HHS: Health Care IT Helpdesks Under Attack in Voice Scams – Source: securityboulevard.com

A beleaguered healthcare industry, already a top target of cybercriminals, is under attack again. Bad actors recently have been using social engineering techniques in calls to IT help desks to gain access to the systems of targeted organizations, according to an alert from the U.S. Health and Human Services Department (HHS).

Armed with sensitive personal information, the fraudsters call the help desk claiming to be an employee in the organization’s financial department. They convince the helpdesk to enroll the fraudster’s own multifactor authentication (MFA) device, which gives them access to corporate systems and data and enables them to redirect bank payments to accounts the fraudster controls. From there, the threat actors move the money to overseas accounts.

“During the malicious campaign, the threat actor also registered a domain with a single letter variation of the target organization and created an account impersonating the target organization’s Chief Financial Officer (CFO),” HSS’ Health Sector Cybersecurity Coordination Center (HC3) wrote.

Abusing Publicly Available Data

During these calls, the scammers’ calls appear to come from the healthcare organizations’ local area codes. They claim to be a financial employee involved in revenue or in an administrator role. The scammer provides the data – including the last four digits of the target employee’s Social Security Number and corporate ID number and other demographic details – that the IT help desk needs to verify the caller’s identity.

“These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches,” the agency wrote. “The threat actor claimed that their phone was broken, and therefore could not log in or receive MFA tokens. The threat actor then successfully convinced the IT help desk to enroll a new device in multi-factor authentication (MFA) to gain access to corporate resources.”

Once in the system, the bad actors target login information to payer websites, then submit forms to make automated clearing house (ACH) charges to payer accounts. After gaining access to the email accounts of employees, they send instructions to payment processors to divert legitimate payments to U.S. bank accounts they control, and then onto overseas accounts.

“While these recent campaigns in the health sector did not involve ransomware, both of these incidents did leverage spearphishing voice techniques and impersonation of employees with specific access related to the threat actors’ end goals,” HHS wrote.

In these cases, the attackers used voice technology in their spearphishing attacks rather than email or mobile messages. These cases tend to involve social engineering techniques, including impersonating a trusted source and, at times, creating a sense of urgency or alarm.

Generative AI and Voice Cloning

The agency also noted that threat actors also may use generative AI to mimic the voice of a person, a growing trend now that such AI models can impersonate a person’s voice after hearing only seconds-long recorded clips. The Federal Trade Commission last year issued a warning about such AI voice-cloning tools being used in family emergency schemes.

In addition, McAfee researchers said a quarter of 7,000 people it surveyed had been hit with an AI voice-cloning scam, with some saying they lost as much as $15,000.

Echoes of Scattered Spider

HHS said the techniques of the recent attacks are similar to those by threat group Scattered Spider – also known as UNC3944, Starfraud, and Octo Tempest, among other names – which last fall encrypted systems for gaming giants MGM Resorts International and Caesar’s Entertainment using the ransomware created by BlackCat, also known as ALPHV. The agency said the attacks on the health care and public health sectors are not being attributed to any particular group.

The department outlined steps IT help desks can take to protect against such attacks, including requiring callbacks to verify the person’s identity, monitoring ACH changes, revalidating all users with access to payer websites, and requiring employees to appear in person at the helpdesk when making such requests.

An Industry Under Attack

The voice spearphishing campaigns are only the latest assaults on a healthcare industry that has become a favorite target of threat groups, giving the large amounts of sensitive personal data such organizations hold, the high numbers of connected devices they use, and their reputation for having poor cybersecurity protections.

Ron Southwick, national cybersecurity adviser for the American Medical Association (AMA), said late last year that about 106 million people were affected by cyberattacks on health care organizations in 2023, compared with about 44 million the year before.

The AMA is trying to get more proactive in how the industry deals with cyberthreats. The group last year, through its Health2047 venture studio based in Silicon Valley, invested $2.3 million in HEAL Security, a startup developing a cybersecurity intelligence platform for the health care industry. The AMA last month announced that the company launched its flagship product, HEAL Security Desktop, which consolidates global health care cybersecurity data and insights into a dashboard that organizations can evaluate and act on to protect against threats.