US HHS issues alert against spearphishing voice scams

The U.S. Health and Human Services, in coordination with its Health Sector Cybersecurity Coordination Center, has published a sector alert to advise on mitigations to defend against spearphishing voice scams that ultimately seek to steal electronic funds transfers.

Why it matters
User awareness training and increased security policies and procedures to improve identity verification with help desk requests can help defend against tactics that manipulate IT staff into providing access to systems through a phone call or other forms of voice communications, HC3 said in the April 3 alert.

HC3 said it recently investigated two successful spearphishing voice scams that led to legitimate payments diverted to attacker-controlled U.S. bank accounts.

“The threat actor is able to provide the required sensitive information for identity verification, including the last four digits of the target employee’s Social Security number and corporate ID number, along with other demographic details,” the agency said in its report.

“These details were likely obtained from professional networking sites and other publicly available information sources, such as previous data breaches.”

In one attack, HC3 said the threat actor claimed their phone was broken, so they could not log in or receive multifactor authentication (MFA) tokens. They persuaded the organization’s IT help desk to enroll a new device in MFA and gained access to the network, targeting login information related to payer websites.

By posing as a trusted source and creating a sense of urgency, the threat actor gained entry into payer systems and submitted automated clearinghouse change requests, HC3 said.

The agency identified several help desk policies, including requiring callbacks to the phone number on record for the employee requesting a password reset and enrollment of a new device, contacting the employee’s supervisor for verification of the need, monitoring for suspicious ACH changes and revalidating all users with access to payer websites.

“Some hospitals have implemented procedures that require employees to appear in person at the IT help desk for such requests,” HC3 noted.

The agency also outlined various MFA abuse mitigations for users of Entra ID, formerly Microsoft Azure Active Directory.

The larger trend
In some cases, social engineering attacks aim to drop ransomware to disrupt hospitals and ensnare an organization into paying a large ransom. Such was the case when OrthoVirginia, a physician-owned practice, was hit with the Ryuk ransomware in 2021.

Phishing, the most common of exploits for gaining an initial foothold into an organization’s network, can also be addressed in regular security awareness training, according to HC3.

“It is important to train your workforce to trust nothing and no one when it comes to the digital communication they receive, which now includes voicemails, text messages and phone calls,” advised Steve Cagle, CEO of Clearwater Security and Compliance, which OrthoVirginia consulted in its ransomware recovery journey.

“They need to learn to operate out of skepticism, doubting anything they can’t verify as legitimate, including QR codes,” Cagle told Healthcare IT News last year.

With artificial intelligence, cybercriminals have even more weapons to enhance the sophistication of these attacks.

On the record
“It is important to note that threat actors may also attempt to leverage AI voice impersonation techniques to social engineer targets, making remote identity verification increasingly difficult with these technological advancements,” HC3 noted in the alert. Healthcare IT News