HC3 Warns of Increase in Vishing Attacks and the Dangers of Social Engineering
The Health Sector Cybersecurity Coordination Center has issued a warning about social engineering and voice phishing (vishing) attacks on the healthcare and public health (HPH) sector.
In cybersecurity terms, social engineering is the manipulation of individuals by malicious actors to further their own aims. It is a broad term that covers many different types of attacks, including phishing, spear phishing, whaling, baiting, vishing, callback phishing, SMS phishing (smishing), deepfake software, and business email compromise (BEC).
In phishing attacks, social engineering techniques are used to trick employees into disclosing sensitive information such as protected health information, login credentials that allow the threat actor to gain a foothold in the network, or installing malware that provides remote access to devices and the networks to which they connect. These attacks may be conducted in mass campaigns or can be highly targeted, with the victims researched and lures crafted for specific individuals.
Phishing is one of the most common types of social engineering attacks, and it is the initial access vector in a large percentage of cyberattacks on the healthcare industry. The 2021 HIMSS Healthcare Cybersecurity Survey suggests phishing was involved in 45% of healthcare security incidents over the past 12 months, followed by ransomware attacks. Ransomware threat actors often use phishing to gain initial access to healthcare networks, and several groups associated with the Conti ransomware operation are now using callback phishing as one of the main ways to gain the access they need to conduct their attacks. Callback phishing was first used by the Ryuk ransomware gang in the BazarCall campaigns, where victims were tricked into installing BazarLoader malware that provided remote access to their networks. Ryuk rebranded as Conti, and three breakaway groups started using these callback phishing techniques again in March 2021.
Callback phishing is a hybrid form of phishing where initial contact is made via email and social engineering is used to trick people into calling the provided telephone number. The lure used in these attacks is often a warning about an impending invoice, subscription expiry, or the end of a free trial, with charges incurred if no action is taken. Initial contact is made via email, but no hyperlinks or email attachments are used, only a phone number is provided. Email security solutions often do not flag these emails as malicious and are unable to check if a telephone number is malicious or legitimate.
According to cybersecurity firm Agari, phishing volumes increased by 6% from Q1 2022 to Q2, 2022, whereas hybrid phishing attacks (including callback phishing) increased by 625%. According to the IBM Security X-Force team, in Q4, 2021, phishing attacks accounted for 42% of attacks, up from 30% the previous quarter.
Vishing attacks are conducted exclusively over the telephone. In September 2020, threat actors impersonated a Michigan health system and called patients to steal their member numbers and PHI, with the caller ID spoofed to make it appear that the call originated from the health system.
Phishing and other types of social engineering attacks are a leading cause of healthcare data breaches and healthcare organizations are particularly vulnerable to these attacks, especially larger organizations where employees are unlikely to know all of their co-workers. These attacks abuse trust, and healthcare employees are naturally trusting and have a desire to help. People also want to look intelligent and not have to seek help. They also do not want to get in trouble so may not report falling for a scam. Healthcare environments are also busy with employees often under time pressure, leading to people taking shortcuts that can open the door to scammers.
Defending against social engineering can be a challenge since the attacks can occur via email, SMS, instant messaging services, social media networks, websites, SMS, and over the phone, and hybrid phishing attacks are unlikely to be detected by traditional cybersecurity solutions. The key to defending against these attacks is to implement multiple layers of defenses, update policies and procedures to close security gaps, and provide regular security awareness training to the workforce.
HC3 suggests the following steps to improve defenses against social engineering attacks:
To protect against hybrid phishing attacks, smishing, and vishing, security awareness training is key.
- Regular security awareness training should be provided – multiple times a year. Consider modular CBT training courses to fit training into busy healthcare workflows
- Keep employees abreast of the latest campaigns targeting the sector, including the latest health-related themes such as COVID-19 and Monkeypox
- Instruct employees to confirm receipt of an email from a known sender via a trusted communication method or contact
- Secure VoIP servers and look for evidence of existing compromise (such as web shells for persistence)
- Block malicious domains and other indicators associated with campaigns
- Consider switching your organization’s MFA setting or configuration to require a one-time password (OTP) versus a push notification to mitigate MFA fatigue
- Conduct phishing simulation exercises on the workforce, including hybrid phishing simulations