Carefirst, the health insurance company, reported on May 20 that approximately 1.1 million health care records were compromised in “a sophisticated cyberattack.”

What was the method used in the “sophisticated cyberattack”? Brian Krebs has the details:

Turns out, the same bulk registrant in China that registered the phony Premera and Anthem domains in April 2014 also registered two Carefirst look-alike domains — careflrst[dot]com (the “i” replaced with an “L”) and caref1rst[dot]com (the “i” replaced with the number “1”).

Additionally, ThreatConnect has unearthed evidence showing the same tactics were used on EmpireB1ue.com (note the “L” replaced with a number “1”), a domain registered April 11, 2014 (the same day as the phony Carefirst domains). EmpireBlue BlueCross BlueShield was one of the organizations impacted by the Anthem breach.

That tactic is spearphishing — the attackers used the look-alike domains to send highly targeted emails that deceived users into compromising their systems.
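A mail-filter style check for the character swaps described above, as an added example that is not part of the original post: it folds the confusable characters (i, l, 1) onto one representative and compares each sender domain with a list of protected domains. The protected list, the function names and the sample addresses are assumptions constructed for illustration.

```python
# Added example: flag sender domains that imitate a protected domain
# through the character swaps described above (i / l / 1).

# Characters that are easy to mistake for one another, folded to one form.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o"})

# Assumption: the organization's genuine domains; replace with your own list.
PROTECTED = ["carefirst.com", "empireblue.com"]


def normalize(domain: str) -> str:
    """Lowercase, refang '[dot]' notation and drop a trailing dot."""
    return domain.strip().lower().replace("[dot]", ".").rstrip(".")


def skeleton(domain: str) -> str:
    """Fold visually confusable characters onto one representative."""
    return normalize(domain).translate(CONFUSABLES)


def sender_domain(address: str) -> str:
    """Return the domain part of 'user@host' or 'Name <user@host>'."""
    addr = address.strip().rstrip(">")
    return normalize(addr.rsplit("@", 1)[-1])


def imitated_domain(address: str, protected=PROTECTED):
    """Return the protected domain a sender imitates, or None."""
    domain = sender_domain(address)
    for real in protected:
        if domain == real or domain.endswith("." + real):
            return None  # genuine domain or one of its subdomains
    sk = skeleton(domain)
    for real in protected:
        real_sk = skeleton(real)
        # Same skeleton but a different spelling means a look-alike,
        # including look-alikes used with a subdomain in front.
        if sk == real_sk or sk.endswith("." + real_sk):
            return real
    return None


if __name__ == "__main__":
    # Constructed sample senders, not taken from any real message.
    for sender in ["Member Services <notices@carefirst.com>",
                   "IT Help <helpdesk@caref1rst.com>",
                   "benefits@careflrst[dot]com", "hr@EmpireB1ue.com"]:
        print(f"{sender!r:45} imitates: {imitated_domain(sender)}")
```

The fold covers only the ASCII swaps named in the quoted report; other look-alike techniques, such as added or dropped letters, need a separate check.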

Deception takes place in the mind of the person who is being attacked. Users will decide which emails to trust. That decision can be guesswork or it can be guided by IT using SP Guard.