Introduction

Many security firms have reported a growing number of phishing attacks this year. PhishLabs report an increase of 41% in the second quarter alone, and eSentire affirms that biotechnology and technology companies accounted for the most important volume of attacks per “active internet device,” which shows the growing importance of this industry in the eyes of cyber-criminals.

Why Phish Biotechnology Companies?

The main motivation of the hackers to phish biotechnology companies is money, whether it is the direct target or not. Indeed, hackers can send phishing emails to biotechnology company employees to collect financial information directly or to collect other sensitive data the company retains in order to trade it in the black market. Another possible objective, although indirect, makes the sector specifically at risk because of the nature of the biotechnology companies’ activities. Several companies conduct clinical trials and other research studies leading them to deal with patient information, which should always be considered highly sensitive. The most sensitive feature that these companies have at their disposal is DNA data, which, if stolen, gives plenty of possible realistic scenarios in today’s world.

These are just a few simple examples of what these scenarios might be:

  • Bioengineering is becoming more and more easy, and today cheap and fast solutions exist to acquire advanced knowledge and become a bioengineer. This makes replicating copies of DNA using illegal ways possible, as long as one is equipped (i.e. Organized criminal groups). And in its turn, this possibility may lead to make pirate copies of patented biotechnology products such as specific medicines and sell them much cheaper than the original product, using illegal ways. This is particularly dangerous for human health, as these products escape all the quality controls and the regulatory procedures.
  • Furthermore, at the research and development stage, and when the product is not even patented, the hacker gets access to a precious economically scalable product information, which he has the possibility to use or sell at very high prices, especially given the fact that in 2010, the intellectual property right market of drug formulation was estimated to $75 billion by the US National Association of Boards of Pharmacy.
  • Gathering biotech data can give the possibility to hold information about what might be potentially used as a bioweapon (i.e. The genetic code of an infectious bacteria or a virus). This may lead to massive human losses or just serve as a mean to require ransoms.
  • Genetic information itself can be sold to criminal organizations that may use it in unethical and criminal ways, which include, for instance, identity theft.

In the end, phishing might have disastrous consequences for the biotechnology company. This ranges from losing business opportunities to losing the trust of clients and investors, and paying HIPAA fines if the company is dealing with protected health information (PHI).

How Are Biotechnology Companies Phished?

According to the PhishMe 2017 Phishing Defense Guide, the average individual response rate to phishing campaigns targeting the pharma and biotechnology sector is estimated at 30%, which is a relatively high rate. This is attributed to different scenarios and phishing emails topics, of which the ones leading to the highest response rate are:

  • “Sent From Phone” (41.6% response rate);
  • “Forgot Attach.” (39.3%);
  • “Employee Statisf.” (32.3%);
  • “File From Scanner” (30.4%);
  • “Please Review Co.” (28.6);

Other low response rate scenarios reported in the guide include also “Order Confirm” and “Package Delivery” for instance. This shows that it is easy to lure the vigilance of the employees by simply sending generic phishing emails.

PhishSim’s realistic phishing email templates can trip up all but your most tech-savvy employees, giving them a safe method to learn more about the dangers of phishing.

One example of a large phishing campaign, and where half of the targets were biotech companies, is the “Fin4” attack of 2013. The campaign was led by native English-speaking hackers who sent highly personalized phishing emails to top-management, legal counsel, regulatory officers, compliance officers, and scientists involved with more than 100 organizations. The hackers’ goal was to access confidential information on clinical trials, regulatory affairs as well as safety issues to influence the biotech company’s price in the stock market and obviously make money out of it. Some of the emails even contained internal confidential documents that the hackers have stolen from these companies before. The method used by hackers to steal data was not to install a malware in the device’s victim, but rather to steal email credentials in order to be able to login to the victims’ emails. To do so, the link attached to the phishing email redirected to lured individual to a fake platform asking to login with the person’s email information to get access to the attachment.

