FBI: Millions in Losses resulted from attacks against Healthcare payment processors
The FBI has issued an alert about threat actors targeting healthcare payment processors in an attempt to hijack the payments.
The Federal Bureau of Investigation (FBI) has issued an alert about cyber attacks against healthcare payment processors to redirect victim payments.
Threat actors used employees’ publicly-available Personally Identifiable Information (PII) and social engineering techniques to impersonate victims and obtain access to files, healthcare portals, payment information, and websites.
The FBI also reported one attack in which the threat actors changed victims’ direct deposit information to a bank account under their control and redirected $3.1 million payments.
“Cyber criminals are compromising user login credentials of healthcare payment processors and diverting payments to accounts controlled by the cyber criminals. Recent reporting indicates cyber criminals will continue targeting healthcare payment processors through a variety of techniques, such as phishing campaigns and social engineering, to spoof support centers and obtain user access.” reads the alert.
Below are some cases included in the alert:
April 2022: Threat actors posing as an employee of a healthcare company with more than 175 medical providers changed Automated Clearing House (ACH) instructions of one of their payment processing vendors to redirect the payments. The crooks stole approximately $840,000 dollars over two transactions prior to the discovery.
February 2022: an attacker obtained credentials from a major healthcare company and changed direct deposit banking information from a hospital to a consumer checking account under the control of the cyber-criminal. The attacker stole $3.1 million with this attack.
February 2022: in a separate incident a different threat actor used the same technique to steal approximately $700,000.
From June 2018 to January 2019: cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts under their control. In one case, the victim reported having lost approximately $1.5 million. In this case, the attackers used both publicly available PII and data gained through phishing attacks aimed at gaining access to customer accounts.
The alert also reported potential indicators of malicious activities against user accounts, including phishing emails targeting financial departments of healthcare payment processors, suspected social engineering attempts to obtain access to internal files and payment portals, unwarranted changes in email exchange server configuration and the settings of custom rules for specific accounts, requests for employees to reset both passwords and 2FA phone numbers within a short timeframe, and employees reporting they are locked out of payment processor accounts due to failed password recovery attempts.
Below is the list of mitigations recommended by the FBI:
Ensure anti-virus and anti-malware is enabled and security protocols are updated regularly and in a timely manner. Well-maintained anti-virus and anti-malware software may prevent commonly used attacker tools.
Conduct regular network security assessments to stay up to date on compliance standards and regulations. These should include performing penetration tests and vulnerability scans to ensure the knowledge and level of current system and security protocols.
Implement training for employees on how to identify and report phishing, social engineering, and spoofing attempts. As budget constraints allow, consider options in authentication or barrier layers to decrease or eliminate the viability of phishing.
Advise all employees to exercise caution while revealing sensitive information such as login credentials through phone or web communications. Employees should conduct requests for sensitive information through approved secondary channels.
Use multi-factor authentication for all accounts and login credentials to the extent possible. Viable choices such as hard tokens allow access to software and verifies identity with a physical device instead of authentication codes or passwords.
Update or draft an incident response plan, in accordance with Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
Mitigate vulnerabilities related to third-party vendors. Outside communication exchanges should contain email banners to alert employees of communications originating outside of the organization. Review and understand the vendor’s risk threshold and what comprises a breach of service.
Verify and modify as needed contract renewals to include the inability to change both credentials and 2FA within the same timeframe to reduce further vulnerability exploitations.
Ensure company policies include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations. Any direct request for account actions needs to be verified through the appropriate, previously established channels before a request is sanctioned.
Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets including 2FA phone numbers within a short timeframe to IT and security departments for investigation.
Require all accounts with password logins (e.g., service account, admin accounts, and domain admin accounts) to have strong, unique passphrases. Passphrases should not be reused across multiple accounts or stored on the system where an adversary may have access. (Note: Devices with local administrative accounts should implement a password policy that requires strong, unique passwords for each administrative account.)
If there is evidence of system or network compromise, implement mandatory passphrase changes for all affected accounts.
Timely patching is one of the most efficient and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
