how most of us read email these days (especially on mobile). A further look at the bogus domain name (hhs-gov.us) reveals:
- It was registered by an "Elias Castillo" via GoDaddy. The person most likely does not exist.
- It was registered on Friday, 18 November 2016. The scam was detected by November 28th, only ten days later.
- GoDaddy has already disabled the bogus site and replaced it with their splash page.
At Paubox, our HIPAA compliant email service also includes robust email security, including state of the art phishing protection. We incurred no known incidents of our customers getting this scam email. We consider it a big red flag if email is sent from domains that have been recently purchased, especially within ten days. Think about it: Receiving email from newly purchased domains like hhs-gov.us is a big tip off that it's likely a scam.
Jeremiah Grossman, Chief of Security Strategy at SentinelOne, adds: “Security controls protecting data breaches don’t have to be expensive or even sophisticated, but they do have to be intelligent and increase visibility. As we can see, something as simple and effective as monitoring the age of the domain names of incoming email can provide telltale signs of a phishing scam.”
Looking ahead to 2017: It's Too Easy to Register Domain Names
We believe that companies that provide domain name services, like GoDaddy, should require their customers to provide more proof of identity when purchasing domains. This is even more important with domains ending in .us. Did you know there are even companies that allow automated, bulk purchasing of domain names? With the amount of damage phishing, malware and ransomware attacks do, we see little reason why purchasing a domain name in 2017 should be allowed to remain so easy to do, with little or no proof of identity, or human interaction required.
SEE RELATED: Phishing Alert, Fake OCR Email Making the Rounds