NHS ESR Spear Phishing Campaign

NHS Digital's Cyber Security Operations Centre has been closely monitoring a spear phishing campaign targeting NHS organisations in order to steal Electronic Staff Record (ESR) credentials.

Threat ID:: CC-3160
Category:
Threat Severity:: Medium
Threat Vector:
Published:: 18 July 2019 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

NHS Digital's Cyber Security Operations Centre has been closely monitoring a spear phishing campaign targeting NHS organisations in order to steal Electronic Staff Record (ESR) credentials.

Threat details

Users have received emails that claim to be from their Human Resources (HR) service, but are sent from accounts outside the NHS. These emails typically say that the user's salary has been increased and invite them to click a link to access related documents. When the user clicks on the link they are directed to a fake NHS ESR login page, which appears exactly the same as the actual login page except that it does not offer smartcard login.

The malicious emails are customised for each organisation they are sent to. They typically contain the organisation's logo and the phishing links include their website domain within the URL.

Remediation steps

Type	Step
	Organisations are advised to block the following domain and email addresses on their local infrastructure: linkourschool[.]com karnishpuoma1@gmail[.]com belton@alwaysmoney[.]com lisa@belvito[.]com Logs should be consulted to determine whether any users have accessed linkourschool[.]com. Affected account passwords should be reset and affected users advised to reset their passwords on ESR. Users should be advised to forward suspicious or spam emails as an attachment to [email protected] - step-by-step instructions can be found here. A robust program of education and awareness training should also be delivered to ensure that users don't open attachments or follow links within unsolicited emails.

Type

Step

Organisations are advised to block the following domain and email addresses on their local infrastructure:

linkourschool[.]com
karnishpuoma1@gmail[.]com
belton@alwaysmoney[.]com
lisa@belvito[.]com

Logs should be consulted to determine whether any users have accessed linkourschool[.]com. Affected account passwords should be reset and affected users advised to reset their passwords on ESR.

Users should be advised to forward suspicious or spam emails as an attachment to [email protected] - step-by-step instructions can be found here. A robust program of education and awareness training should also be delivered to ensure that users don't open attachments or follow links within unsolicited emails.

Last edited: 14 February 2020 2:49 pm