I Discovered a Security Problem at Work
I am leaving some details vague here on purpose. This happened yesterday, August 10, 2020. I was at work when I responded to a request from an employee. For context I work in IT for a organization in healthcare and we test patients for Covid-19 and then they can check their results online. At first glance I thought that the request was a marketing department problem but called the employee anyway. They wanted to report that the flyer being handed out about Covid-19 and test results had a website listed that was not loading. The employee said that a patient had called to report the problem and she had tried it as well without success. I tried navigating to the website using Google Chrome and I got the “This site can’t be reached” error.
Then It occurred to me that this was not a domain name I have ever seen before. There was nothing in the domain name that could be a typo. It was our business name and the name of the product we use to give patients access to their data. For example our normal domain would be healthcarefacilities[.]org and this domain looked like healthcarelogin[.]org. It looked like a completely normal and legitimate domain name. I got curious. I looked up the domain with a whois site. It wasn’t registered. I thought of what this could mean but I wanted to check one more thing. I went to see if the website was available for purchase and sure enough for twelve dollars a year I could own this site. And if I could buy it, anyone could buy it and do whatever they wanted with it. Over two-hundred patients get tested here every day.
So what big issue did I see with this? My mind raced through many possibilities. Someone could just buy it and do nothing with it. It would make the information in the flyer permanently invalid. A threat actor could put up a site with any number of inappropriate topics. I could make a list but I will just let you use your imagination. Someone could just make a website with false covid-19 information. But then one possibility occurred to me that was much more frightening; a breach of protected health information (or PHI for short).
It occurred to me that it is really easy to clone webpages using a tool called Social Engineering Toolkit (or SET) and then set it up on the fake web page and redirect it to the real webpage. If a threat actor was able to trick an unsuspecting victim into going to the fake web page and typing in their credentials, the credentials can be stored and the website would just forward to the real webpage. The victim would just think there was an error on the site and try logging in again.
However we were already handing out an available link. A threat actor wouldn’t even have to do the social engineering part as we would be doing it for him. I’m not a HIPAA expert but I have a feeling this would be violating it in some way. If you don’t know what HIPAA is, it is a federal law passed in 1996 to protect PHI. You can read about it here.
I started making phone calls. First I tried calling the marketing department to see if somehow this was a mistake of some sort that could be fixed by them. No one in that department was answering. It was around lunch time. I didn’t want to wait for them to come back so I called my boss. No answer. I called my boss’ boss. Again no answer. I decided to draft an email about the situation that I could send to everyone that might need to be involved and then reach out to my boss again. When I was almost done typing up the email I reached out to my boss one more time and he was available. I explained the situation and he agreed with me sending out the email.
Less than twenty minutes later I get a response. The domain was purchased by our organization. It was set to redirect to the legitimate login page. The issue was resolved. It is unclear how the domain got used in the first place but everyone agreed that it would be best just to keep the domain from now.