Date: 2024-04-04

A cybercriminal group is targeting health system IT help desks in a new scheme to gain access to the organization's computer systems and divert payments, according to an April 4 warning from the American Hospital Association.

The cybercriminals are stealing the identities of revenue cycle and finance employees to request password resets and new device enrollment from the IT help desk. Once the new device is enrolled, the threat actor has "phishing-resistant" multi-factor authentication and can access the employee's email and other accounts, according to the AHA.

The threat actors reportedly have used their access to divert payments into fraudulent bank accounts and insert malware into the system.

The AHA recommended health systems:

Tighten IT help desk security protocols

Require the employee to call back from the number on record

Initiate a video call to request a password

Require a photo of the employee with a government-issued ID sent before making changes

"This scheme once again demonstrates how our cyber adversaries are quickly evolving their tactics to defeat technological cyber defenses through social engineering schemes," wrote John Riggi, AHA's national advisor for cybersecurity and risk.

The FBI has been able to help recover diverted payments for health systems if notified within 72 hours of the diversion, according to the AHA. The scheme first came to light in January and has continued to hit hospitals over the last three months.