The Federal Bureau of Investigation (FBI) has issued an alert about hackers targeting healthcare payment processors to route payments to bank accounts controlled by the attacker.
This year alone, threat actors have stolen more than $4.6 million from healthcare companies after gaining access to customer accounts and changing payment details.
Cybercriminals are combining multiple tactics to obtain login credentials of employees at payment processors in the healthcare industry and to modify payment instructions.
The FBI says that it received multiple reports where hackers are using publicly available personal details and social engineering to impersonate victims with access to healthcare portals, websites, and payment information.
Phishing and spoofing support centers are additional methods that help hackers achieve their goal of gaining access to entities that process and distribute healthcare payments.
FBI’s alert today notes that this specific threat actor activity includes sending phishing emails to financial departments of healthcare payment processors.
They are also modifying Exchange Servers’ configuration and setting up custom rules for targeted accounts, likely to receive a copy of the victim’s messages.
Millions of dollars stolen
The FBI says that in just three such incidents in February and April this year, hackers diverted to their accounts more than $4.6 million from the victims.
In February, one threat actor used credentials “credentials from a major healthcare company” to replace the direct deposit banking information of a hospital with accounts they controlled, stealing $3.1 million.
In a separate incident the same month, cybercriminals used the same method to steal about $700,000 from another victim.
Another attack happened in April when a healthcare company with more than 175 medical providers lost $840,000 to a threat actor that impersonated an employee and change the Automated Clearing House (ACH) instructions.
This type of incident is neither singular nor new. The federal agency says that between June 2018 and January 2019 hackers “targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cyber criminals.”
The FBI has compiled a short list of indicators of compromise that could help healthcare organizations spot cybercriminal attempts to gain access to user accounts.
Organizations should deem suspicious any changes to the email server that have not been planned or happen without a legitimate reason.
Employees requesting a reset of passwords and phone numbers for two-factor authentication (2FA) within a short period should also trigger an alarm, just as reports of failed password recovery attempts.
Among the mitigations the FBI proposes is running regular network security assessments (e.g. penetration testing, vulnerability scans) to ensure compliance with current standards and regulations.
Additional recommendations include:
training for employees to identify and report phishing, social
engineering, and spoofing attempts
authentication or barrier layers to decrease or eliminate the viability of phishing
multi-factor authentication for all accounts and login credentials via hardware tokens
mitigate vulnerabilities related to third-party vendors
company policies should include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations
setting up protocols for employees to report suspicious activity: changes in email server configuration, denied password recovery attempts, password resets, changing 2FA phone numbers
immediately reset passwords for accounts identified during a system or network compromise
minimize exposure through timely patching systems and updating security solutions