Another way of getting the email credentials was to embed in the email a small app, which, once in the computer, launches a dialog box stating that the session has expired and that login again is needed. This way, the hackers could not only enter the inbox of their victims and have access to sensitive and confidential information, but also control attempts to stop their attacks. For instance, they configured the inbox to delete any incoming email with the words “hack” and “phish”. They could lure their victims because they had an advanced knowledge of investment banking and they customized their emails accordingly. For example, they pretended in some cases to be interested investors, and in one case targeting a top manager, they simulated being one of the long-term clients this manager was responsible for, and they pretended that they found in an investment forum some negative feedback from the company’s employee about its leadership. Yet in another email, they acted like a consultant for a company in the context of a possible acquisition. In some other emails, hackers used some techniques to alarm and scare the reader, and in which they raised alerts about disclosure of some of the traded company’s secrets about pending transactions, with the aim to launch a panic wave among investors and shareholders of such companies. They used Tor browser, which gives them fewer chances to be tracked.

Three Strategies for Preventing Biotech Phishing

Educate

Your employees, as the first victims of phishing attacks, are the key to effective prevention. Therefore, raising awareness among them through a phishing educational program is the minimum you can do. InfoSec Institute has a comprehensive and interactive program to help you do so. The SecurityIQ service comprises an educational tool called AwareEd, which makes your employees learn fast while having fun. This tool allows you as a trainer to design a highly customized content depending, for instance, on your needs and the category of employees you want to educate. In the end, you are sure that your employees are actually learning because you can follow their progress online and have statistics on that.

Interactive modules in AwareEd cover password security, malware, social engineering, and other vital concepts.

Test

Theory is good. Practice is better. Therefore, PhishSim, another tool of SecurityIQ, gives the opportunity to your employees to practice. You only have to draw some “fake” phishing emails in our platform and send them to any employee you want to test. If an employee opens the email and clicks on the compromised link or attachment, he or she ends-up in a page where he or she can visualize a video about phishing and how to avoid it. This completes well the educational component provided through AwareEd. That said, and for the best possible effectiveness, we recommend using both AwareEd and PhishSim in tandem, and not to reveal that you are testing your employees via PhishSim to ensure that they aren’t specifically looking out for a phishing attack only in the short term. Training with PhishSim is all about long-term awareness.

Both AwareEd and PhishSim build on teaching individuals to be doubtful on emails even if they come from a supposedly verified source, to be cautious on whether or not to open links and attachments, and finally to not enter their personal information in links opened from emails, which are the three pillars of a good awareness.

Get reports and report to local authorities

Besides raising awareness in your company, it is crucial to have an operational reporting system in the case where phishing is suspected. This gives you the possibility to react fast when your company or your personnel is actually a victim of phishing, limit the bad consequences of such attacks and ideally prevent sensitive records from being stolen. You have also the possibility to report to competent authorities in your area, as phishing might be considered a crime, and report to the internet domain registrar to block the criminal website to which the fake email leads to.

Security Awareness

Conclusion

Biotechnology companies are an attractive target for cybercriminals who use phishing because they may deal with PHI, DNA data and other sensitive information and use them for pecuniary and/or criminal purpose. Educating employees is the key security feature for such companies to protect their businesses.

References

https://www.out-law.com/en/articles/2017/september/number-of-phishing-attacks-on-businesses-rises/

https://www.benzinga.com/pressreleases/17/09/p10079822/phishing-attacks-increase-41-percent-in-the-second-quarter-of-2017

http://www.wired.co.uk/article/the-bio-crime-prophecy

https://www.csoonline.com/article/3084655/security/cyber-threats-and-pharmaceuticals.html

http://www.dataev.com/it-experts-blog/how-hackers-use-email-to-access-biotech-information

https://www.ciosummits.com/PhishMe-Phishing-Defense-Guide_2017.pdf

https://www.nytimes.com/2014/12/02/technology/hackers-target-biotech-companies.html

https://duo.com/blog/targeting-the-stock-market-biotech-industry-info-phished

Be Safe

Section Guide

Sara
A.

View more articles from Sara

You'll leave InfoSec Institute's Computer Forensics course with 3 industry certifications!

Section Guide

Sara
A.

View more articles from Sara
[Free Guide]
[Free Guide]