Would you open an email from one Dr Brian Fisher? GP app staff did – and they got phished

GP online services app Evergreen Life has been the target of a cyber-attack attempting to access the British firm's corporate email accounts. A malicious phishing email was sent to all the addresses in Evergreen clinical director Dr Brian Fisher's inbox – a rather unfortunate name given the circumstances – in what the company …

  1. Pascal Monett Silver badge

    [we] "have taken a lot of time to do things right"

    You bloody well did, and a refreshing difference it is to read about somebody for whom the security of personal information is indeed a priority.

    They detected the threat and neutralized it before a breach occurred, their patient data is on a separate system - bloody hell, somebody give those guys a medal!

    To all the morons that got their insecure, unencrypted databases hacked this year alone: THAT is how you demonstrate that security is your top concern.

    1. tfewster

      Re: [we] "have taken a lot of time to do things right"

      So was Dr Fisher's account compromised? That's the first red flag in the article, that the crims had access to his contact list.

      1. LewisRage

        Re: [we] "have taken a lot of time to do things right"

        They mention in the article a domain registration that was similar to the company email domain, they also mention that Dr Fisher did lots of work with the company and was well known.

        I'm assuming they put those two together for a realistic looking from address and spammed the entire company hoping that someone would bite.

      2. MachDiamond Silver badge

        Re: [we] "have taken a lot of time to do things right"

        "So was Dr Fisher's account compromised? That's the first red flag in the article, that the crims had access to his contact list."

        MS Outlook is hacked regularly. I get mails from people because I'm on their contact list that I know didn't come from them. Too easy to do. "Features" are a much bigger priority at MS than security.

    2. Tilda Rice

      Re: [we] "have taken a lot of time to do things right"

      If it was top priority, they'd have MFA ;)

    3. Tigra 07

      Re: [we] "have taken a lot of time to do things right"

      TalkTalk could learn a thing or two...

      1. Arthur the cat Silver badge

        Re: [we] "have taken a lot of time to do things right"

        TalkTalk could learn a thing or two...

        No, there's absolutely no evidence TalkTalk is capable of learning anything.

        1. jasper pepper

          Re: [we] "have taken a lot of time to do things right"

          TalkTalk is run by people who think it costs too much to learn anything.

    4. Outer mongolian custard monster from outer space (honest)

      Re: [we] "have taken a lot of time to do things right"

      Exactly, top marks for keeping patient data on a separate system instead of shoving everything into some dodgy AWS bucket.

    5. Jimmy2Cows Silver badge

      Re: [we] "have taken a lot of time to do things right"

      Only thing they didn't seem to answer was how Dr. Fisher's inbox became compromised.

      Being a prominent lobbyist, well known in the community etc. doesn't explain that. It just possibly explains why he was targeted. Wondering if he himself was the victim of an earlier phish.

      1. Roland6 Silver badge

        Re: [we] "have taken a lot of time to do things right"

        >Only thing they didn't seem to answer was how Dr. Fisher's inbox became compromised.

        Would be interesting, but suspect he either accidentally opened a malicious Doc/XLS attachment or was using Outlook and was using the preview pane...

        1. Nick Ryan

          Re: [we] "have taken a lot of time to do things right"

          Most likely he fell for a phishing email himself. Easy to do and the skills in use to increase the chance of people falling for phishing attacks are quite interesting (script kiddies excepted of course)

  2. Blockchain commentard

    If they use Office 365, Microsoft's email system should have highlighted/just blocked it.

    1. IGotOut Silver badge

      Unless using a 0-day.

      Oh I forgot... cloud fixes everything

    2. Anonymous Coward

      Check their MX records... They are using O365...

      Note that they don't have an SPF / DMARC record in place, which should be a minimum for anybody doing B2C communications these days (however this appears to have been a cousin domain attack with the similarly registered domain, so that control may not have been appropriate in this specific case)
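      As an added illustration of the two controls this comment weighs against each other (not code from the commenter or from Evergreen), the script below parses SPF and DMARC TXT records and flags cousin domains that sit one edit away from the legitimate one. The domain names and TXT answers are constructed; a real check would fetch them with a DNS lookup.

```python
# Constructed sample TXT answers; in practice these come from DNS queries for
# <domain> and _dmarc.<domain>. The domains are illustrative, not real ones.
SAMPLE_TXT = {
    "example-clinic.test": ["v=spf1 include:spf.protection.outlook.com -all"],
    "_dmarc.example-clinic.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@example-clinic.test"],
    "weak-clinic.test": ["some unrelated txt record"],
}

def parse_dmarc(records):
    """Return the tag=value dict of the first DMARC record, or None if absent."""
    for txt in records:
        if txt.lower().startswith("v=dmarc1"):
            tags = {}
            for part in txt.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None

def assess_domain(domain, txt_lookup):
    """Summarise anti-spoofing posture: SPF present, SPF hard-fail, DMARC policy."""
    spf = next((t for t in txt_lookup.get(domain, []) if t.lower().startswith("v=spf1")), None)
    dmarc = parse_dmarc(txt_lookup.get("_dmarc." + domain, []))
    return {
        "spf": spf is not None,
        "spf_hard_fail": bool(spf and spf.rstrip().endswith("-all")),
        "dmarc_policy": dmarc.get("p", "none").lower() if dmarc else None,
    }

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def is_cousin_domain(candidate, legitimate):
    """True when the sender domain is a lookalike of the legitimate one: same
    label under another TLD, one typo away, or the real name with extra words.
    SPF/DMARC on the legitimate domain do nothing against these, because the
    mail is sent from the cousin domain, which the attacker controls."""
    if candidate.lower() == legitimate.lower():
        return False
    cand = candidate.lower().split(".")[0]
    legit = legitimate.lower().split(".")[0]
    return edit_distance(cand, legit) <= 1 or legit in cand
```

      A mail gateway can feed the output of is_cousin_domain into a quarantine or banner rule for inbound mail, which is the control that would have applied here.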

  3. Jimmy2Cows Silver badge

    Dr. Fisher

    Good to see nomiative determinism in action :)

    1. Jimmy2Cows Silver badge

      Re: Dr. Fisher

      Damn it. Nominative

      Proof reading fail. Do not pass go. Do not collect £200.

      1. Fatman

        Re: Proof reading fail

        Don't kick yourself too hard.

        Shit happens. We all suffer from fat finger syndrome from time to time.

        Have one on me. -------------------------------------------------------------------->

  4. Danny 2

    Dr Phisher

    Sorry, but there is no credibility in fishers any more. Anyone called Fisher should be made to change their name by deed poll, or held in quarantine. People who hunt fish should be renamed anglers or trawler men. Certain birds should be renamed, for example the King Angler. Fishmongers should be renamed gill-bearing aquatic craniate animals that lack limbs with digits mongers.

    The lead singer of Marrillion should be renamed Derek William Dick. Dicks and willies remain safe.

    1. FuzzyWuzzys

      Re: Dr Phisher

      Unfortunately "Fish" or Derek W. Dick to use his real name (so he doesn't need to change his name) is no longer the singer of Marillion and hasn't been since 1988. Fish, sorry Derek, was only with them for 10 years, just a quarter of the time the band has been in existence, and Derek is now a respected solo artist. Steve Hogarth has been the singer with Marillion since 1989 and a fine job he's done with them for the last 30 years.

      1. Stephen Wilkinson

        Re: Dr Phisher

        Hogarth is a good singer and I agree with what you've said but he doesn't do it for me sadly.

        In the same way I mostly listen to Gabriel-era Genesis, I very rarely listen to post-Fish Marillion - okay, I bought Season's End and realised that it just didn't cut it for me - the versions of the songs off it that Fish sang were so much better, I can't remember whether they were on a Vigil in the Wilderness or the recent box set anniversary edition of either Misplaced Childhood or Clutching at Straws.

        I still hope the rumours of the unreleased album that was too similar to Misplaced Childhood turns out to be true and it finally surfaces!

    2. Anonymous Coward

      Re: Dr Phisher

      I agree. "Fisher" has a bad association these days.

      I feel lucky I don't have that problem.

      Sincerely, Rick roll-troll.

      1. Nick Ryan

        Re: Dr Phisher

        I once worked with a guy called Mr Terence Tester. Not a good name to come across in a database...

        1. Jamie Jones Silver badge

          Re: Dr Phisher

          I failed my first driving test. The examiner was called "Mr. Pass"

          The next day, my dad got a letter from the tax man, named "Mr. Fair"

          True story!

  5. Anonymous Coward

    They should have used Apple that would have stopped this.

    1. Yet Another Anonymous coward Silver badge

      Unfortunately they seem to be repelled from Apples

    2. Andy Non Silver badge

      An apple a day keeps a Doctor Fisher away?

      1. Anonymous Coward

        I'm glad someone got it.

  6. Danny 2

    Do you use one of these popular passwords?

    Okay, while I seriously question this BBC article it is indicative of the problems IT staff face every day. Although you have to admit that 123456789 is a lot more secure than 123456.

    According to the UK's National Cyber Security Centre - many of us are using the same passwords to protect our valuable information.

    Do you use any of the following passwords? If so, you're definitely not the only one.

    1) 123456 - 23.2 million (total number of users)

    2) 123456789 - 7.7 million

    1. Jimmy2Cows Silver badge

      Re: Do you use one of these popular passwords?

      That's shockingly high. Sadly not entirely unexpected though, I guess.

      I know someone whose password involves running their finger along a keyboard row from left to right. He probably can't recall the actual characters. Dude struggles with passwords though, seems odd as he's otherwise a bright guy but I guess everyone has their nemesis.

      A few times I've suggested he at least choose a pattern he can remember easily, and a memorable yet non-obvious modification scheme to apply to different sites, but he didn't go for it. An uncomfortable truth is some people just can't comprehend password security. It's simply beyond them.

      1. Yet Another Anonymous coward Silver badge

        Re: Do you use one of these popular passwords?

        >some people just can't comprehend password security.

        Many can and don't bother having a 64 character password containing upper+lower case elvish runes for when a site makes you create an account just to download a bios update

        I suspect there are a lot of "fsck-off"s and "password" on a bunch of sites

        1. mrchinchin25

          Re: Do you use one of these popular passwords?

          Yeah I'm not a big fan of the smug way many security teams lord it up over the peons and tell jokes about weak passwords. Yeah we get it. Unfortunately I can't remember 2000 different password combinations, so without using a password manager (usually blocked in places I work) or chrome (frowned upon) or writing them down (death to all who do this apparently) I have few options (usually this involves writing down part of it and using a code to remind me of the rest)

          I have a lot of passwords in lastpass with a swear word in it because that site has been hacked.

          The sooner we go towards using retina scan / fingerprint / decent sso solutions / sperm samples to login, the better in my opinion.

          I do not want to have to explain to another aged parent why they have different accounts for different sites - nevermind passwords.

          1. c1ue

            Re: Do you use one of these popular passwords?

            Biometrics are not a great idea. What do you do once that data is stolen? Going to change your DNA?

            1. Nick Ryan

              Re: Do you use one of these popular passwords?

              Biometrics are an acceptable replacement for a non-secret component in authentication. They are in no way a replacement for a secret component, i.e. a password. However the marketing drones at certain international cloud/subscription software peddling organisations and Hollywood would have you believe otherwise.

          2. NightFox

            Re: Do you use one of these popular passwords?

            "The sooner we go towards using retina scan / fingerprint / decent sso solutions / sperm samples to login, the better in my opinion.

            I do not want to have to explain to another aged parent why they have different accounts for different sites - nevermind passwords."

            I'd be happier doing that than having to explain to them how to provide a sperm sample.

            1. Anonymous Coward

              Re: Do you use one of these popular passwords?

              tesco1234... ocado1234... hmrc1234... yahoo1234...elreg1234...

    2. Mark 85

      Re: Do you use one of these popular passwords?

      Also, quite a few use "admin" as login and password still. <sigh>

      1. Anonymous Coward

        Re: Do you use one of these popular passwords?

        Especially those called Calvin.

    3. Michael B.

      Re: Do you use one of these popular passwords?

      The NCSC actually publish the whole of their top 990k dodgy passwords which should probably be in every web app's banned password list.
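      As an added example (not the commenter's code and not the NCSC list itself), the check below shows what a banned-password filter needs beyond a plain lookup to catch the patterns mentioned elsewhere in this thread: a site name with digits bolted on, and a finger dragged along a keyboard row. The banned set is a constructed stand-in; the real list would be loaded from a file.

```python
import re

# Constructed stand-in for a banned-password list (the real NCSC/HIBP list
# has hundreds of thousands of entries and would be loaded from a file).
BANNED = {"123456", "123456789", "password", "qwerty", "admin", "letmein"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

def normalise(pw):
    """Lower-case and strip a trailing run of digits/punctuation, so that
    'Password1!' and 'password' compare equal against the banned list."""
    return re.sub(r"[\d!@#$%^&*.]+$", "", pw.lower())

def is_keyboard_walk(s, min_len=4):
    """True when the whole string is a contiguous run along one keyboard row,
    in either direction (the 'finger along a row' password)."""
    return len(s) >= min_len and any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)

def reject_reason(pw, site_name, banned=BANNED):
    """Return why a password is rejected, or None if it passes these checks.
    site_name is the service the password is for, e.g. 'tesco' or 'elreg'."""
    lowered, base = pw.lower(), normalise(pw)
    if lowered in banned or base in banned:
        return "on banned list"
    if site_name.lower() in lowered:
        return "contains site name"
    if is_keyboard_walk(lowered) or is_keyboard_walk(base):
        return "keyboard walk"
    if len(pw) < 8:
        return "too short"
    return None
```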

  7. disgruntled yank Silver badge

    emailed all the contacts?

    Who do they think they are, LinkedIn?

  8. sitta_europea Silver badge

    As others have pointed out it seems clear that Dr. Fisher's account was compromised.

    I don't know where the MITM thing came from but at first glance it doesn't look to me like anything so technical as that.

    1. cracked and broken

      "As others have pointed out it seems clear that Dr. Fisher's account was compromised."

      It's certainly clear that someone had Dr. Fisher's contacts list. I wonder if Dr. Fisher had been sending public emails with all the addresses shown as To: or CC: instead of BCC: Amazing how often people still do this.

      From there it's easy to spoof an email from him.

    2. TrumpSlurp the Troll

      MITM

      I assume the classic MITM is using a password in an insecure environment such as coffee shop, hotel or conference centre.

      Although I would expect passwords to be encrypted these days. Crackable?

      1. Nick Ryan

        Re: MITM

        If the password hash is intercepted and the password is weak (likely, the standard Windows password complexity rules almost encourage weak passwords) then it will be crackable within a short period of time. From 2ms up to an hour or two depending on complexity and if GPU acceleration is available.

      2. cracked and broken

        Re: MITM

        Considering how much credit was given to Evergreen for their professionalism (see the first post in this topic) in using well designed and secure systems it seems unlikely that they would be accessing their corporate data from a coffee shop without a VPN and 2FA.

        I think the MITM part of the story needs a better explanation.

  9. steviebuk Silver badge

    Hmmm

    "We have extensive experience in writing large software systems for hospitals – over 60 years between us. We understand how important your data is, we are used to working in very secure environments, and have taken a lot of time to do things right."

    But sounds like they didn't implement 2FA in 365, suggesting the reason the Dr's account was compromised. Also urging people to change their password ASAP is all well and good, but if 2FA had been on, it wouldn't have been as big an issue. I'm confused why it took hours to block the website. When I find ones in malware, a simple entry in the Sonicwall will then block it instantly. Even if they are large and have 2 external connections, surely blocking on those two main connections shouldn't take hours. Unless the person who wrote the PR just noticed Chrome/Firefox had started to automatically block it, and it takes them a long time to decide an address is a phishing site and then block it.

    1. Anonymous Coward

      Re: Hmmm

      "surely blocking on those two main connections shouldn't take hours"

      If they've outsourced their networking, like our company has, that "simple" change now involves opening a ticket via a helpdesk in another country then waiting for it to be picked up by the vendor (which is likely to have at least a 1hr SLA for a critical ticket), go through a conference call that should have been an email, get them to write a change request, get it approved then implemented. Those things could easily take 2 hours for anything classified as an emergency. Non-emergency, you could well be talking days.

      Even if their networking is in-house, since regulated confidential data is involved there are probably compliance procedures that have to be followed for any change to make sure it doesn't compromise anything else.

  10. Mr Dogshit

    Not sure why this is news. Dog bites man.

    1. Anonymous Coward

      If there was a news story for every phishing attempt I get a day, then the news would be nothing but phishing stories. On the up-side, maybe it would be taken more seriously by everyone if that happened.

  11. juice

    Phishing is getting increasingly cunning...

    tl;dr: identity theft is incredibly easy these days.

    I had what looked to be a message from an old work colleague (old in every sense of the word - I last worked with him about a decade ago, and I think he's retired now). We'll call him Dave, to keep things simple.

    Oddly, it came up as a "new contact" message, but the name was correct, as was the profile photo. So I raised an eyebrow, clicked on it, and was greeted with a message which looked very out of character. E.g. "I'm blessed and highly favoured". Bonus points for the UK spelling, but it's still not something Dave would say.

    And then they tried to tell me the "good news" about some HSS thing. Which a quick google revealed to be some american grant thing which is highly susceptible to scams. And a further check indicated that it wasn't actually Dave's account. In fact, given the length of time since he last posted, it's debatable if he's even using Facebook any more!

    What I suspect has happened is that my work colleague has left his profile and friends list as public. And so, someone's grabbed his profile photo, set up a fake account with the same name, and has been working down his friend's list.

    So, I set up a group conversation between Dave and "Dave" and said: Dave, meet Dave. Dave, I'm afraid Dave has cloned your account and is attempting to scam people. Might be worth checking your privacy settings!

    And then I reported "Dave" for FB (for all the good it's likely to do) and blocked him for good measure...

  12. MachDiamond Silver badge

    Easy to see how

    I can see how it could be easy to phish medical staff. They are getting mail everyday from people they may not know regarding patient information. Many people aren't as suspicious as I am so they'd click the link or open the attachment for "Mr. Smith's lab report". Pick a common local surname and it's likely the person being phished has a patient with that name or there is a patient with that name on the floor of the hospital.

    BYO devices can be a problem as they are a vector into company systems. A hospital could issue devices to staff and make other devices available for temp use by visiting physicians with no personal use allowed. The loaned devices act as terminals only. You would enter your L/P and the session would expire at the turn of the next shift plus an hour or two if you don't log out yourself.

    It would be easy enough to prohibit links going to individuals and to have lab reports and doctor notes sent to a central server with a patient's reference number in specific formats only. The person needing the information would be messaged that data has arrived and they would log into the system and access the record.

    Any large organization that isn't spending the time and money to secure against ransomware attacks deserves to get mauled. It's not like this isn't in the news every week.

    1. Anonymous Coward

      Re: Easy to see how

      You'll find most test results etc. are held within clinical systems and not sent between clinicians regularly. Typically they'll say "can you look at X result for patient Y, it's on clinical system Z" rather than sharing it. Also, normally those emails would be sent NHSMail to NHSMail rather than from an external email system, and NHSMail blocks around 800 million junk e-mails a month so its spam filter is actually fairly good.
