Vulnerability Management, Vulnerability Management, Email security, Risk Assessments/Management

HC3 alerts to social engineering risk, rise in vishing attacks on healthcare

Share
Provider organizations are being urged by HC3 to review guidance on vishing and social engineering attacks given the rise in successful attempts against healthcare. (Photo credit: “Emergency Call Center” by Kecko is licensed under CC BY-ND 2.0.)
Provider organizations are being urged by HC3 to review guidance on vishing and social engineering attacks given the rise in successful attempts against healthcare. (Photo credit: "Emergency Call Center" by Kecko is licensed under CC BY-ND 2.0.)

Healthcare delivery organizations should work to address potential risks posed by a rise in vishing attacks against the healthcare sector, as well as the ongoing threat of social engineering attempts, warns Department of Health and Human Services Cybersecurity Coordination Center.

Two new white paper alerts detail the ongoing threats and recommended remediation to prevent falling victim.

HC3 has observed a “marked increase” in vishing, or voice phishing, attacks in the last year across all sectors. The method is used by advanced persistent threat groups or state-sponsored actors, leveraging voice-changing software to trick victims into installing malware. 

The objectives of these attacks are usually to obtain sensitive information or distribute malware. One of the more recent victims was a large organization that fell victim to a sophisticated vishing attack, which enabled an actor with access to their network. 

First introduced by BazarCall/BazaCall, the callback phishing attacks were first observed in March 2021 and targeted corporate networks with ransomware attacks. Reports show the use of “hybrid vishing” saw a 625% growth during Q2 2022, which first connects with the victim via email before calling them.

Past healthcare vishing targeting led to the exploit of a Michigan health system in September 2020, whether the threat actor posed as an employee in an effort to steal member numbers and protected health numbers. In this specific incident, the “fake phone calls even ‘spoofed’ caller ID and appeared to be originating from a legitimate phone number belonging to the… entity.” 

A successful vishing attack or call-back phishing can allow an attacker with user credentials to potential bypass multi-factor authentication. HC3 warns providers “with high confidence that threat actors will continue to evolve their tactics, techniques, and procedures when conducting phishing attacks due to prior success in gaining initial access.”

In fact, recent research found a method to leverage a series of emojis to deliver an exploit. HCS notes that “while this method requires specific circumstances to occur for the emoji exploit to work, this demonstrates the constantly evolving threat landscape and difficulty in detecting malware.”

HC3 warns that healthcare entities should remain alert to this evolving threat, as social engineering techniques remain a successful tactic for threat actors in gaining initial access to targeted entities. Specifically, providers should emphasize user awareness training to defend against these tactics.

The alert contains details on how to detect vishing threats, a sample vishing attack email, and effective mitigations.

Social engineering tactics detailed in HC3 alert

A second HC3 alert release on Aug. 9 provides healthcare entities with detailed insights on social engineering tactics used by attackers against the sector, including further vishing guidance, deep fakes, traditional phishing, whaling, and business email compromise.

Data shows that phishing attacks are among the most common threats against healthcare, following ransomware. In Q4 2021, phishing attacks made up 42% of overall attacks against healthcare, followed by vulnerability exploit with 31%.

Detecting phishing or social engineering attacks in healthcare and other large organizations, given the volume of communications and “members do not always know their fellow coworkers.” Attackers leverage these attacks against providers due to its penchant for using work arounds and the overall desire to help.

HC3 breaks down the typical tactics, such as password updates or an unlocked computer, as well as the specific threat to healthcare organizations and recommended steps to protect the organization. Previous research has confirmed that training and education indeed reduces the risk phishing poses to an organization.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.