The Federal Bureau of Investigation (FBI) has released a TLP:WHITE Private Industry Notification warning of persistent cybercriminal efforts to attack healthcare payment processors and divert victim payments to accounts controlled by the attackers.
These attacks use social engineering, for instance phishing emails that spoof support offices, to obtain the sign-in credentials of healthcare payment processors and then reroute payments. The attackers have used publicly available personally identifiable information to gain access to files, healthcare portals, payment data, and websites.
The aim of these attacks is to modify direct deposit details. In an attack on a large healthcare firm in February 2022, changes to the direct deposit information of a customer checking account resulted in a total of $3.1 million being sent straight to the attacker's account. In the same month, a separate attack used the same tactics to redirect about $700,000.
In April 2022, a healthcare organization with 175 medical providers uncovered an attack in which an employee was impersonated and the Automated Clearing House (ACH) information of one of its payment processing vendors was changed to a bank account controlled by a cybercriminal, resulting in two payments totaling $840,000 being sent to the attacker's account.
The FBI says that between June 2018 and January 2019 at least 65 healthcare payment processors in the United States were attacked, with contact details and banking details modified so that payments were deposited to attacker-controlled accounts. One of those attacks caused a loss of $1.5 million in payments; initial access to the customer account was obtained via phishing. The FBI warns that entities involved in processing and releasing healthcare payments via payment processors remain exposed to attacks like this.
Attackers send phishing emails to staff in the financial divisions of a targeted healthcare payment manager. A trusted individual is usually impersonated, and social engineering techniques are used to mislead employees into changing bank account details. Sign-in credentials stolen in these attacks allow the attacker to alter email exchange server configurations and create custom rules for accounts of interest.
Targeted personnel have reported receiving requests to change passwords and 2FA phone numbers within a short period of time. The attackers change account credentials to maintain persistent access, and employees whose accounts were compromised report being locked out of their payment processor accounts after unsuccessful password recovery attempts.
The FBI has issued recommendations on how to guard against these attacks and reduce the risk of compromise. These include:
- Ensure endpoint detection software, including up-to-date anti-virus and anti-malware programs, is deployed on all endpoints
- Carry out regular network security testing, penetration tests, and vulnerability scans
- Train personnel to recognize phishing and social engineering attacks, and give them a quick way to report suspicious email messages, for example an Outlook plugin that permits one-click reporting
- Ensure staff understand that they must only act on requests for sensitive data via approved secondary channels
- Establish multi-factor authentication for all accounts, ideally requiring a physical device for validation, such as a YubiKey, rather than a one-time code sent to a mobile device
- Review and adjust contract renewals as required to include the inability to change both credentials and 2FA within the same time period, to limit further exploitation
- Adopt policies and procedures for changing existing financial details that require verification through a proper, established channel
- Ensure strong, unique passwords are set
- Ensure software is current and patches are applied promptly to prevent vulnerability exploitation.
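Two of the behaviours described above are easy to turn into detection logic: a password change and a 2FA phone-number change on the same account within a short period, and a new mailbox rule that forwards mail out of the organization. The following is an added example, not code from the FBI notification or from any vendor's product. It assumes a JSON-lines audit log with the fields `ts`, `user`, `event`, `src_ip` and `rule` (all assumed field names), and runs over a constructed sample log embedded in the block.

```python
"""Correlate credential and 2FA changes, and flag external mail forwarding rules.
Added example; field names and the sample log are constructed assumptions."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in JSON-lines form (field names are assumptions).
SAMPLE_LOG = """\
{"ts": "2022-02-14T09:02:11Z", "user": "ap.clerk@example-health.test", "event": "password_changed", "src_ip": "203.0.113.25"}
{"ts": "2022-02-14T09:06:40Z", "user": "ap.clerk@example-health.test", "event": "mfa_phone_changed", "src_ip": "203.0.113.25"}
{"ts": "2022-02-14T09:08:03Z", "user": "ap.clerk@example-health.test", "event": "mailbox_rule_created", "rule": {"name": "Vendor sync", "action": "forward", "to": "billing-archive@mail.example.test"}}
{"ts": "2022-02-14T10:15:00Z", "user": "hr.admin@example-health.test", "event": "password_changed", "src_ip": "198.51.100.7"}
{"ts": "2022-02-16T13:30:00Z", "user": "hr.admin@example-health.test", "event": "mfa_phone_changed", "src_ip": "198.51.100.7"}
{"ts": "2022-02-14T11:00:00Z", "user": "ops.lead@example-health.test", "event": "mailbox_rule_created", "rule": {"name": "Vendor invoices", "action": "move", "to": "Invoices"}}
"""

WATCHED = ("password_changed", "mfa_phone_changed")


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def credential_and_mfa_changes(events, window=timedelta(hours=24)):
    """Return (user, first_ts, second_ts) for every account where a password
    change and a 2FA phone change occurred within `window` of each other,
    in either order. This is the pattern targeted staff reported."""
    by_user = defaultdict(lambda: {k: [] for k in WATCHED})
    for ev in events:
        if ev["event"] in WATCHED:
            by_user[ev["user"]][ev["event"]].append(ev["ts"])
    flagged = []
    for user, times in by_user.items():
        for pw in times["password_changed"]:
            for mfa in times["mfa_phone_changed"]:
                if abs(pw - mfa) <= window:
                    flagged.append((user, min(pw, mfa), max(pw, mfa)))
    return flagged


def external_forwarding_rules(events, internal_domain):
    """Return (user, rule_name, target) for new mailbox rules that forward or
    redirect mail to an address outside `internal_domain`."""
    hits = []
    for ev in events:
        if ev["event"] != "mailbox_rule_created":
            continue
        rule = ev["rule"]
        if rule.get("action") not in ("forward", "redirect"):
            continue
        target = rule.get("to", "")
        if "@" in target and not target.lower().endswith("@" + internal_domain.lower()):
            hits.append((ev["user"], rule.get("name", ""), target))
    return hits


def run_detections(text, internal_domain, window=timedelta(hours=24)):
    """Run both detections over a raw log and return the findings."""
    events = parse_events(text)
    return {
        "credential_and_mfa_changes": credential_and_mfa_changes(events, window),
        "external_forwarding_rules": external_forwarding_rules(events, internal_domain),
    }


if __name__ == "__main__":
    findings = run_detections(SAMPLE_LOG, "example-health.test")
    for user, first, second in findings["credential_and_mfa_changes"]:
        print(f"ALERT credential+2FA change: {user} between {first} and {second}")
    for user, name, target in findings["external_forwarding_rules"]:
        print(f"ALERT external forwarding rule '{name}' on {user} -> {target}")
```

On the sample log, only `ap.clerk` is flagged by the 24-hour correlation (the `hr.admin` changes are more than two days apart) and only the `forward` rule to an outside domain is reported; the `move` rule on `ops.lead` is ignored. The window is a parameter so it can be aligned with whatever change-lockout period a contract or policy specifies.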