The relaxing Sunday I was looking forward to did not quite work out as planned. Dutch researcher and all-around good guy Jelle Ursem (aka @SchizoDuckie) got in touch with me about what appeared to him to be a sketchy site allegedly by a well-known prescription management entity.
After a few minutes of checking, there was no doubt that yes, this was part of an attempt to phish patient information by luring physicians to what looked like a convenient prescribing portal for them. A little more checking revealed that similar pages had been set up for dozens of the most prominent healthcare insurers and healthcare business associates in the U.S.
The party claiming responsibility for the portals gave a Gmail address for the business and a street address and phone number in Florida. A Google lookup revealed the business address to be a residence.
Abandoning thoughts of a quiet Sunday evening, we both started reaching out to contacts who could alert relevant entities and get these pages taken down.
In addition to contacting some intel contacts in health insurance, and leaving a voicemail on the fraud line for the prescription management service, DataBreaches also reached out to a Microsoft abuse-reporting URL to give them the URL of the blob and information that there were dozens of organizations that were being targeted.
Within minutes, we received an email receipt from Microsoft.
Less than 1 minute later, we received an email that the case had been closed because they couldn’t validate it, so no action was taken.
Seriously, Microsoft? Did anyone actually READ the report I submitted, or did you just have some AI determination that what I filled in for time of incident or something could not be verified?
Are you seriously interested in stopping abuse, Microsoft? If so, why didn’t you provide a phone number to call or a way to reach back out to make sure that you looked at the report and took action or directed it to the proper recipient?
DataBreaches also sent an email to an FBI agent and someone at HHS who are both involved in cybercrime issues to alert them to the situation. Maybe they’ll have better luck with Microsoft getting the blob taken down and the blob owner confirmed and investigated.
If anyone has a contact at Microsoft, the case number was SIR15482152. MSFT can call me at the phone number provided or the one listed on this website if they need details in addition to what I provided in the notes or narrative with the URL.