The FBI and HHS have issued a joint alert to healthcare leaders about a social engineering campaign targeting healthcare organizations.
According to the June 24 alert, hackers are using phishing schemes to steal login credentials, enabling unauthorized access and diversion of automated clearing house (ACH) payments to U.S.-controlled bank accounts. These attacks often begin with hackers gaining access to employees' email accounts through social engineering or phishing. Once access is gained, they specifically target login information related to reimbursement payments for insurance companies and Medicare.
Notable methods include:
- Impersonating employees to manipulate IT help desk personnel and bypass multifactor authentication.
- Registering phishing domains similar to the organization's true domain to deceive and target executives like the CFO.
- Using personally identifiable information from data breaches to confirm employees' identities.
Once access is secured, the organizations said hackers employ "living off the land" techniques to blend malicious activities with normal system behavior. They amend forms to redirect ACH payments to their own accounts and then transfer funds overseas. Some attempts also include uploading malware.
HHS and the FBI urged healthcare leaders to implement recommended mitigations to protect against these sophisticated attacks. These recommendations include implementing email security, adding multifactor authentication and adopting centralized log collection.