A “particularly unpleasant” phishing email is circulating in the UK. It
purports to carry the results of a blood count report showing that the
recipient may have cancer, claims to be sent from a government health
care organization, and contains an infected attachment presented as a
blood analysis report.
NICE (the National Institute for Health and Care Excellence) has posted a spam warning,
saying, “NICE is aware that a spam email is being sent to members of
the public regarding cancer test results. Please be assured that this
email is not from NICE and we are currently investigating its origin. If
you have received the email, do not open the attachments.”
Eduard Kovacs of Softpedia reports
that the emails arrive with the subject line “IMPORTANT: blood analysis
results” and appear to come from the email address
“no_reply@nice.org.uk.”
British anti-fraud organization Action Fraud
warns users that the file is “likely to contain malware” and reports
that one variant of the email says, “We have been sent a sample of your
blood analysis for further research. During the complete blood count
(CBC) we have revealed that white blood cells is very low, and
unfortunately we have a suspicion of a cancer… We suggest you to print
out your CBC test results and interpretations in attachment below and
visit your family doctor as soon as possible. Sincerely, Dr.Moon
Earnest.”
ESET Senior Research Fellow David Harley describes the phishing attack as “particularly unpleasant” in a blog post,
and says, “This is more than spam: it contains an attachment claimed to
be a blood count report suggesting that the recipient may have cancer,
but in fact it’s a password stealer.”
Harley points out that certain features of the email are unconvincing, and that the criminals rely on users panicking: “Firstly, it’s likely that if you’d given a sample for a blood test you’d remember. However, there’s obviously a chance that some of these messages might reach people who have actually given samples recently, and would be more likely to be panicked into clicking on the malicious attachment. Secondly, NICE is not in the business of doing blood tests: its remit is rather more abstract. But again, the hope is that the victim will be too panicked to check properly.”