Healthcare and public health organizations have been warned that hackers are attempting to breach their systems using a sophisticated social-engineering scam targeting IT help desk staff.
The warning is contained in a sector alert (PDF) issued by the Health Sector Cybersecurity Coordination Center (HC3) of the U.S. Department of Health and Human Services.
According to the alert, the attacks begin with a threat actor, claiming to be a finance department employee, making a call to the help desk from an area code that appears to be local to the targeted organization.
The scammer claims their mobile is broken and asks for a new device to be enrolled for multi-factor authentication (MFA) so they can access their account. They make the calls armed with authentic information about the staff member they are impersonating, including their Social Security and corporate ID numbers.
“These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches,” the alert said.
After persuading a help desk agent to grant their MFA request, and then accessing the compromised account, the hackers target login details for payer websites. They divert legitimate payments to U.S. bank accounts they control, before sending the proceeds on to overseas accounts.
HC3 said in one case, hackers registered a domain with a single letter variation to the target organization, and used it to create a fake but convincing email account to impersonate the organization’s chief financial officer.
Similar scam used in MGM attack
While the threat actors behind the health sector attacks have not been identified, HC3 noted Scattered Spider used similar social-engineering techniques to gain initial access ahead of its September 2023 ransomware attack on MGM Resorts.
“While these recent campaigns in the health sector did not involve ransomware, both of these incidents did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals,” the alert stated.
Traditional email spearphishing, despite being around for decades, continues to prove an effective tool for attackers (and a potentially disastrous weakness for target organizations). But when a malicious actor phones a help desk, the voice component adds a sense of urgency for the agent handling the call.
“It is important to note that threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements,” HC3 said.
A recent McAfee study found that out of 7,000 people surveyed, 1 in 4 said that they had experienced an AI voice cloning scam, or knew someone who had.
“With a small sample of a person’s voice and a script cooked up by a cybercriminal, these voice clone messages sound convincing,” McAfee’s Amy Bunn said.
“70% of people in our worldwide survey said they weren’t confident they could tell the difference between a cloned voice and the real thing.”
The HC3 alert listed several approaches healthcare organizations could implement to mitigate the risks of sophisticated social-engineering attacks, including requiring callbacks to the phone number on record for an employee requesting a password reset or a new MFA device enrollment.
“Some hospitals have implemented procedures that require employees to appear in person at the IT help desk for such requests. Another suggestion is implementing policies that require the supervisor of the employee to be contacted to verify these requests. Additionally, users can be trained to identify and report social engineering techniques and spearphishing attempts, while also being suspicious of and verifying the identify of callers.”
