The FBI has observed a rise in threat actors compromising user credentials of healthcare payment processors to redirect payments from their victims to bank accounts in their control, according to a private industry notification.
Multiple reports to the FBI detail the cybercriminals’ tactics, which center on the use of publicly available personally identifiable information of the victims’ employees in tandem with social engineering tactics. The successful campaigns enable the actors to impersonate victims and gain access to the victims’ files, healthcare portals, payment information, and websites.
In one documented case at a “major healthcare company” the threat actors stole credentials and changed the direct deposit account from the hospital to a consumer checking account in their control, enabling them to redirect $3.1 million into their own account. The same entity faced a second successful payment redirect by another group later that month, losing $700,000.
In April, another healthcare company with over 175 medical providers found a hacker had posed as an employee and changed the Automated Clearing House instructions of one payment processing vendor to redirect payments, which resulted in two successful diversions of about $840,000.
FBI data shows at least 65 healthcare payment processors in the U.S. were targeted between June 2018 to January 2019, enabling access and the replacement of “legitimate customer banking and contact information with accounts controlled by the cybercriminals.”
In one of these earlier instances, a victim reported a $1.5 million loss after hackers used a combination of publicly available PII and phishing schemes to access customer accounts.
“Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method.” And the FBI believes these targeted attacks will continue, predominantly using phishing and social engineering campaigns that “spoof support centers and obtain user access.”
The alert details potential indicators of compromise and common tactics, which entities should leverage to prevent similar losses. Organizations should specifically monitor for phishing emails that specifically target the financial departments of healthcare payment processors.
Further, it’s suspected that the social engineering attempts are seeking access to both the payment portal and internal files with specific requests for employees to reset both passwords and the phone numbers used for two-factor authentication within a short timeframe.
In some instances, employees have reported being locked out of their payment processor accounts due to failed password recovery attempts.
The alert contains a host of recommended actions that center around employee training and awareness, as well as potential authentication weaknesses and bolstered vulnerability management.
Protocols will be crucial to preventing these types of losses. Providers should ensure company policies include requirements for any changes to existing invoices and deposits, including barring account actions without explicit verification of established organizational channels.
“Create protocols for employees to report suspicious emails, changes to email exchange server configurations, denied password recovery attempts, and password resets including 2FA phone numbers within a short timeframe to IT and security departments for investigation,” the FBI warned.
