HHS HC3 Warns of Vishing, Other Social Engineering Scams
Feds Urge Healthcare Sector Entities to Be Vigilant, Take Action
Social engineering poses significant data security threats to healthcare and public sector entities, federal authorities warn, urging entities to take steps to avoid falling victim.
The Department of Health and Human Services' Health Sector Cybersecurity Coordination Center, in two advisories released late last week, advises healthcare entities to stay attentive to and proactive against social engineering scams.
In particular, HHS HC3 says it has seen a "marked increase" across many sectors, including healthcare, in attacks involving so-called vishing, or voice phishing. Vishing is similar to email phishing, but the lure is typically a phone call, or an email that asks the unsuspecting user to call the fraudsters back or take some other action online.
Healthcare Especially Vulnerable
Healthcare sector entities are a ripe target for social engineering schemes for an assortment of reasons.
"Healthcare workers provide care in a compassionate and caring environment assisting people in a time of need," says Dave Bailey, vice president of security services at privacy and security consultancy CynergisTek. "This type of environment can make it easier for a bad actor to exploit a situation or condition to have a healthcare worker fall victim to a scam."
Healthcare workers often must act quickly and under pressure, an environment that leaves little time for close scrutiny of a potential phishing or vishing attempt. "The importance of responding promptly to patient care needs can sometimes override caution," says Kate Borten, president of privacy and security consulting firm The Marblehead Group.
"Training is essential, including simulated phishing - and now vishing - attacks, but not enough," she says. "Phishing and vishing scams can be sophisticated and subtle, so the workforce needs reminders to stop and think, and call their cybersecurity hotline when in doubt."
Michael Hamilton, CISO of security firm Critical Insight, says the problem is actually pretty simple: "It's gullible people," he says.
Organizations can nonetheless take steps to help prevent social engineering attacks from escalating into major compromises and security incidents, he says.
"People are going to give up passwords. People are going to trip over bad websites," he says. The trick is to look for signals of that occurring "and when you see something aberrational happening that gives you the ability to quickly investigate that and put out the grease fire on the stove before the house is involved in flames," he says.
In September 2020, threat actors posing as employees of a Michigan health system carried out a vishing campaign that involved calling patients to steal their member numbers and protected health information, says HC3. "These fake phone calls even 'spoofed' caller ID and appeared to be originating from a legitimate phone number belonging to the healthcare entity," the advisory says.
Advanced persistent threat groups, such as state-sponsored threat actors, also use "voice-changing software" to trick targets into installing malware (see: DeepFakes Voice Impersonators Used in Vishing-as-a-Service).
A recent study by security firm Agari found that the use of "hybrid vishing" - also referred to as "callback phishing" - grew by 625% in the second quarter of 2022, compared with the first quarter.
Hybrid vishing involves multi-stage attacks that differ from traditional vishing in that the attacker first contacts the victim by email, typically a fake invoice or subscription notice with a phone number to call; the phone call that follows is used to obtain sensitive information or to talk the victim into installing malware, HHS HC3 says.
These so-called "callback phishing" attacks first surfaced around March 2021 with the BazarCall/BazaCall campaigns, which used them to gain initial access to corporate networks for ransomware attacks, HHS HC3 says.
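Because a callback lure carries no malicious link or attachment, URL and attachment scanning alone will not catch it. The following triage heuristic, an added example that is not part of the HC3 advisory or this article, scores an email on the signals the advisory describes: a phone number as the only call to action, billing or subscription language, and artificial urgency. The two sample emails are constructed for illustration, and the term list, weights and threshold are assumptions a team would tune against its own mail.

```python
"""Heuristic triage for hybrid vishing / callback-phishing emails.

Added example; the sample messages, lure terms, weights and threshold are
constructed assumptions, not values from the HC3 advisory.
"""
import re

# North American style numbers, with optional +1/1 prefix and common separators.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://\S+", re.I)
# Billing / subscription vocabulary typical of BazarCall-style lures (assumed list).
LURE_TERMS = ("subscription", "renewal", "invoice", "charged", "auto-renew",
              "cancel", "refund", "trial")
URGENCY_RE = re.compile(r"\b(?:within|before)\s+\d+\s*(?:hours?|days?)\b")


def triage(subject, body, threshold=5):
    """Return a dict with a numeric score, the reasons, and a suspicious flag."""
    text = f"{subject}\n{body}".lower()
    score, reasons = 0, []

    phones = PHONE_RE.findall(text)
    if phones:
        score += 2
        reasons.append(f"{len(phones)} phone number(s) present")

    terms = [t for t in LURE_TERMS if t in text]
    if terms:
        # Two or more billing terms is a stronger signal than one.
        score += 2 if len(terms) >= 2 else 1
        reasons.append("billing/subscription language: " + ", ".join(terms))

    # The defining trait of a callback lure: the only action offered is a phone call.
    if phones and not URL_RE.search(text):
        score += 2
        reasons.append("call-to-action is a phone number with no link to inspect")

    if URGENCY_RE.search(text) or "today" in text:
        score += 1
        reasons.append("time pressure applied")

    return {"score": score, "suspicious": score >= threshold, "reasons": reasons}


# Constructed sample messages.
LURE_SUBJECT = "Your Premium Protection subscription has been renewed"
LURE_BODY = ("Thank you for your purchase. Your account was charged $399.99 for "
             "annual auto-renewal. If you did not authorize this, call our billing "
             "desk within 24 hours at 1-844-555-0199 to cancel and request a refund.")

BENIGN_SUBJECT = "Team lunch Friday"
BENIGN_BODY = ("Let's meet at noon. Reply here or check "
               "https://intranet.example/events for the menu.")


if __name__ == "__main__":
    for subj, body in ((LURE_SUBJECT, LURE_BODY), (BENIGN_SUBJECT, BENIGN_BODY)):
        result = triage(subj, body)
        print(subj, "->", "SUSPICIOUS" if result["suspicious"] else "ok", result)
```

A score like this belongs in a mail-flow rule that routes the message for human review, not in an automatic block: legitimate vendor invoices also contain phone numbers and billing vocabulary, and the decision to call the number printed in the email is exactly the behaviour the advisory's training guidance targets.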
More recently, in May 2022, "a major U.S.-based telecommunications company" experienced a cyber incident involving a series of sophisticated vishing attacks against an employee, HHS HC3 writes.
The threat actor, later identified as an initial access broker with ties to the UNC2447 cybercrime gang, the Lapsus$ threat actor group and Yanluowang ransomware operators, gained access through a user who had enabled password syncing in Google Chrome and had stored their work credentials in the browser, HC3 says.
After obtaining the user’s credentials, the attacker attempted to bypass multifactor authentication using a variety of techniques, including vishing and "multifactor authentication fatigue", which involves the threat actor sending a high volume of push requests to the target’s mobile device until the individual accepts, either accidentally or in an attempt to silence the repeated push notifications.
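The fatigue pattern described above leaves a distinctive trace in identity-provider logs: a burst of push challenges to one user, several of them denied or timed out, followed by an approval. The detector below, an added example that is not part of the HC3 advisory or this article, looks for exactly that sequence. The log layout and the sample lines are constructed for illustration (real providers such as Okta, Duo or Azure AD use their own schemas), and the window and prompt-count thresholds are assumptions to tune.

```python
"""Detect MFA push-fatigue (prompt bombing) in authentication logs.

Added example. The space-separated log format, the sample lines, and the
default thresholds are constructed assumptions, not a vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, event, result.
# alice is bombed with pushes and finally approves; bob is a normal login.
SAMPLE_LOG = """\
2022-05-24T02:11:03Z alice push_sent pending
2022-05-24T02:11:05Z alice push_result denied
2022-05-24T02:11:40Z alice push_sent pending
2022-05-24T02:12:02Z alice push_result timeout
2022-05-24T02:12:10Z alice push_sent pending
2022-05-24T02:12:31Z alice push_result denied
2022-05-24T02:12:45Z alice push_sent pending
2022-05-24T02:13:01Z alice push_result denied
2022-05-24T02:13:20Z alice push_sent pending
2022-05-24T02:13:25Z alice push_result approved
2022-05-24T09:00:00Z bob push_sent pending
2022-05-24T09:00:06Z bob push_result approved
"""


def parse(log_text):
    """Parse the constructed format into (timestamp, user, event, result) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events


def find_push_fatigue(events, min_prompts=4, window=timedelta(minutes=10)):
    """Return {user: details} for each user whose approval was preceded, within
    `window`, by at least `min_prompts` push results including a denial/timeout.

    A single approval is normal; an approval that ends a run of rejected prompts
    is the signature of a user giving in to repeated push notifications.
    """
    by_user = defaultdict(list)
    for ts, user, event, result in events:
        if event == "push_result":
            by_user[user].append((ts, result))

    findings = {}
    for user, results in by_user.items():
        results.sort()
        for i, (ts, result) in enumerate(results):
            if result != "approved":
                continue
            recent = [r for r in results[: i + 1] if ts - r[0] <= window]
            rejected = [r for r in recent if r[1] in ("denied", "timeout")]
            if len(recent) >= min_prompts and rejected:
                findings[user] = {
                    "approved_at": ts,
                    "prompts_in_window": len(recent),
                    "rejected_before_approval": len(rejected),
                }
                break  # one finding per user is enough to raise an alert
    return findings


if __name__ == "__main__":
    for user, info in find_push_fatigue(parse(SAMPLE_LOG)).items():
        print(f"ALERT {user}: {info['rejected_before_approval']} rejected pushes "
              f"then approval at {info['approved_at']:%H:%M:%S}")
```

An alert from this rule should trigger a session revocation and a call back to the user over a known-good channel, since the approval may be genuine. Pairing it with the advisory's configuration advice (number matching or a one-time code instead of a bare approve/deny push) removes the attack's precondition rather than just detecting it.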
HHS HC3 urges healthcare sector entities to take action to prevent falling victim to cyber incidents involving social engineering, including vishing. That includes:
- Implementing backups;
- Regularly updating software;
- Imposing proper credential tracking;
- Training staff to be alert for phishing and related scams, and to verify all requests for taking certain actions;
- Confirming receipt of an email from a known sender via a trusted communication method or contact;
- Securing voice-over-IP servers and looking for evidence of existing compromise, such as web shells for persistence;
- Blocking malicious domains and other indicators associated with campaigns;
- Staying up-to-date with the latest health-themed scams and fraud schemes, such as those involving COVID-19 and Monkeypox;
- Considering switching the organization's multifactor authentication configuration to require a one-time password rather than a simple push notification, to mitigate MFA fatigue.