Threat actors have stolen significant amounts of money from healthcare payment processors by redirecting payments to their own bank accounts, the FBI warned on Wednesday.
The cybercriminals used a combination of tactics, techniques, and procedures (TTPs) to steal personally identifiable information (PII) from payment processor employees. They then impersonated those employees to gain unauthorized access to files, payment information, websites, and healthcare portals.
According to the FBI, the tactics that the threat actors used to gain unauthorized access to users’ accounts primarily include phishing attacks and other forms of social engineering.
During an attack in February, the threat actors stole $3.1 million by switching the direct deposit information of a hospital to a rogue bank account. Later that same month, a similar method was deployed to steal around $700,000 from a different provider.
In April, a cybercriminal also stole around $840,000 from a healthcare company with over 175 medical providers by acting as an employee and changing Automated Clearing House (ACH) instructions for one of the payment processors.
“From June 2018 to January 2019, cyber criminals targeted and accessed at least 65 healthcare payment processors throughout the United States to replace legitimate customer banking and contact information with accounts controlled by the cybercriminals,” said the FBI in its announcement on Wednesday. “One victim reported a loss of approximately $1.5 million. The cybercriminals used a combination of publicly available PII and phishing schemes to gain access to customer accounts. Entities involved in processing and distributing healthcare payments through processors remain vulnerable to exploitation via this method.”
Additionally, the FBI’s announcement listed some indicators of compromise to help organizations identify threat actors attempting to access user accounts, including:
- Failed password recovery attempt notifications.
- Unauthorized changes in email exchange server configuration or custom rules.
- Phishing emails targeting key accounts.
- Suspicious social engineering attempts against high-clearance accounts.
- Unrecognized requests to reset passwords and 2FA phone numbers.
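The indicators above are most useful when several of them land on the same account within a short window: a forwarding rule to an outside mailbox, a failed password-recovery attempt and a changed 2FA phone number on one user is a far stronger takeover signal than any one of them alone. The following script is an added example (not code from the FBI announcement or from any vendor) that classifies audit-log events against three of the listed indicators and flags accounts that hit more than one. The events, field names (`user`, `op`, `params`) and the `clinic.example` internal domain are all constructed for the example and only loosely modelled on Microsoft 365 unified-audit-log records; they are not a real schema.

```python
"""Triage constructed audit-log events for the account-takeover indicators
listed in the FBI announcement. Sample data and field names are made up."""
from collections import defaultdict

# Domains the organisation owns (assumption for the example).
INTERNAL_DOMAINS = {"clinic.example"}

# Mailbox/rule parameters that send mail somewhere else. Names mirror the
# Exchange cmdlet parameters but the events here are constructed.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

SAMPLE_EVENTS = [  # constructed, not real log data
    {"user": "ar.clerk@clinic.example", "op": "New-InboxRule",
     "params": {"ForwardTo": ["billing-update@mail.example.net"], "DeleteMessage": True}},
    {"user": "ar.clerk@clinic.example", "op": "PasswordResetFailed", "params": {}},
    {"user": "ar.clerk@clinic.example", "op": "Update user",
     "params": {"StrongAuthenticationPhoneNumber": "+15555550123"}},
    {"user": "nurse@clinic.example", "op": "New-InboxRule",
     "params": {"MoveToFolder": "Archive", "From": "noreply@clinic.example"}},
    {"user": "cfo@clinic.example", "op": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "smtp:cfo.backup@webmail.example.org"}},
]


def is_external(address, internal_domains=INTERNAL_DOMAINS):
    """True if an SMTP address (optionally prefixed 'smtp:') is outside the org."""
    addr = address.lower().removeprefix("smtp:")
    return "@" in addr and addr.rsplit("@", 1)[1] not in internal_domains


def classify_event(event, internal_domains=INTERNAL_DOMAINS):
    """Map one event to an indicator name from the FBI list, or None if benign."""
    op, params = event["op"], event.get("params", {})
    if op in RULE_OPERATIONS:
        # Rules that only move mail inside the mailbox are routine; forwarding
        # to an address the organisation does not control is the takeover sign.
        for key in FORWARDING_PARAMS:
            targets = params.get(key)
            if not targets:
                continue
            if isinstance(targets, str):
                targets = [targets]
            if any(is_external(t, internal_domains) for t in targets):
                return "external_forwarding_rule"
        return None
    if op == "PasswordResetFailed":
        return "failed_password_recovery"
    if op == "Update user" and "StrongAuthenticationPhoneNumber" in params:
        return "mfa_phone_change"
    return None


def triage(events, internal_domains=INTERNAL_DOMAINS):
    """Return {user: sorted list of distinct indicators seen for that user}."""
    hits = defaultdict(set)
    for event in events:
        indicator = classify_event(event, internal_domains)
        if indicator:
            hits[event["user"]].add(indicator)
    return {user: sorted(inds) for user, inds in hits.items()}


def accounts_to_review(events, internal_domains=INTERNAL_DOMAINS, min_indicators=2):
    """Users showing at least `min_indicators` distinct indicators."""
    return sorted(user for user, inds in triage(events, internal_domains).items()
                  if len(inds) >= min_indicators)


if __name__ == "__main__":
    for user, inds in triage(SAMPLE_EVENTS).items():
        print(f"{user}: {', '.join(inds)}")
    print("review:", accounts_to_review(SAMPLE_EVENTS))
```

On the constructed data the accounts-receivable clerk trips all three indicators and is the only account returned for review; the CFO's external forwarding alone is worth a look but stays below the threshold, and the nurse's archive rule is ignored. In practice the same logic would run over exported mailbox-audit and identity-audit events, with the internal domain list and the window for correlating events taken from the organisation's own environment.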