The FBI has issued a warning that threat actors are targeting healthcare payment processors in an attempt to hijack payments.
The Federal Bureau of Investigation (FBI) has issued an alert about a cyberattack targeting healthcare payment processors to redirect victim payments.
Threat actors use employees’ publicly available personally identifiable information (PII) together with social engineering to impersonate victims and gain access to files, healthcare portals, payment information, and websites.
The FBI also reported an attack in which a threat actor changed a victim’s direct deposit information to a bank account they controlled and redirected $3.1 million in payments.
“Cybercriminals are compromising user login credentials for healthcare payment processors and transferring payments to accounts controlled by cybercriminals. Recent reports suggest that cybercriminals will continue to use various techniques such as phishing campaigns and social engineering targeting healthcare payment processors to deceive support centers and gain user access,” reads the alert.
Here are some of the cases included in the alert:
- April 2022: A threat actor posing as an employee of a healthcare company with more than 175 healthcare providers changed the Automated Clearing House (ACH) instructions for one of its payment processing providers to redirect payments. The crooks stole approximately $840,000 in two transactions before they were discovered.
- February 2022: Attackers obtained credentials from a major healthcare company and changed a hospital’s direct deposit bank information to a consumer checking account controlled by the cybercriminals. The attackers stole $3.1 million through this attack.
- February 2022: In another incident, another threat actor stole approximately $700,000 using the same technique.
- From June 2018 to January 2019: Cybercriminals targeted and accessed at least 65 healthcare payment processors across the United States to replace legitimate customer banking and contact information with accounts they controlled. In one case, victims reported losses of approximately $1.5 million. In this case, the attackers used publicly available PII and data obtained through phishing attacks to gain access to customer accounts.
The alert also lists potential indicators of malicious activity against user accounts:
- phishing emails targeting the finance departments of healthcare payment processors;
- suspicious social engineering attempts to gain access to internal files and payment portals;
- unwarranted changes to email exchange server configuration or to custom rules on specific accounts;
- requests to reset both the password and the 2FA phone number of an account within a short period of time;
- employees reporting that they are locked out of payment processor accounts because of failed password recovery attempts.
Below is a list of mitigations recommended by the FBI:
- Ensure antivirus and antimalware software is enabled and that security protocols are updated regularly and in a timely manner. Well-maintained antivirus and antimalware software may block common attacker tools.
- Conduct regular cybersecurity assessments to stay current with compliance standards and regulations. These should include penetration tests and vulnerability scans to confirm the state of current systems and security protocols.
- Implement employee training on how to identify and report phishing, social engineering, and deception attempts. Consider options in authentication or barrier layers to reduce or eliminate the viability of phishing, as budget constraints allow.
- Advise all employees to exercise caution when disclosing sensitive information such as login credentials by phone or web communications. Requests for sensitive information should be verified through approved secondary channels.
- Use multi-factor authentication for all accounts and login credentials wherever possible. Consider options such as hardware tokens, which verify identity with a physical device rather than an authentication code or password.
- Update or draft an incident response plan in accordance with the Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules.
- Mitigate vulnerabilities associated with third-party vendors. External communications should include email banners alerting employees that a message originates outside the organization. Review vendor risk thresholds and what constitutes a breach of service.
- Verify and, where needed, modify contract renewals to require that credentials and 2FA cannot both be changed within the same time frame, reducing the window for further exploitation.
- Make sure company policy includes validating any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizations. Any direct requests for account operations will need to be verified through the appropriate, previously established channels before the request can be approved.
- Create protocols for employees to report suspicious emails, changes to email exchange server configuration, denied password recovery attempts, and password resets (including 2FA phone number changes) to IT and security at short notice for investigation.
- Require that all accounts that use passwords to log in (for example, service accounts, administrator accounts, and domain administrator accounts) have a strong and unique passphrase. Passphrases should not be reused across multiple accounts or stored on systems that an adversary may have access to. (Note: Devices with local administrative accounts should implement a password policy that requires a strong and unique password for each administrative account.)
- If there is evidence that a system or network is compromised, implement mandatory password changes for all affected accounts.
- Timely patching is one of the most effective and cost-effective steps an organization can take to minimize its exposure to cybersecurity threats.
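Several of the indicators and mitigations above reduce to simple correlations over account audit events: a password reset and a 2FA phone change on the same account within a short window, a bank-detail or mailbox-rule change shortly after a credential change, and repeated failed password recovery attempts. The following Python example is added here to show that logic; it is not part of the FBI alert or of this article. The event schema (`ts`, `user`, `action`), the action names, the thresholds, and the sample events are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not real data); the field names are an assumed schema.
SAMPLE_EVENTS = [
    # Account-takeover pattern: reset, new 2FA phone, mailbox rule, payee bank change.
    {"ts": "2022-02-01T09:02:00", "user": "ap.clerk", "action": "password_reset"},
    {"ts": "2022-02-01T09:05:00", "user": "ap.clerk", "action": "mfa_phone_changed"},
    {"ts": "2022-02-01T09:40:00", "user": "ap.clerk", "action": "mailbox_rule_created"},
    {"ts": "2022-02-01T10:15:00", "user": "ap.clerk", "action": "payee_bank_changed"},
    # Legitimate user: reset and 2FA change nine days apart, no follow-on changes.
    {"ts": "2022-02-03T14:00:00", "user": "j.doe", "action": "password_reset"},
    {"ts": "2022-02-12T08:00:00", "user": "j.doe", "action": "mfa_phone_changed"},
    # Recovery hammering: three failed recovery attempts in under twenty minutes.
    {"ts": "2022-02-04T11:00:00", "user": "r.roe", "action": "recovery_failed"},
    {"ts": "2022-02-04T11:07:00", "user": "r.roe", "action": "recovery_failed"},
    {"ts": "2022-02-04T11:19:00", "user": "r.roe", "action": "recovery_failed"},
]

CREDENTIAL_ACTIONS = {"password_reset", "mfa_phone_changed"}
FOLLOW_ON_ACTIONS = {"payee_bank_changed", "mailbox_rule_created"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events, same_window=timedelta(hours=24),
              follow_on_window=timedelta(hours=72),
              recovery_threshold=3, recovery_window=timedelta(hours=1)):
    """Return a sorted list of (user, rule, iso_timestamp) alerts."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_ts):
        by_user[ev["user"]].append(ev)

    alerts = set()
    for user, evs in by_user.items():
        resets = [_ts(e) for e in evs if e["action"] == "password_reset"]
        mfa_changes = [_ts(e) for e in evs if e["action"] == "mfa_phone_changed"]
        cred_changes = sorted(resets + mfa_changes)

        # Rule 1: password reset and 2FA phone change on one account within the window.
        for r in resets:
            for m in mfa_changes:
                if abs(m - r) <= same_window:
                    alerts.add((user, "reset_and_2fa_change_same_window",
                                max(r, m).isoformat()))

        # Rule 2: bank-detail or mailbox-rule change shortly after a credential change.
        for e in evs:
            if e["action"] in FOLLOW_ON_ACTIONS:
                t = _ts(e)
                if any(c <= t <= c + follow_on_window for c in cred_changes):
                    alerts.add((user, e["action"] + "_after_credential_change",
                                t.isoformat()))

        # Rule 3: repeated failed password-recovery attempts (lockout indicator).
        fails = [_ts(e) for e in evs if e["action"] == "recovery_failed"]
        for i in range(len(fails) - recovery_threshold + 1):
            last = fails[i + recovery_threshold - 1]
            if last - fails[i] <= recovery_window:
                alerts.add((user, "repeated_recovery_failures", last.isoformat()))
                break

    return sorted(alerts)


def change_allowed(events, user, action, at, same_window=timedelta(hours=24)):
    """Preventive policy check for the contract/2FA mitigation: refuse a password
    reset or 2FA phone change when the other credential change for the same
    account already happened within same_window."""
    other = {"password_reset": "mfa_phone_changed",
             "mfa_phone_changed": "password_reset"}[action]
    at = datetime.fromisoformat(at)
    return not any(e["user"] == user and e["action"] == other
                   and abs(at - _ts(e)) <= same_window for e in events)


if __name__ == "__main__":
    for user, rule, when in correlate(SAMPLE_EVENTS):
        print(f"{when} {user}: {rule}")
```

Run against the constructed events, `correlate` flags only `ap.clerk` (three rules) and `r.roe` (recovery failures) and stays silent on `j.doe`, whose reset and 2FA change fall outside the window. `change_allowed` is the enforcement counterpart: applied at the help desk or in the identity provider, it rejects the second half of a reset-plus-2FA-change pair instead of merely alerting on it afterwards.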