The Federal Bureau of Investigation (FBI) has issued an alert regarding hackers targeting healthcare payment processors to route payments to bank accounts controlled by the attacker.

This year alone, threat actors stole more than $4.6 million from healthcare companies after gaining access to customer accounts and altering payment details.

Deceive the victims

Cybercriminals use a combination of tactics to obtain employee login credentials from healthcare payment processors and to alter payment instructions.

The FBI says it has received multiple reports of hackers using publicly available personal data and social engineering to impersonate victims with access to healthcare portals, websites and payment information.

Phishing and Impersonation Help Desks are additional methods that help hackers achieve their goal of gaining access to entities that process and distribute healthcare payments.

The FBI alert today indicates that this specific activity by the threat actor includes sending phishing emails to the financial services of healthcare payment processors.

They also modify the configuration of the Exchange servers and set up personalized rules for the targeted accounts, likely to receive a copy of the victim’s messages.

millions of dollars stolen

The FBI says that in just three such incidents in February and April of this year, hackers diverted more than $4.6 million from victims to their accounts.

In February, a threat actor used “large healthcare company credentials” to replace a hospital’s direct deposit banking information with accounts he controlled, stealing $3.1 million.

In another incident in the same month, cybercriminals used the same method to steal around $700,000 from another victim.

Another attack occurred in April when a healthcare company with more than 175 medical providers lost $840,000 to a threat actor who posed as an employee and altered the instructions from the Automated Clearing House (ACH).

This type of incident is neither unique nor new. The federal agency said that between June 2018 and January 2019, hackers “targeted and accessed at least 65 healthcare payment processors across the United States to replace legitimate customer contact and banking information with accounts controlled by the cybercriminals”.

Mitigation Recommendations

The FBI has compiled a short list of indicators of compromise that could help healthcare organizations spot attempts by cybercriminals to gain access to user accounts.

Organizations should consider any change to the mail server that was unplanned or that occurs without a legitimate reason to be suspicious.

Employees who request a reset of passwords and phone numbers for two-factor authentication (2FA) within a short period of time should also raise an alarm, as should reports of failed password recovery attempts outmoded.

Among the mitigation measures offered by the FBI is performing regular network security assessments (e.g., penetration tests, vulnerability scans) to ensure compliance with standards and regulations in vigor.

Additional recommendations include:

• employee training to identify and report phishing,
• engineering and spoofing attempts
• authentication or barrier layers to reduce or eliminate the viability of phishing
• multi-factor authentication for all accounts and login credentials via hardware tokens
• mitigate vulnerabilities related to third-party vendors
• company policies should include verification of any changes to existing invoices, bank deposits, and contact information for interactions with third-party vendors and organizational collaborations
• implementing protocols for employees to report suspicious activity: changes to email server configuration, denied password recovery attempts, password resets, changing 2FA phone numbers
• Immediately reset passwords for identified accounts in the event of a system or network compromise
• minimize exposure through timely patching systems and updating security solutions