amenex wrote:
"The website uses the ASP server-side programming language, which requires a
Microsoft server, and the source code of the website expects Internet Explorer
(IE 11)."
I suggest finding out a bit more about what versions of Windows and ASP the
website is running on, and what known vulnerabilities haven't been patched in
those versions. I'd be very surprised if you can't find some genuine security
risks in a website optimized for a browser released in 2013, based on a
proprietary scripting language created by 1990s Microsoft.
Come up with a few examples of how your Blackhat Evil Twin could use those
vulnerabilities to catastrophically mess with your health provider. 3-5
examples should do, including things like using the website to tunnel into
the internal network and copy the client database, or hijacking the Windows
server to send trojans to every email address in the database, disguised as
password reset requests.
Send that information to the risk assessment department of the insurance
company that insures your health provider, with a copy cc'd to their IT
department. Tell the insurance company that the best way to permanently fix
these vulnerabilities is to migrate the website to a modern infrastructure,
which supports web standards in a vendor-neutral fashion. Let the inherently
risk-averse nature of the insurance industry do the pestering for you.
Optional step:
If they show no signs of taking action, post your research here, with a
strict warning that nobody should even think about posting the info
anonymously on 4Chan. Yes, I've been watching too much Mr Robot ;)