FBI, HHS Warn Health Sector of Payment Diversion Schemes
Scammers Use Social Engineering and Phishing to Fool Workers and IT Help Desk Staff
Federal authorities warn of social engineering and phishing scams - sometimes targeting IT help desk workers - that allow attackers to steal login credentials and access healthcare sector entities' IT systems so they can divert automated clearinghouse payments to bank accounts the attackers control.
Once the threat actors access the healthcare sector employees' email accounts, they pivot to specifically target login information related to the processing of reimbursement payments to insurance companies, Medicare or similar payors, said the FBI and the Department of Health and Human Services' Health Sector Cybersecurity Coordination Center in a joint advisory issued on Monday.
"To gain initial access to victim networks, the threat actor acquired credentials through social engineering or phishing. In some observed instances, the threat actor called an organization's IT help desk posing as an employee of the organization, and triggered a password reset for the targeted employee's organizational account," the warning says.
In some of the schemes manipulating IT help desk employees, threat actors managed to bypass multifactor authentication. In one instance, they registered a phishing domain that varied by one character from the victim organization's actual domain and then targeted the organization's chief financial officer, the alert says.
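The one-character-off phishing domain the alert describes is detectable before a message reaches the CFO. The script below is an added example, not code from the FBI, HHS or AHA, that scans a constructed mail log for sender domains within one edit (insertion, deletion, substitution or adjacent swap) of the organization's own domain. It goes slightly beyond the alert's single case by also flagging domains that keep the organization's name but change the top-level domain. The organization domain `examplehealth.org`, the `SAMPLE_LOG` entries and the function names are all assumptions made for the example.

```python
"""Flag lookalike sender domains: one edit away from the organization's
domain, or the same name under a different TLD.

All data here is constructed for illustration; the organization domain
and the message log are assumptions, not material from the advisory.
"""
import re
from typing import List, Tuple

ORG_DOMAIN = "examplehealth.org"  # assumed organization domain

# Constructed mail log: (message id, From header address). Not real traffic.
SAMPLE_LOG = [
    ("m1", "cfo@examplehealth.org"),            # genuine internal sender
    ("m2", "billing@examplehea1th.org"),        # 'l' replaced with '1'
    ("m3", "it-helpdesk@examplehealth.co"),     # same name, different TLD
    ("m4", "payer@medicare.gov"),               # unrelated legitimate domain
    ("m5", "accounts@exampelhealth.org"),       # adjacent letters swapped
    ("m6", "vendor@example-health.org"),        # hyphen inserted
]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each costing 1."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost) # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def domain_of(address: str) -> str:
    """Extract the domain part of an e-mail address, lowercased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def flag_lookalikes(log: List[Tuple[str, str]], org_domain: str,
                    max_distance: int = 1) -> List[Tuple[str, str, str]]:
    """Return (message id, sender domain, reason) for suspicious senders.

    A domain is suspicious if it is within max_distance edits of the
    organization's domain, or if its first label matches the organization's
    first label but the rest (the TLD) differs. The split on the first '.'
    is a simplification that assumes no subdomains in the log.
    """
    org = org_domain.lower()
    org_label, _, org_tld = org.partition(".")
    hits = []
    for msg_id, sender in log:
        dom = domain_of(sender)
        if not dom or dom == org:
            continue  # unparsable or the organization's own domain
        if edit_distance(dom, org) <= max_distance:
            hits.append((msg_id, dom, "edit_distance_%d" % max_distance))
            continue
        label, _, tld = dom.partition(".")
        if label == org_label and tld != org_tld:
            hits.append((msg_id, dom, "tld_swap"))
    return hits


if __name__ == "__main__":
    for msg_id, dom, reason in flag_lookalikes(SAMPLE_LOG, ORG_DOMAIN):
        print(f"{msg_id}: {dom} ({reason})")
```

In practice the same check belongs at the mail gateway (or as a domain-watch feed against newly registered domains), and the candidate list should be generated from every brand or domain the organization owns, not just the primary one. Exact-match allowlisting of the organization's own domain, as done above, is what prevents internal mail from being flagged.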
"The threat actors often have personally identifiable information of the impersonated employee, obtained from data breaches, enabling the threat actor to confirm the targeted employees' identity over the phone," it says. "If a social engineering attempt is successful, the threat actor then logs onto the victim account and attempts to use living-off-the-land techniques."
Living-off-the-land (LOTL) techniques, which rely on legitimate built-in tools and already-compromised accounts rather than custom malware, let threat actors operate discreetly because their activity blends in with normal system and network behavior, the alert says.
"By using LOTL, threat actors were able to amend forms to make automated clearinghouse changes to patients' accounts which enabled the diversion of legitimate payments to U.S. bank accounts controlled by the actors," authorities said. That's then followed by a second transfer of funds to overseas accounts. "In some instances, the threat actor also attempted to upload malware to victim systems without success," the alert says.
Earlier Warnings
The American Hospital Association issued an alert on Tuesday based on the FBI and HHS HC3 advisory, to warn hospitals about these scams. The threats were also the subject of related warnings by the AHA and HHS in January and April (see: AHA: Rise in Scams Targeting IT Help Desks for Payment Fraud).
The latest joint advisory by FBI and HHS "validates the ongoing and serious nature of these social engineering schemes," the AHA said in its latest warning.
"The AHA continues to receive similar reports from the field in regard to IT and human resources help desk social engineering schemes," said John Riggi, national adviser for cybersecurity and risk at the AHA, in a statement.
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, said all healthcare organizations should take these warnings seriously.
"When we see alerts like this, especially from the FBI, it's because they're responding to incidents and doing what they can to help warn the community about these attacks," Weiss said.
Healthcare sector organizations should review the threat actor behaviors and indicators of compromise described in the alerts to better protect their networks. "Most importantly, follow the recommendations - especially about implementing multifactor authentication to protect privileged accounts and ensure MFA is also enabled on all remote access accounts," he said.
Healthcare organizations should also consider conducting social engineering tests of all help desk functions and instituting multi-person authentication for any change to organizational level payment instructions, according to the AHA.
Weiss agrees. "IT help desks are doing their jobs - helping employees, but sometimes also helping the bad guys when they are fooled by cybercriminals to reset MFA credentials and send them authorization codes," he said.
"Organizations can implement more thorough checks like having the employee's supervisor validate the request or use technology like voice recognition to enhance the authentication process.
"The timing of the advisory is also important with the Fourth of July holiday coming up. That means more people out of the office and more time for the cybercriminal attacks to possibly go unnoticed," Weiss said.