The FBI has issued an alert about threat actors targeting healthcare payment processors in an attempt to hijack the payments.
The Federal Bureau of Investigation (FBI) has issued an alert about cyber attacks against healthcare payment processors to redirect victim payments.
Threat actors used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.
The FBI also reported one attack in which the threat actors changed victims’ direct deposit information to a bank account under their control and redirected $3.1 million payments.
“Cyber criminals are compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by the cyber criminals. Recent reporting indicates cyber criminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.” reads the alert.
Below are some cases included in the alert:
- April 2022: Threat actors posing as an employee of a healthcare company with more than 175 medical providers changed Automated Clearing House (ACH) instructions of one of their payment processing vendors to redirect the payments. The crooks stole approximately $840,000 dollars over two transactions prior to the discovery.
- February 2022: an attacker obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account under the control of the cyber-criminal. The attacker stole $3.1 million with this attack.
- February 2022: in a separate incident a different threat actor used the same technique to steal approximately $700,000.
- From June 2018 to January 2019: cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts under their control. In one case, the victim reported having lost approximately $1.5 million. In this case, the attackers used both publicly available PII and data gained through phishing attacks aimed at gaining access to customer accounts.
The alert also reported potential indicators of malicious activities against user accounts, including phishing emails targeting financial departments of healthcare payment processors, suspected social engineering attempts to obtain access to internal files and payment portals, unwarranted changes in email exchange server configuration and the settings of custom rules for specific accounts, requests for employees to reset both passwords and 2FA phone numbers within a short timeframe, and employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.
Below is the list of mitigations recommended by the FBI:
- Ensure anti-virus and anti-malware is enabled and security protocols are updated regularly and in a timely manner. Well-maintained anti-virus and anti-malware software may prevent commonly used attacker tools.
- Conduct regular network security assessments to stay up to date on compliance standards and regulations. These should include performing penetration tests and vulnerability scans to ensure the knowledge and level of current system and security protocols.
- Implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts. As budget constraints allow, consider options in authentication or barrier layers to decrease or eliminate the viability of phishing.
- Advise all employees to exercise caution while revealing sensitive information such as login credentials through phone or web communications. Employees should conduct requests for sensitive information through approved secondary channels.
- Use multi-factor authentication for all accounts and login credentials to the extent possible. Viable choices such as hard tokens allow access to software and verifies identity with a physical device instead of authentication codes or passwords.
- Update or draft an incident response plan, in accordance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
- Mitigate vulnerabilities related to third-party vendors. Outside communication exchanges should contain email banners to alert employees of communications originating outside of the organization. Review and understand the vendor’s risk threshold and what comprises a breach of service.
- Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
- Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations. Any direct request for account actions needs to be verified through the appropriate, previously established channels before a request is sanctioned.
- Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets including 2FA phone numbers within a short timeframe to IT and security departments for investigation.
- Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passphrases. Passphrases should not be reused across multiple accounts or stored on the system where an adversary may have access. (Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account.)
- If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
- Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, healthcare)