
Feds Warn of Phishing and Social Engineering Campaign Targeting Healthcare Organizations

A joint cybersecurity advisory has been issued by the Federal Bureau of Investigation (FBI) and the Department of Health and Human Services (HHS) about an ongoing social engineering campaign targeting the healthcare and public health (HPH) sector. The campaign has been running since August 2023 and seeks access to email account credentials to divert automated clearinghouse (ACH) payments to U.S. bank accounts under the threat actor’s control.

The threat actor first targets email accounts and, once access has been gained, pivots to the login credentials that allow changes to be made to accounts involved in reimbursement payments from insurance companies, Medicare, and other entities. Two methods have been identified for gaining initial access to email accounts. The first is phishing: emails direct the recipient to a spoofed webpage where credentials are harvested. The domains used in this campaign closely resemble the targeted organization's own domain, differing by a single character.
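The one-character lookalike domains described above can be screened for mechanically. The following is an added example, not code from the advisory or from The HIPAA Journal: it compares the domain of each observed sender address or link against the organization's own domains and flags any that differ by exactly one inserted, deleted, or substituted character. The organization domain and the sample messages are constructed for the demonstration.

```python
# Added example (not part of the advisory): flag sender/link domains that differ
# from the organization's own domain by a single character, the pattern the
# FBI/HHS alert describes for the spoofed credential-harvesting pages.
from urllib.parse import urlparse

def edit_distance_le1(a: str, b: str) -> bool:
    """True if a and b differ by at most one substitution, insertion or deletion.
    (Transpositions such as 'ab' -> 'ba' count as two edits and are not flagged.)"""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1; j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):      # substitution: advance both
            i += 1; j += 1
        elif len(a) > len(b):     # character missing from b: skip it in a
            i += 1
        else:                     # character inserted into b: skip it in b
            j += 1
    edits += (len(a) - i) + (len(b) - j)   # one trailing character left over
    return edits <= 1

def extract_domain(value: str) -> str:
    """Domain from a mailbox ('user@host') or a URL ('https://host/path'), lowercased."""
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].strip(">").lower()
    return (urlparse(value).hostname or "").lower()

def lookalike_domains(org_domains, observed):
    """Return (observed_domain, org_domain) pairs that differ by exactly one character."""
    hits = []
    for item in observed:
        dom = extract_domain(item)
        for org in (o.lower() for o in org_domains):
            if dom and dom != org and edit_distance_le1(dom, org):
                hits.append((dom, org))
    return hits

# Constructed sample: one legitimate sender, two one-character lookalikes, one unrelated.
ORG_DOMAINS = ["examplehealth.org"]                   # constructed organization domain
SAMPLE = [
    "payroll@examplehealth.org",                      # legitimate, exact match
    "helpdesk@exampleheath.org",                      # missing 'l'
    "https://examplehea1th.org/login",                # 'l' replaced with '1'
    "https://news.vendor-example.com/",               # unrelated
]

if __name__ == "__main__":
    for dom, org in lookalike_domains(ORG_DOMAINS, SAMPLE):
        print(f"possible lookalike: {dom} (resembles {org})")
```

The same check can be run over mail-gateway sender logs or proxy URL logs to surface candidates for review; it is a triage aid, not a verdict.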

An alternative method involves vishing calls to the targeted organization’s IT helpdesk. Social engineering tactics are used to trick IT helpdesk workers into performing a password reset and, in some instances, registering a new device to receive multifactor authentication codes. Personal information obtained in past data breaches may be provided to the helpdesk employees to pass identity verification checks.

Once access has been gained to an email account, the threat actors use living-off-the-land techniques to hide their malicious activities within legitimate system and network behavior. Successful attacks allow the threat actor to amend forms to make ACH changes to patients’ accounts to divert legitimate payments to their own accounts. The funds are then withdrawn and are sent overseas.

The alert includes VoIP numbers that are known to have been used in the campaign. Organizations are advised to check their phone logs to determine whether calls have been received from any of those numbers and, if so, to investigate what information was disclosed. The FBI and HHS recommend mitigations to make these attacks harder to carry out, including implementing multi-factor authentication for all accounts, training IT help desk employees to recognize the campaign, reviewing logs for the execution of remote access software, using security software that can detect remote access software loaded only in memory, permitting remote access software to be used only from within the network or via a VPN, and blocking common remote access software ports and protocols at the network perimeter.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
